in order to improve the security of my aws environment that has an ec2 instance that connect to an RDS in a private subnet, i use a SSH connection. i want to add a MFA to the SSH connection. i should be able to connect to EC2 without problem, but i wonder how would i connect to my RDS database that works on postgres for example, would i be prompted to input the verification code in Pgadmin?
here is a reference of the video to add MFA in EC2. but again the question is , would i still be able to use pgadmin?
https://www.youtube.com/watch?v=iOb6eZJqj-k
This MFA is not related to AWS. This MFA is just plugin for the PAM(
Pluggable Authentication Modules) in linux.
You can use it to enable MFA for SSH. This is optional authentication. It is better option to invest time to hide visibility of your VM to minimum and protect your private keys.
To improve your RDS security enable SSL in your database. After you enable it, your application (and user) requires the SSL certificate to connect your DB. You can read more in the PG docs: https://www.postgresql.org/docs/10/ssl-tcp.html
Important
You should never open phpPgAdmin to entire world. You have to limit it at least to VPN, better remove it from server and install(e.g. with docker) only when needed.
Related
I am moving from Google Cloud to AWS EC2. Issue I am experiencing is that I am unable to modify SSH keys in any shape or form.
This hinders testing a lot, since any bad key will cause me to redo the key assignation to the instance, etc etc.
I created the keypair directly from AWS (.pem), cannot connect through SSH (Catalina) Permission denied (publickey).
Same when I import the to AWS from my computer. AWS accepts them ok, but then SSH refuses to work.
When I was setting up Google Cloud, I had to match the comment of the public key to the username of the account. Is there anything else like that in EC2?
I would check out connect via Systems Manager service(SSM) and you can connect to your instance via the browser Connect to Linux Instance via SSM
I have a GO server on an EC2 instance on AWS with the same VPC as my Postgres database. I'm currently able to get the server communicating with the Postgres database by reading the password from an environment variable, but I'm not sure if this is the right way to be handling this. Is there a way I can have the server communicate with the database without having the password stored in plain text?
There is no need to use your database password to connect the server with the database. Enable IAM authentication in your RDS, and attach that role with the EC2 server running the go server.
You can easily find the implementation details here.
Connecting to AWS RDS from java without exposing password
I got problem. I did opened server from the AWS EC2 AMAZON. Its gived me .pem file. With putty key generator i did changed it to .ppk file. I want to connect my server without .ppk or .pem or any like that file. How can i remove this security check point? Thanks.
Best Regards.
You need to authenticate using the private ssh key when you connect to an EC2 instance. If you don't want to do that, then there are two choices
Recommended : To use new AWS web console ssh connection to your EC2 instance
This is quite a new feature introduced by AWS to ssh into you EC2 instance from the web browser. In your EC2 view, select the instance and click on the Connect button
Not recommended Using password based authentication for a new user.
I wouldn't be providing details on this one as it is not secured to use password based authentication and your should ideally be using the ssh keys based auth.
On AWS, I know how to set up a web server with inbound rules allowing HTTP and HTTPS and a database security group that only connect to the web server. The issue is I need to create a front end to manage the databases without using Internet access - this will be internal only and precludes the use of a public IP / public DNS. Does anyone know how I would do this?
To further elaborate, some of our AWS accounts are for internal use only - we can log in to the console, use CygWin to SSH in, see what's there, etc. But these accounts are for development purposes, and in a large enterprise such as this one, these are not allowed an IGW. So - no inbound Internet access is allowed. How do I create an app (e.g., phpMyAdmin type) in which our manager can easily view and edit the data in the database given the restriction that this must be done without inbound Internet access?
Host your database on RDS inside a VPC and create a VPN connection between your client network and your VPC.
host your database on one EC2 and also upload your front end there. your database will be running on locally on EC2 and you can connect front end to database. where database will not have public DNS it will running locally you can access only using SSH and front end script.
you check this official documentation from aws : https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html
for frontend script you can use https://www.adminer.org/ which is one file database management system. one simple file is there using this make connection to locally running database on EC2
This task fell on my lap and I have no experience with Amazon aws. We run a simple informational site along with redmine (as a subdomain) using amazon aws and want to switch to simple helix. I have researched how to switch providers and I haven't found any posts that show how to do this step by step. Is there a simple way to move from Amazon aws to another provider? I think it would be best to create a duplicate of what we have on amazon aws on the simple helix server before totally dropping amazon aws. As far as I know I only have log in details to EC2 Console, no ssh log in details or FTP for amazon aws.
When an AWS instance is launched a public/private key pair is specified and installed in the running instance. You can find the name of the key-pair by looking at details of the instance in the console. Check for "Key pair name".
Hopefully, you'll have the private key of that pair somewhere at hand. If it's lost I'm not sure how to recover it without tech support from Amazon.
If you have the private key then ssh is simple, just type:
ssh -i my.private.key -l ubuntu servername
or something similar and you're in.
FTP access might require opening up a port in the firewall. Look at the security group settings for the server to see what ports are open. Secure ftp is available if you can ssh into the machine using the same private key.