I am selling a software that runs on EC2 instances. It creates an instances, performs the job and terminates.
A client is interested in my software but he needs to run it in his AWS environment.
Is there a way I can prevent anyone to connect SSH, web terminal, etc. to the running EC2 instance?
(The instance must be connected to internet and will be in a VPC)
I have read that I can disable Session Manager.
Thanks
Other than running this on AWS account customer does not have access to, it will be very tricky to accomplish this.
Even when you create an instance without keys, or do not handle keys to the customer, they will be able (given sufficient permissions), to create AMI from that server and choose different key during provisioning.
Related
Many different AWS services use EC2 instances and you can understand that from the pricing pages.
Basically it's a multi-instance architecture (and not the more familiar multi-tenant approach that I personally use for most web applications).
When an AWS customer creates a new resource, internally AWS has to spin up a new EC2 instance, configure it, monitor its status and apply security patches and updates.
Does anyone know how do they connect to the VM to configure it?
Do they use SSH to connect or another protocol?
Or they use some kind of agent installed on the VM on first installation in order to apply the updates and changes?
Note: this question doesn't want to discuss the details of managing a database, I just want to know how AWS applies and updates the configuration of the EC2 instances when they offer a "managed" service (any service).
I was talking to one of my friends on talk on API access. So let us say I have given one AWS account read-only access to my resources, say ec2. And that account tries to scan all the metadata for my ec2 instances. Per my friend, this API call belongs control plane and connects to the AWS API ec2 endpoint over the internet. As per him, this call can not be blocked by any number of VPC controls like NACLs/Security Group, etc. As per him, any data plane calls only goes to VPC. I was kind of agree but still not very convinced that scanning ec2 instances call like listing all instances can not be blocked ..say I have given read-only permission and still wants to block that account ...so is this true that VPC controls do not project that call further. Please help me to understand better ...in case I am in my corporate network and my consuming account, which wants to scan my ec2 instances if SAAS provider.
The Amazon EC2 service is responsible for creating and managing Amazon EC2 instance, VPCs, networking, etc. The API endpoint for the EC2 service reside on the Internet. Permission to make API calls is controlled by AWS Identity and Access Management (IAM).
This is totally separate to the ability to connect to an Amazon EC2 instance. Any such connections would go via a virtualized network VPC.
For example, imagine an Amazon EC2 instance that is turned off (that is, in a Stopped state). There are no actual resources assigned to a Stopped instance -- it is just some metadata sitting in a database. It would not be possible to 'connect' with this instance because it does not exist. However, it would be possible to connect to the AWS EC2 service and issue a command to Start the instance. This API call is made via the Internet and does not require any connectivity to the VPC.
Your wording that "any data plane calls only goes to VPC" is not correct -- the calls go to the EC2 service and do not involve the VPC. The VPC is purely a network configuration that determines how resources can communicate with each other.
I have inherited a webserver on AWS running an EC2 instance
which is inherited via CloudFront.
I want to SSH in, but there is no keypair assigned to the EC2 instance.
The previous dev is not very helpful - all he told me was "use cloudfront".
Looking into CloudFront - I saw nothing that indicated I could SSH in that
way. Did I miss something?
Is it possible for me to access the instance via SSH without a private key
via Cloudfront?
I would appreciate any help
You can't ssh into your instance through CloudFront. If you don't have the private key to ssh, there are some options you can use:
Try EC2 Instance Connect which is a web-based ssh client. It will not ask for private key, if it works.
Try AWS Systems Manager Session Manager which is also web client. This will work even if the instance was launched without any ssh client. You will need to read up on how to set it up as it requires special instance role, and the ability of the instance to connect to the SSM service.
Use AWSSupport-ResetAccess SSM Automation to reset the ssh key for the instance.
Use recovery instance as shown in the official AWS video.
The best options would be to try 2 and 1. But depending on how the instance is setup, is it in private or public subnet, does it have internet access, is it Amazon Linux 2 or some non-standard AMI, what kind of roles it has, etc., you may need to perform extra steps to make it work.
Options 3 and 4 will require downtime and making backup before you attempt them would be good choice. Options 1 and 2 may work without any downtime, depending on the instance current setup.
I have an application hosted on AWS EC2 instance. Few developers access the instance via shell to do maintenance on the application. How can I limit them from accessing/downloading content from other websites through the EC2 instance? My end goal is to allow developers to access the instance via shell to do code management/deployment/maintenance and nothing else. Developers may change over time so I'm not sure if outgoing rules can be defined based on IP addresses. Any idea? Thanks in advance.
I have logged in to my amazon ec2 instance, using putty(as I am using windows). Now, I want to connect to another ec2 instance from here.
What is the process ?
I am new to Cloud computing, so can you please tell me the steps clearly?
You are looking to create an SSH tunnel, i.e. connect from your machine to a third machine, via an intermediate machine.
THis is often done for security purposes and the middle box is usually called a bastion host or jump box.
Here is some pretty detailed instructions:
https://linuxacademy.com/howtoguides/posts/show/topic/17385-use-putty-to-access-ec2-linux-instances-via-ssh-from-windows