iOS companion setup
A one-time AWS setup that lets your iPhone reach your Mac from anywhere — without opening any inbound ports on your network or on AWS.
How it works
Your Mac sits behind your home or office NAT and can't accept inbound connections directly. Cairn solves this with a small EC2 instance in your own AWS account that acts as a meeting point. Both your Mac and your iPhone reach it outbound, through AWS EC2 Instance Connect Endpoint (EICE) — an IAM-authenticated tunnel that AWS recommends for bastion-style access.
The t3.micro jump host is AWS Free Tier eligible for the first 12 months on a new AWS account. After that, expect ~$3–5/mo for the instance plus a small EBS volume. EICE itself charges nothing for the endpoint or tunnel hours.
1. Create or sign in to an AWS account
If you don't already have one, create an AWS account. The Free Tier covers everything Cairn provisions for the first 12 months on a new account.
Cairn works well with an isolated AWS account; nothing else needs to live there.
2. Install the AWS CLI and sign in
Cairn uses your local AWS CLI to provision the jump host on your behalf.
aws CLI ──► your AWS account
- brew install awscli
- Create an IAM user in the AWS console with programmatic access, and copy its access key + secret.
- aws configure --profile cairn
Optional: verify it worked
AWS_PROFILE=cairn aws sts get-caller-identity
Should print your account ID and the IAM user ARN.
3. Provision the jump host
In Cairn, open Apps → Jump Host → Provision. That's it. Cairn runs an idempotent script that creates a security group with no inbound rules, an EC2 Instance Connect Endpoint, a free-tier t3.micro instance in your default VPC, and a hardened sshd (key-only, ed25519, fail2ban).
4. Pair your iPhone
- Install Cairn Terminal from the App Store.
- On your Mac, open Apps → Pair iPhone. A QR code appears.
- Scan the QR with the iOS app.
Behind the scenes Cairn mints a per-iPhone IAM user scoped only to ec2-instance-connect:OpenTunnel on this one instance, generates a fresh SSH key for the device, and stores the credentials in the iOS Keychain (biometrically gated). Unpairing deletes the IAM user, which immediately revokes that iPhone at the AWS layer.
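To check the scoping described above for a paired device, this added example (not Cairn's own code) audits an IAM policy document offline and reports anything broader than a single tunnel. The policy shape, account ID, endpoint ID and IP address are assumptions; here, pinning to one instance is expressed with the ec2-instance-connect:privateIpAddress and remotePort condition keys on the endpoint resource.

```python
import json

# Constructed sample policy. The account ID, endpoint ID and IP are placeholders,
# and the shape is an assumption, not the policy Cairn actually generates.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:OpenTunnel",
    "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-EXAMPLE",
    "Condition": {
      "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
      "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.0.5/32"}
    }
  }]
}
""")

ALLOWED_ACTION = "ec2-instance-connect:opentunnel"  # IAM action names are case-insensitive

def as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return a list of findings; an empty list means the policy is tunnel-only."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows by exclusion")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() != ALLOWED_ACTION:
                findings.append(f"statement {i}: extra action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if "*" in res or ":instance-connect-endpoint/" not in res:
                findings.append(f"statement {i}: resource not pinned to one endpoint: {res}")
        cond = stmt.get("Condition", {})
        port = cond.get("NumericEquals", {}).get("ec2-instance-connect:remotePort")
        if str(port) != "22":
            findings.append(f"statement {i}: remotePort not restricted to 22")
        ip = cond.get("IpAddress", {}).get("ec2-instance-connect:privateIpAddress", "")
        if not str(ip).endswith("/32"):
            findings.append(f"statement {i}: privateIpAddress not a single /32 host")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY)) or "OK: tunnel-only, one endpoint, one host, port 22")
```

To audit a real policy, pass the parsed JSON of the policy document attached to the per-device IAM user to audit_policy.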
5. You're done
From now on, opening Cairn on your iPhone connects through AWS to your Mac wherever it is. The reverse tunnel auto-recycles every ~50 minutes inside EICE's 1-hour limit, transparently.
Tearing it down
Open Apps → Jump Host → Destroy. This removes the instance, endpoint, security groups, and per-iPhone IAM users. Your AWS account is left as it was.
Questions, issues, suggestions
The public issue tracker and roadmap live at github.com/p10q/cairn.