we have a Windows EC2 instance created. We have a need to remote desktop into the instance occasionally to execute a PowerShell script that updates Microsoft's Power BI Gateway. This is all implemented in a sandbox environment. We're looking at steps/actions to implement in a production environment. From research, I have found that we need to have a different key pair for each user. I think this makes sense. But, the logistics of implementing this is beyond my knowledge. I have some basic questions that perhaps can help steer me in the right direction:
How do I generate a key pair for each user? Where would these be maintained? How do I assign the key pair by user? Do I need to create a new user in the IAM console?
Is there a way to rotate the key pairs?
An instance can only have a single key pair associated with it at a time. Does this mean that after each use, I should detach my key pair and the next user needs to attach their key pair? This all seems very manual.
This is the first I've had to deal with virtual servers and security management of said server. But, it seems that AWS would offer a service that automates this process?
Thank you.
Use AWS Systems Manager Run Command to automate common admin tasks across your EC2 instances.
When a Windows Amazon EC2 instance is launched, a random Administrator password is generated.
This password is then encrypted using the keypair selected when the instance is launched. You can access it via "Get Windows Password", and supplying the keypair.
Once you login, you are welcome to change the Administrator password or connect the instance to Active Directory.
You can also create additional Windows logins for your other users.
So, your choice is to either "share" a login for whoever needs to run the script, or give them each their own Windows login and their own password.
I also like #jarmod's idea of using the Systems Manager Run Command to execute a script without logging in!
Related
I have an AWS account and I bring someone access to one EC2 instance, all he has is only a pem file and the username and host. So he can connect with ssh without any AWS account.
I want to give him an option to turn on/off the instance. I can do it with AWS-CLI but I use my secret key for it and I don't want to give it to him.
I thought maybe to run a little instance with AWS-CLI with my secret key and enable him to do it with some website run on this little instance such that he will have a UI system via the browser and he will click on the button POWER ON and this is will run the right command with AWS-CLI
Is there any tool I can do it simply?
Thanks
I thought maybe to run a little instance with AWS-CLI with my secret
key and enable him to do it with some website run on this little
instance such that he will have a UI system via the browser and he
will click on the button POWER ON and this is will run the right
command with AWS-CLI Is there any tool I can do it simply?
That is certainly possible, but you would have to write some custom code, build that custom website, etc..
An easier method would be to simply create an IAM user in your AWS account, with only API access, and only give it an IAM policy that lets them start and stop that one instance.
You could create an API Gateway linked to an AWS Lambda function. Then, create a static web page in Amazon S3 that simply contains two links -- one for turning ON the instance, the other for turning OFF the instance.
The user could go to that page and click the appropriate link. This would trigger the AWS Lambda function, which can call StartInstances() or StopInstances() to control the instance.
This would not be a suitable solution for a commercial service because you would need authentication, but it is sufficient for use by a single 'trusted' user.
This is a simple example of how I did it:
When I am trying to retrieve password for one EC2 instance from key pair, I am getting the below error, please help me how to retrieve the password.
Password is not available.
This instance was launched from a custom AMI, or the default password has changed. A password cannot be retrieved for this instance. If you have forgotten your password, you can reset it using the Amazon EC2 configuration service.
You have several options to change the password so that you can regain access to your Windows instance. This third method is now the recommended method - using AWS Systems Manager. Note: AWS Systems Manager can take a bit of time to understand. Once you do, you will have many new powerful commands.
Run a command to change the Windows password. This document will show you how to use Instance User Data. You will want to run a Windows command net user Administrator newpassword. Setup the script and then reboot the instance. The command runs on reboot.
Resetting the Windows Administrator Password Using EC2Launch
Reset Passwords and SSH Keys on Amazon EC2 Instances
I am adding multiple servers on AWS and I want to have a better way of managing SSH keys than I have in the past. I think AWS has a service built for this, through their IAM, management system, but I am not sure.
Is it possible to store one key in AWS and have all of the servers use that key for my account? For example, if we have three users, I would like to give all of them access to the servers with their own keys - but they wouldn't have to setup a key on each server as we normally would. If one of those users left the organization, I would like to disable their account to ensure the server isn't SSH'd into.
Is that possible, or am I misunderstanding AWS' key management possibilities?
No, it is not possible to control SSH keys with IAM. In a very broad sense, SSH key is for shell access, IAM is for AWS API access.
There may be other ways to do what you are trying to accomplish. What I do is write few ansible scripts to automate this. Ansible makes it very simple to do these tasks using Ansible's ec2 module
Script 1: Launch an instance, add the users and their public keys
Script 2: Delete the user's account on all machines or move/remove the user's authorized_keys file
Like I said Ansible knows the inventory and deletes/disables the user on all machines.
I have an EC2 production server running and i have a key.
Now we have some developers that need access to the server, but for security reasons i don't want to share our private key to the server because we will loose track of who has access to the server.
I have searched in amazons documentation for answers to this, but i can't find any solution there, i have also searched the stack overflow but can't find much other than people who lost there key pair.
Is there any way to make a temporary key for the EC2 instance? or any other way i can grant them temporary access to the server?
The same account cannot be shared by using different keys. The only way to give access is to create a new user and a new keypair. Once you decide the access has to be revoked, you have to delete that user. Adding and deleting an user is explained here: Managing User Accounts on Your Linux Instance
Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to .ssh/authorized_keys. Users can login via ssh by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password, create additional users or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs in the authorized_keys file.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own Username and password/keypair. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
Just think of the Amazon EC2 server as a "normal" server. What security would you normally put on a server to ensure that authorized users can login, but unauthorized users cannot? Go ahead and do the same thing with EC2.
I created and customized a Windows EC2 instance. I gave the Administrator account for this instance a custom password. Before creating an EMI from it, I used the EC2Config service to generate a new random password for the Administrator account. The AMI was created successfully. I was able to launch a new instance, decrypt the password, RDP into it. The new instance works fine.
My issue is I am unable to login to the original custom EC2 instance from which I created the AMI. I have tried the decrypted password, as well as the custom password I had originally set. This doesn't seem to be an RDP issue, as neither Powershell Remoting is working (PS Remoting was working before creating the AMI).
Can't the original instance be used again after creating an AMI from it?
ps: I don't have another user account on the original instance. Next time I will remember to create a second Admin account.
This seems to be the expected behaviour. This has more to do with Sysprep than with AWS. The EC2ConfigService even warns us about it - "Sysprep doesn't support retaining the Admin account password for Win Server 2008 onwards". Running Sysprep wipes out the password from the original instance. The recommended way is to create a separate user account with admin privileges and use that to login and manage the system.
RDP is disabled after sysprep.
You have to mount the ebs boot volume on a different server and use ec2Savior program to renable the RDP service in the registry, reattach to your server, and boot.