I have an AMI I made on an account I use for teaching. I would like to copy and use that AMI on my private account. I figured it would just be as easy as downloading from one account and uploading to the other but I can't find a download option (supposedly there are some things available in s3). I tried to edit the permissions and add the account id for the root user of my private account and that didn't work either.
Is it possible to share a private AMI with another user on another management console?
You need to use the modify-image-attribute console command to change the launch permission to add another user ID
Related
I have an AWS account and I bring someone access to one EC2 instance, all he has is only a pem file and the username and host. So he can connect with ssh without any AWS account.
I want to give him an option to turn on/off the instance. I can do it with AWS-CLI but I use my secret key for it and I don't want to give it to him.
I thought maybe to run a little instance with AWS-CLI with my secret key and enable him to do it with some website run on this little instance such that he will have a UI system via the browser and he will click on the button POWER ON and this is will run the right command with AWS-CLI
Is there any tool I can do it simply?
Thanks
I thought maybe to run a little instance with AWS-CLI with my secret
key and enable him to do it with some website run on this little
instance such that he will have a UI system via the browser and he
will click on the button POWER ON and this is will run the right
command with AWS-CLI Is there any tool I can do it simply?
That is certainly possible, but you would have to write some custom code, build that custom website, etc..
An easier method would be to simply create an IAM user in your AWS account, with only API access, and only give it an IAM policy that lets them start and stop that one instance.
You could create an API Gateway linked to an AWS Lambda function. Then, create a static web page in Amazon S3 that simply contains two links -- one for turning ON the instance, the other for turning OFF the instance.
The user could go to that page and click the appropriate link. This would trigger the AWS Lambda function, which can call StartInstances() or StopInstances() to control the instance.
This would not be a suitable solution for a commercial service because you would need authentication, but it is sufficient for use by a single 'trusted' user.
This is a simple example of how I did it:
I've outsourced development work to another company.
ATM they have AWS login details and EC2 instance key pair ( root user )
Once they deliver project, I don't want them to have access to either of AWS and/or EC2, how to achieve the same ?
For AWS I can set 2FA and change password
How about EC2 instance ? Their developer still has key pair with him.
I looked into AWS documentation but didn't understand how to manage permission properly.
I'm new to AWS and EC2, please help with this basic queries
You should not allow any user to access your EC2 instance with root key.
Normal practice:
Ask outsource developer to give his public key
Add his public to EC2 instance in authorized keys
Once the project is done to remove his public key from the ec2 instance.
Best practice in case of AWS:
Register instance in OpsWork stack
Ask user for his public key
Add user in the OpsWork stack as he is already AWS user
He will able to access the instance
So once the project, Delete the user from Ops work and AWS, his access will be revoked. In this case you do not need to change anything on instance side, AWS OpsWork will take care of it.
For AWS I can set 2FA and change password
Better to create IAM user for him, once the project is done delete that user.
I want the users want to use the private [shared from another account] or owned AMIs only. I've tried searching in the AWS documentation and stckoverflow. Does any one know if this can be done?
Thanks
You cannot restrict permissions for specific users within the specified AWS account. All users in the AWS account that you've specified can use the AMI or snapshot. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html
I believe you can restrict to certain AMIs by following this document:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#ex5
The 2nd example includes a policy that specifies a list of AMIs that can be launched, while the 3rd example show how to restrict to just Amazon AMIs.
I've created a user "developer" on my amazon ec2 instance with restricted privileges and I've assigned him a password. Now I want allow him to connect to my instance (via ssh or sftp) and let him do something small like upload some files in a specific folder and I don't want let him play with my server like an administrator. How can I do it if I provide him the instance .pem key?
Can I give him the .pem key and force him to login using the developer account?
Accounts granted in AWS (with IAM) are independent of user accounts on a given instance. IAM account give the user access to parts of AWS defined by the policy associated with the group or user.
If you want to give someone access to the instance, you can have them generate their own personal keypair (ssh-keygen or puttygen). You will take the public part of the keypair and add it to the ~/.ssh/authorized_keys file of the user you want them to login as.
You can use IAM groups and users. The documentation is here.
IAM allows you to generate separate access keys for users with restricted usage rights.
There was a step missing in the leading answer. I added: You also need to add the public key on the AWS console under "Network & Security" -> "Key Pairs".
I'd add this as a comment, but don't have enough cred points yet.
This is what I am trying to do:
We have IAM in place and each user logs in to the AWS console with his/her respective email address and create the EC2 instance. I being the Administrator, when I login to AWS console, I see a whole bunch of Instance created and many of them are not even utilized. However, I am not able to figure who created those instances.
Question:
Is there a way to map EC2 Instances with the email address of the user who created it? I have thoroghly explored EC2 CLI but it was of no help. Is there a way to do this via SDK? OR did I overlook something?
Thanks.
To keep it simple without having to use an SDK outside of the CLI, you could create the tag "Owner" and have your users tag their instances they create with their name/email. You can then click on the "Show/Hide" button in the EC2 Management Console to add your tag to the other data that is shown in the console. It allows you to filter and sort instances by the value of the tag. This isn't a fail proof solution since it depends on your users to create the tags, but it is simple.