I am setting up a new EC2 Amazon Linux 2 AMI and am having a try at setting up EC2 Instance Connect as it's preinstalled on my new instance.
From what I've understood the docs to mean, I should be able to create an IAM user, add a public key to that user and then SSH into the box using the IAM user's (public) key without having to create the .ssh folder on the EC2 instance.
What I've done is:
Create a user on the EC2 instance which my IAM user should map to (let's call him bob)
Uploaded my public OpenSSH key to the IAM user
Created a permission policy which allows the action ec2-instance-connect:SendSSHPublicKey (as per the docs)
Once these are all done, if I try to SSH into the box, it doesn't work and in my /var/log/secure I see a preauth failure.
If I create the .ssh/authorized_keys file and set the permissions correctly, everything works fine.
However, my understanding of the EC2 Instance Connect approach is that it gives me a central way to manage public-key based access to my instances.
Am I correct?
Am I missing something in how I'm setting this up?
I'm finding the documentation a little unclear, so some insight would be helpful.
Thank!
EC2 Instance Connect works as follows:
You issue a command that pushes a temporary public key to the instance, such as:
$ aws ec2-instance-connect send-ssh-public-key --instance-id i-001234a4bf70dec41EXAMPLE --availability-zone us-west-2b --instance-os-user ec2-user --ssh-public-key file://my_rsa_key.pub
You then establish an SSH connection to the instance using the private half of the keypair
Within the instance, the EC2 Instance Connect software interfaces with the ssh process and checks whether the SSH key provided matches the public key that was pushed with send-ssh-public-key (and it is within 60 seconds of receiving that key)
If they match, the SSH session is permitted
See: Connect Using EC2 Instance Connect - Amazon Elastic Compute Cloud
EC2 Instance Connect also provides a web-based interface that can both initiate the above process (using a temporary random keypair) and provide an SSH interface. When doing so, the SSH connection appears to come from within AWS, not your own IP address. This is because the web interface uses HTTPS to AWS, then AWS establishes the SSH connection to the instance. This has an impact on security group configuration.
Related
I would like to SSH into my Amazon Web Services (AWS) Cloud9 Elastic Cloud Compute (EC2) environment, but there is no key pair assigned to the Cloud9 EC2 environment. How can I assign a key pair to that environment, so that I can SSH into it?
I created the AWS Cloud9 EC2 environment through the Cloud9 interface, rather than creating the EC2 environment and then accessing it through Cloud9. When I create EC2 environments normally, I am given the opportunity to assign an existing key pair, or create a new key pair. This option was not presented to me when I created the environment through Cloud9.
You can SSH into a Cloud9 environment created through Cloud9. The steps are similar to sharing a running app over the internet in the docs, but instead of sharing the app, you share the SSH server.
In AWS Console, find the corresponding EC2 instance.
In the bottom panel, under the Description tab, in Security groups row, click on the link to go to associated security group.
You should now be in Security Groups section. In the bottom panel, under the Inbound tab, click Edit and add:
Type: SSH
Source: Anywhere
and click Save.
In Cloud9 terminal, add your public key to ~/.ssh/authorized_keys. Don’t replace the existing keys or elsewise Cloud9 IDE wouldn’t be able to connect to the instance.
You can now SSH into the Cloud9-managed instance using ssh ec2-user#<ip>, or ssh ubuntu#<ip> if using Ubuntu AMI, for other AMIs see default user name for the AMI
Cloud9 is managing the underlying EC2 for you so you won't get any extra charges.
A terminal is already provided by AWS but you could follow this procedure if you still want to get SSH access to a Cloud9 environment.
I created an Elastic Beanstalk environment from Visual Studio and need to login to service the underlying ec2 vm.
I don't have an credentials for the server, so I wanted to use EC2 Instance Connect.
When I click connect, I get an error message:
We were unable to connect to your instance. Make sure that your instance’s network settings are configured correctly for EC2 Instance Connect. For more information, see Task 1: Configure network access to an instance.
Following the link, I found the instructions:
Ensure that the security group associated with your instance allows inbound SSH traffic on port 22 from your IP address or from your network.
(Amazon EC2 console browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the EC2_INSTANCE_CONNECT filter for the service parameter to get the IP address ranges in the EC2 Instance Connect subset.
How do I connect to the Elastic Beanstalk underlying EC2 via EC2 Instance Connect?
What I've tried:
I created a new security group that contains my client IP address, but that didn't work. Which makes sense, as it's the EC2 Instance Connect app running in the Console making the SSH connection, not my local machine.
