iOS companion setup

A one-time AWS setup that lets your iPhone reach your Mac from anywhere — without opening any inbound ports on your network or on AWS.

How it works

Your Mac sits behind your home or office NAT and can't accept inbound connections directly. Cairn solves this with a small EC2 instance in your own AWS account that acts as a meeting point. Both your Mac and your iPhone reach it outbound, through AWS EC2 Instance Connect Endpoint (EICE) — an IAM-authenticated tunnel that AWS recommends for bastion-style access.

Mac ──outbound──► AWS EICE ──► EC2 jump host ◄──outbound── iPhone
     IAM auth         no public IP,               IAM auth
                      no inbound ports
└────── reverse tunnel held by the Mac so the iPhone reaches it ──────┘

Cost. A t3.micro jump host is AWS Free Tier eligible for the first 12 months on a new AWS account. After that, expect ~$3–5/mo for the instance plus a small EBS volume. EICE itself charges nothing for the endpoint or tunnel hours.

1. Create or sign in to an AWS account

If you don't already have one, create an AWS account. The Free Tier covers everything Cairn provisions for the first 12 months on a new account.

Cairn works well in an isolated AWS account; nothing else needs to live there.

2. Install the AWS CLI and sign in

Cairn uses your local AWS CLI to provision the jump host on your behalf.

Your Mac ──► aws CLI ──► your AWS account
  1. brew install awscli
  2. Create an IAM user in the AWS console with programmatic access, and copy its access key + secret.
  3. aws configure --profile cairn
Optional: verify it worked
AWS_PROFILE=cairn aws sts get-caller-identity

Should print your account ID and the IAM user ARN.

3. Provision the jump host

In Cairn, open Apps → Jump Host → Provision. That's it. Cairn runs an idempotent script that creates a security group with no inbound rules, an EC2 Instance Connect Endpoint, a free-tier t3.micro instance in your default VPC, and a hardened sshd (key-only, ed25519, fail2ban).

4. Pair your iPhone

  1. Install Cairn Terminal from the App Store.
  2. On your Mac, open Apps → Pair iPhone. A QR code appears.
  3. Scan the QR with the iOS app.

Behind the scenes Cairn mints a per-iPhone IAM user scoped only to ec2-instance-connect:OpenTunnel on this one instance, generates a fresh SSH key for the device, and stores the credentials in the iOS Keychain (biometrically gated). Unpairing deletes the IAM user, which immediately revokes that iPhone at the AWS layer.
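The per-iPhone scoping described above is worth checking rather than trusting. The following is an added example, not Cairn's own code: a constructed policy of the shape the paragraph describes (EICE expresses "this one instance" through the ec2-instance-connect:privateIpAddress condition key, with the EICE endpoint ARN as the Resource) and an audit function that flags any drift from that least-privilege shape. The region, account id, endpoint id and private IP are placeholders.

```python
# Constructed example policy for one paired iPhone: a single action, a single
# EICE endpoint ARN, and conditions pinning the tunnel to one instance's
# private IP on port 22. REGION, account id, eice id and IP are placeholders.
PER_IPHONE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2-instance-connect:OpenTunnel",
        "Resource": "arn:aws:ec2:REGION:111122223333:instance-connect-endpoint/eice-PLACEHOLDER",
        "Condition": {
            "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.1.23/32"},
            "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
            # EICE caps tunnels at one hour; value is in seconds.
            "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"},
        },
    }],
}

# Condition operator -> key that must be present to pin the tunnel target.
REQUIRED_CONDITIONS = {
    "IpAddress": "ec2-instance-connect:privateIpAddress",
    "NumericEquals": "ec2-instance-connect:remotePort",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_open_tunnel_policy(policy):
    """Return a list of findings; an empty list means the policy has the
    least-privilege shape: one action, one EICE endpoint, one host, one port."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if actions != ["ec2-instance-connect:OpenTunnel"]:
            findings.append(f"stmt {i}: actions beyond OpenTunnel: {actions}")
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res or "instance-connect-endpoint/" not in res:
                findings.append(f"stmt {i}: resource is not a single EICE endpoint: {res}")
        cond = stmt.get("Condition", {})
        for op, key in REQUIRED_CONDITIONS.items():
            if key not in cond.get(op, {}):
                findings.append(f"stmt {i}: missing condition {op}/{key}")
        ip = str(cond.get("IpAddress", {}).get("ec2-instance-connect:privateIpAddress", ""))
        if ip and not ip.endswith("/32"):
            findings.append(f"stmt {i}: privateIpAddress is not a single host: {ip}")
    return findings
```

Run it against the inline policy attached to each paired device's IAM user (for example the output of `aws iam get-user-policy --profile cairn`) to confirm unpairing and pairing have not left a broader grant behind.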

5. You're done

From now on, opening Cairn on your iPhone connects through AWS to your Mac wherever it is. The reverse tunnel auto-recycles every ~50 minutes inside EICE's 1-hour limit, transparently.

Tearing it down

Open Apps → Jump Host → Destroy. This removes the instance, endpoint, security groups, and per-iPhone IAM users. Your AWS account is left as it was.

Questions, issues, suggestions

The public issue tracker and roadmap live at github.com/p10q/cairn.