SSH AWS EC2 instance - amazon-web-services

I want to SSH into an AWS EC2 instance, but only from my computer, like SSH over the key. Only my computer should be able to SSH into that instance. How can I configure it?
Thanks.

A common way to achieve that is to set up the security group of your instance so that only your IP can access the instance:
Rules to connect to instances from your computer

As Marcin already answered, you should use a security group to restrict access to your IP only. However, whenever you change the network, you have to manually edit that security group again.
One solution would be to restrict access by MAC address using a firewall, something like this:
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
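The security-group approach from the two answers above, with the "my address changed again" problem handled in code. This is an added example, not code from either answer: it computes the revoke/authorize calls needed so that the only port-22 rule it manages is your current public IP as a /32, reports any other port-22 sources it finds (0.0.0.0/0 in particular), and leaves rules other people added alone. The Description marker, the group ID and the sample IpPermissions data are made up for the example; the apply step expects a boto3 EC2 client from the caller.

```python
"""Pin an EC2 security group's SSH rule to your current public IP.

Added example, not code from the answers above.  Assumptions: you pass in the
IpPermissions list as returned by describe-security-groups, the rule this
script manages is recognised by the Description marker below (so rules other
people added on port 22 are reported but never touched), and the optional
apply step gets a boto3 EC2 client from the caller.
"""
import ipaddress

SSH_PORT = 22
RULE_DESCRIPTION = "ssh-from-my-computer"  # hypothetical marker for the rule we own


def ssh_rule(cidr, description=RULE_DESCRIPTION):
    """One IpPermissions entry for TCP/22 from a single CIDR."""
    rng = {"CidrIp": cidr}
    if description:
        rng["Description"] = description
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "IpRanges": [rng]}


def _port22_ranges(ip_permissions):
    """Yield the IPv4 ranges of every rule that is exactly TCP/22."""
    for perm in ip_permissions:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) \
                != ("tcp", SSH_PORT, SSH_PORT):
            continue
        for rng in perm.get("IpRanges", []):
            yield rng


def plan_ssh_rule_update(ip_permissions, my_ip):
    """Return (to_revoke, to_authorize) so that afterwards the only managed
    TCP/22 source is my_ip/32.  Both lists are ready to hand to
    revoke_security_group_ingress / authorize_security_group_ingress."""
    addr = ipaddress.ip_address(my_ip)
    if addr.version != 4 or addr.is_loopback or addr.is_unspecified:
        raise ValueError(f"not a usable public IPv4 address: {my_ip}")
    wanted = f"{addr}/32"          # never a wider block than one host
    to_revoke, have_wanted = [], False
    for rng in _port22_ranges(ip_permissions):
        if rng.get("Description") != RULE_DESCRIPTION:
            continue               # someone else's rule: leave it alone
        if rng["CidrIp"] == wanted:
            have_wanted = True
        else:                      # stale address from an earlier network
            to_revoke.append(ssh_rule(rng["CidrIp"], description=None))
    to_authorize = [] if have_wanted else [ssh_rule(wanted)]
    return to_revoke, to_authorize


def unmanaged_ssh_sources(ip_permissions):
    """CIDRs that can reach port 22 but that this script does not manage.
    0.0.0.0/0 showing up here means the group is open to the world."""
    return sorted(rng["CidrIp"] for rng in _port22_ranges(ip_permissions)
                  if rng.get("Description") != RULE_DESCRIPTION)


def apply_plan(ec2, group_id, plan):
    """Apply a plan with a boto3 EC2 client (revoke first, then authorize)."""
    to_revoke, to_authorize = plan
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    if to_authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_authorize)


if __name__ == "__main__":
    # Constructed sample: a stale managed rule, an unrelated HTTPS rule and a
    # port-22 rule nobody owns.  Real data comes from boto3.client("ec2")
    # .describe_security_groups(GroupIds=[gid])["SecurityGroups"][0]["IpPermissions"]
    current = [
        ssh_rule("198.51.100.7/32"),
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ssh_rule("0.0.0.0/0", description=None),
    ]
    plan = plan_ssh_rule_update(current, "203.0.113.9")
    print("revoke:", plan[0])
    print("authorize:", plan[1])
    print("port 22 also open to:", unmanaged_ssh_sources(current))
    # apply_plan(boto3.client("ec2"), "sg-0123456789abcdef0", plan)  # real run
```

Run it from the new network with whatever gives you your public address (the "my IP" source in the console, or an external lookup) and the stale /32 is swapped for the current one in two API calls. Anything `unmanaged_ssh_sources` prints is a rule this script will not remove for you, so an open 0.0.0.0/0 stays visible instead of silently coexisting with the /32.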

A solution that doesn't require you to frequently update your security groups with your IP address is to use SSH through AWS Session Manager. Using SSH through Session Manager works exactly like a normal SSH connection. The SSH through Session Manager solution works by creating an SSH tunnel through your Session Manager connection. You can control access to your instance using IAM by restricting which AWS users can call StartSession on your EC2 instance. In your case, you can configure access to Session Manager only for the IAM user you configure on your computer.
You may even want to consider using Session Manager on its own, because that also allows you to connect to your instance and run commands... but using SSH through Session Manager gives you the security benefits of Session Manager and the familiarity of SSH. Session Manager allows you to connect to your EC2 instance without opening inbound ports on your security groups, so it is more secure from a networking point of view, especially if you have a publicly reachable instance. It uses normal HTTPS traffic, so your instance will only need outbound access to the SSM Session Manager endpoints.
More details on how SSM Session Manager works here.
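The IAM restriction the answer above describes, as an added example that is not part of the answer or of any AWS sample: a policy for the IAM user on your computer that allows ssm:StartSession only on one instance and only with the AWS-StartSSHSession document, a small lint that flags the common mistake of granting StartSession on Resource "*", and the ssh_config stanza that makes `ssh i-...` go through Session Manager. The region, account and instance IDs are placeholders; the ProxyCommand line follows the form AWS documents for SSH over Session Manager, and the document ARN wildcard and ssm:SessionDocumentAccessCheck condition are used as I understand them from the AWS documentation.

```python
"""Scope SSH-over-Session-Manager to one IAM user and one instance.

Added example, not code from the answer above or from AWS.  The region,
account and instance IDs are placeholders; the policy goes on the IAM user
whose credentials live on your computer, and the ssh_config stanza follows
the AWS-documented ProxyCommand for the AWS-StartSSHSession document.
"""
import json

SSH_DOCUMENT = "AWS-StartSSHSession"


def start_session_policy(region, account, instance_id):
    """Allow StartSession only on this instance and only via the SSH
    port-forwarding document; the user may end/resume their own sessions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SshToOneInstanceOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": [
                    f"arn:aws:ec2:{region}:{account}:instance/{instance_id}",
                    f"arn:aws:ssm:*:*:document/{SSH_DOCUMENT}",
                ],
                # Make the CLI enforce the document permission too, so the
                # user cannot pick a shell document that is not listed here.
                "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
            },
            {
                "Sid": "OwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def start_session_findings(policy):
    """Lint: every Allow of ssm:StartSession must name specific instance(s)
    and must not use a bare '*' or instance/* resource.  Returns findings;
    an empty list means StartSession is scoped the way the answer describes."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a in ("ssm:startsession", "ssm:*", "*") for a in actions):
            continue
        resources = _as_list(st.get("Resource", []))
        sid = st.get("Sid", "<no Sid>")
        if "*" in resources:
            findings.append(f"{sid}: StartSession allowed on Resource '*'")
        inst = [r for r in resources if ":instance/" in r]
        if not inst:
            findings.append(f"{sid}: no instance ARN, so any target is allowed")
        for r in inst:
            if r.rsplit("/", 1)[1] in ("*", ""):
                findings.append(f"{sid}: wildcard instance in {r}")
    return findings


def ssh_config_stanza(profile=None):
    """~/.ssh/config entry: `ssh i-0123...` is tunnelled through Session
    Manager, so the security group needs no inbound port 22 at all."""
    prof = f" --profile {profile}" if profile else ""
    return (
        "Host i-* mi-*\n"
        f'    ProxyCommand sh -c "aws ssm start-session{prof} --target %h '
        f"--document-name {SSH_DOCUMENT} --parameters 'portNumber=%p'\"\n"
    )


if __name__ == "__main__":
    policy = start_session_policy("us-west-2", "123456789012", "i-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    print("findings:", start_session_findings(policy))
    print(ssh_config_stanza(profile="laptop"))
```

The instance still needs its own role with the SSM managed-instance permissions and outbound HTTPS to the SSM endpoints, and the SSM agent and Session Manager plugin must be installed; the policy above only controls who may open the tunnel. Run the lint over whatever policy you actually attach: a bare "*" on StartSession means that user can reach every SSM-managed instance in the account, not just yours.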

Related

Elastic Beanstalk & EC2 Instance Connect: Can't connect

I created an Elastic Beanstalk environment from Visual Studio and need to log in to service the underlying EC2 VM.
I don't have any credentials for the server, so I wanted to use EC2 Instance Connect.
When I click connect, I get an error message:
We were unable to connect to your instance. Make sure that your instance’s network settings are configured correctly for EC2 Instance Connect. For more information, see Task 1: Configure network access to an instance.
Following the link, I found the instructions:
Ensure that the security group associated with your instance allows inbound SSH traffic on port 22 from your IP address or from your network.
(Amazon EC2 console browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the EC2_INSTANCE_CONNECT filter for the service parameter to get the IP address ranges in the EC2 Instance Connect subset.
How do I connect to the Elastic Beanstalk underlying EC2 via EC2 Instance Connect?
What I've tried:
I created a new security group that contains my client IP address, but that didn't work. Which makes sense, as it's the EC2 Instance Connect app running in the Console making the SSH connection, not my local machine.
Also looked at the ip ranges json file (https://ip-ranges.amazonaws.com/ip-ranges.json), but not sure what to do with that.
I misunderstood the Set up EC2 Instance Connect instructions. This support article had clearer instructions: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/
Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.
The key was to find the IP range for EC2 Instance Connect and then create a security group to whitelist that IP range.
The EC2 Instance Connect IP range can be retrieved via PowerShell by using Get-AWSPublicIpAddressRange (or curl). For us-west-2:
> Get-AWSPublicIpAddressRange -Region us-west-2 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix
IpPrefix
--------
18.237.140.160/29
Once I configured my Security Group to use that Source I could connect.
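The same lookup as the PowerShell one above, done against the raw ip-ranges.json so it works without the AWS tools, and turned straight into a security-group rule. This is an added example, not code from the answer: every entry in the file carries a service tag, so filtering on service == EC2_INSTANCE_CONNECT and the region gives exactly the block the console client connects from. The embedded JSON is a constructed excerpt in the real file's layout (the us-west-2 prefix is the one found above; the eu-west-1 entry is a placeholder), the group ID is made up, and only refresh_ranges() touches the network.

```python
"""Find the EC2 Instance Connect source ranges in ip-ranges.json and turn them
into a security-group rule.  Added example, not code from the answers above.
The JSON below is a constructed excerpt in the real file's layout; the
us-west-2 prefix is the one the answer above found, the eu-west-1 one is a
placeholder.  refresh_ranges() fetches the live file and is the only part
that needs network access.
"""
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
SERVICE = "EC2_INSTANCE_CONNECT"

SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "18.237.140.160/29", "region": "us-west-2",
     "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-west-2"},
    {"ip_prefix": "192.0.2.0/29", "region": "eu-west-1",
     "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
    {"ip_prefix": "18.237.140.160/29", "region": "us-west-2",
     "service": "AMAZON", "network_border_group": "us-west-2"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-west-2",
     "service": "AMAZON", "network_border_group": "us-west-2"}
  ],
  "ipv6_prefixes": []
}
""")


def instance_connect_prefixes(ranges, region, want_ipv6=False):
    """Prefixes published for EC2_INSTANCE_CONNECT in one region.

    The same block also appears under the broad AMAZON service tag; that entry
    is ignored so the result is only what the console client uses."""
    key, section = (("ipv6_prefix", "ipv6_prefixes") if want_ipv6
                    else ("ip_prefix", "prefixes"))
    return sorted({p[key] for p in ranges.get(section, [])
                   if p["service"] == SERVICE and p["region"] == region})


def ssh_ingress_permission(prefixes, extra_cidrs=()):
    """IpPermissions entry granting TCP/22 from the service ranges plus any
    extra CIDRs (e.g. your own /32 for plain ssh from your machine)."""
    ip_ranges = [{"CidrIp": p, "Description": SERVICE} for p in prefixes]
    ip_ranges += [{"CidrIp": c, "Description": "my computer"} for c in extra_cidrs]
    if not ip_ranges:
        raise ValueError("no source ranges; refusing to build an empty rule")
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ip_ranges}


def refresh_ranges(url=IP_RANGES_URL):
    """Download the live ip-ranges.json (re-run when AWS changes the ranges)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    region = "us-west-2"
    prefixes = instance_connect_prefixes(SAMPLE_IP_RANGES, region)  # refresh_ranges() for live data
    if not prefixes:
        raise SystemExit(f"{SERVICE} is not published for {region}")
    perm = ssh_ingress_permission(prefixes, extra_cidrs=["203.0.113.9/32"])
    print("aws ec2 authorize-security-group-ingress "
          "--group-id sg-0123456789abcdef0 "   # hypothetical group
          f"--ip-permissions '{json.dumps([perm])}'")
```

An empty result for a region means the browser client is not published there, which is a better signal than the try-and-see approach of opening the group wider. The printed command is the rule the question asks for: the service block for the console client and your own /32 for ordinary ssh, and nothing from 0.0.0.0/0.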
Generally, a better way than using EC2 Instance Connect is through SSM Systems Manager. It does not require opening any inbound ports. Instead you should add/modify your instance role to allow SSM to work. What's more, you can control access to your instance using regular IAM permissions, unlike for EC2 Instance Connect.
Connection through SSM is in the same menu in the AWS console as EC2 Instance Connect. Thus, once you set up your instance role, wait a few minutes for the instance to register with SSM, and once this happens you should be able to use SSM Systems Manager to connect to your instance from the console.
Regarding the EC2 Instance Connect IP range: I don't know which published range applies only to EC2 Instance Connect. You would have to filter it by region probably and then find one which works. In the worst case, it's a try-and-see approach.

AWS EC2 + Cloudfront - Can I SSH in via CloudFront without a keypair?

I have inherited a webserver on AWS running an EC2 instance which is inherited via CloudFront.
I want to SSH in, but there is no keypair assigned to the EC2 instance.
The previous dev is not very helpful - all he told me was "use cloudfront".
Looking into CloudFront - I saw nothing that indicated I could SSH in that way. Did I miss something?
Is it possible for me to access the instance via SSH without a private key via Cloudfront?
I would appreciate any help.
You can't ssh into your instance through CloudFront. If you don't have the private key to ssh, there are some options you can use:
Try EC2 Instance Connect, which is a web-based SSH client. It will not ask for a private key, if it works.
Try AWS Systems Manager Session Manager, which is also a web client. This will work even if the instance was launched without any ssh client. You will need to read up on how to set it up, as it requires a special instance role and the ability of the instance to connect to the SSM service.
Use AWSSupport-ResetAccess SSM Automation to reset the ssh key for the instance.
Use a recovery instance as shown in the official AWS video.
The best options would be to try 2 and 1. But depending on how the instance is set up (is it in a private or public subnet, does it have internet access, is it Amazon Linux 2 or some non-standard AMI, what kind of roles does it have, etc.), you may need to perform extra steps to make it work.
Options 3 and 4 will require downtime, and making a backup before you attempt them would be a good choice. Options 1 and 2 may work without any downtime, depending on the instance's current setup.

How is AWS Session Manager bypassing the Security Group?

Generally, any traffic to an EC2 instance will pass through the Security Group attached to the interface of the EC2 instance. However, when an SSH connection to an EC2 instance is established via AWS Session Manager, Security Groups have no impact. How is the traffic reaching the EC2 instance if not via the instance's interface (& Security Group)?
To use Session Manager you need the SSM agent running on your instances. This opens a bi-directional pipe out (this is critical: it does not listen on any ports) to the SSM service. This is then used to piggyback signals over.
So when you make the ssh connection from your local machine to the instance via session manager, it is tunnelled over this connection.
A little extra information from AWS here: https://forums.aws.amazon.com/thread.jspa?threadID=270976

When I use SSH with web browser on AWS Console. How I can set my security group source?

Recently a new SSH access method came up on the AWS Console.
I just select my instance and click the connect button, and the SSH web console shows up!
But if I want to use that, I have to set the security group source to all.
When I set it to just my IP, the SSH web console doesn't work.
I don't want to set it to all.
How can I set it to just the AWS network or my IP?
I think you mean SSH connection (not SSL; I edited your question to change that) through EC2 Instance Connect. This would explain why it does not work when you use your IP.
To limit SSH traffic when using EC2 Instance Connect you have to use the AWS IP ranges for the service:
(Browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the EC2_INSTANCE_CONNECT filter for the service parameter to get the IP address ranges in the EC2 Instance Connect subset.
Thus, you have to allow IP ranges used by the service, not your home/work address.

Connect to RDS instance via MYSQL workbench without a static IP

I have an RDS instance that only accepts incoming requests from my EC2 instance. I want to connect MySQLWorkbench to the RDS instance, however, I use a VPN, and don't want to allow a specific IP address access to the RDS, as my local IP address changes frequently. Can I connect to my RDS instance using a PEM key or similar approach?
Yes, MySQL Workbench allows you to connect to databases using Standard TCP/IP over SSH.
Since you've got an EC2 instance running, simply use the EC2's public IP and username, and you can use the PEM as an authentication method.
ssh -o "ExitOnForwardFailure yes" -p 22 -fN ec2-user@123.456.789.XXX -L localhost:3360:rds-conn-url:3306
This is a non-login shell (N) so your terminal will hang when connected.
Alternatively, if you're using a Unix based system, you can make SSH tunnel to the EC2 instance and then use the port binding with Standard TCP/IP connection