Also looked at the the ip ranges json file (https://ip-ranges.amazonaws.com/ip-ranges.json), but not sure what to do with that.
I misunderstood the Set up EC2 Instance Connect instructions. This support article had clearer instructions: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/
Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.
The key was to find the IP for EC2 Instance Connect and then create
a security group to whitelist that ip address.
EC2 Instance Connect IP can be retrieved via PowerShell by using Get-AWSPublicIpAddressRange (or curl). For us-west-2:
> Get-AWSPublicIpAddressRange -Region us-west-2 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix
IpPrefix
--------
18.237.140.160/29
Once I configured my Security Group to use that Source I could connect.
Generally better way then using EC2 Instance Connect is through SSM System Manager. It does not require opening any inbound ports. Instead you should add/modify your install role to allow SSM to work. What's more you can control access to your instance using regular IAM permissions, unlike for EC2 Instance Connect.
Connection through SSM is in the same menu in the AWS console as EC2 Instance Connect. Thus, once you setup your instance role, wait few minutes for the instance to register with SSM, and once this happens you should be able to use SSM System Manager to connect to your instance from the console.
Regarding EC2 Instance Connect IP range. I don't know which range published applies only to EC2 Instance Connect. You would have to filter it by region probably and then find one which works. In worse case scenario its try-and-see approach.
I have inherited a webserver on AWS running an EC2 instance
which is inherited via CloudFront.
I want to SSH in, but there is no keypair assigned to the EC2 instance.
The previous dev is not very helpful - all he told me was "use cloudfront".
Looking into CloudFront - I saw nothing that indicated I could SSH in that
way. Did I miss something?
Is it possible for me to access the instance via SSH without a private key
via Cloudfront?
I would appreciate any help
You can't ssh into your instance through CloudFront. If you don't have the private key to ssh, there are some options you can use:
Try EC2 Instance Connect which is a web-based ssh client. It will not ask for private key, if it works.
Try AWS Systems Manager Session Manager which is also web client. This will work even if the instance was launched without any ssh client. You will need to read up on how to set it up as it requires special instance role, and the ability of the instance to connect to the SSM service.
Use AWSSupport-ResetAccess SSM Automation to reset the ssh key for the instance.
Use recovery instance as shown in the official AWS video.
The best options would be to try 2 and 1. But depending on how the instance is setup, is it in private or public subnet, does it have internet access, is it Amazon Linux 2 or some non-standard AMI, what kind of roles it has, etc., you may need to perform extra steps to make it work.
Options 3 and 4 will require downtime and making backup before you attempt them would be good choice. Options 1 and 2 may work without any downtime, depending on the instance current setup.
I need that all instances that I launch in a public subnet of a VPC can access via SSH without providing a .pem, just with its private IP. Additionally, I need to create an OpenVPN server in one of them so anyone that can access to the subnet via VPN can access to any instance via SSH without providing a .pem using its private IP too.
I do not know if this is possible, but if there is another way to do that I would appreciate it if you could tell me.
Yes, it's possible, you can access your instances without .pem file by using AWS System Manager.
Use Session Manager service of AWS System manager through the AWS console page.
Session Manager: Users who want to connect to an instance with just one click from the browser or AWS CLI without having to provide SSH keys.
A user who wants to monitor and track instance access and activity, close down inbound ports on instances or enable connections to instances that do not have a public IP address.
I have an existing AWS Ubuntu EC2 instance (instance_1) with remote ssh access via a public IP address, using my own private/public keys. I create an AMI from this instance using the console, and then launch a new EC2 instance (instance_2) using this AMI. remote ssh to instance_2 (via its own public IP address) then works exactly as for instance_1.
I then use boto3 to create an AMI instead of the console and then launch another EC2 instance (instance_3). ssh authentication fails (Permission denied) on instance_3.
Any idea why the behaviour is different when the AMI is created with boto3 instead of the console? The credentials used with boto3 allow full administrator access using policy arn:aws:iam::aws:policy/AdministratorAccess.
The code to create the AMI:
ec2_client = boto3.client('ec2', region_name=region)
response = ec2_client.create_image(InstanceId=instance_id, Name=ami_name)
new_image_id = response['ImageId']
To diagnose the problem, first check the keypair of the EC2 instance you attempt to connect.
If everything fails (which is rare), you can detach the instance and turn in into standard volume, then mount it from another instance to validate or replace ~/.ssh/authorized_keys .