My team has some EC2 instances and we all need SSH access to them. These instances were created with one IAM user and the credentials were assigned to that user. We do have the keys but how are you suppose to give SSH access to those instances to several users?
The only way I have managed to accomplish that is by securely sharing those keys but it feels like it's the wrong way to do it. So, what are the best practices regarding the access to EC2 instances to several users?
Take a look at the steps covered in the AWS Docs for managing user accounts on your EC2 instance.
The basic idea here is to add users directly to the instance itself (via sudo adduser).
Once each of your users has an account and SSH key stored locally on the EC2 instance, they should be able to SSH into it as expected.
An option might be to create your EC2 instances as part of an AWS OpsWorks Stack.
AWS OpsWorks is a configuration management service that helps you configure and operate applications in a cloud enterprise by using Puppet or Chef
The advantage of using this is that Opsworks manages SSH key access to instances for multiple users, while allowing each user to manage their own SSH private keys. according to the docs:
For Linux stacks, AWS OpsWorks Stacks provides a simpler and more flexible way to manage SSH key pairs.
Each user registers a personal key pair.
They store the private key locally and register the public key with AWS OpsWorks Stacks, as described in Registering an IAM User's Public SSH Key.
When you set user permissions for a stack, you specify which users should have SSH access to the stack's instances.
AWS OpsWorks Stacks automatically creates a system user on the stack's instances for each authorized user and installs their public key. The user can then use the corresponding private key to log in, as described in Logging In with SSH.
Additionally, if you want to convert your existing setup:
You can also incorporate Linux-based computing resources into a stack that was created outside of AWS OpsWorks Stacks.
Amazon EC2 instances that you created directly by using the Amazon EC2 console, CLI, or API.
Related
I've outsourced development work to another company.
ATM they have AWS login details and EC2 instance key pair ( root user )
Once they deliver project, I don't want them to have access to either of AWS and/or EC2, how to achieve the same ?
For AWS I can set 2FA and change password
How about EC2 instance ? Their developer still has key pair with him.
I looked into AWS documentation but didn't understand how to manage permission properly.
I'm new to AWS and EC2, please help with this basic queries
You should not allow any user to access your EC2 instance with root key.
Normal practice:
Ask outsource developer to give his public key
Add his public to EC2 instance in authorized keys
Once the project is done to remove his public key from the ec2 instance.
Best practice in case of AWS:
Register instance in OpsWork stack
Ask user for his public key
Add user in the OpsWork stack as he is already AWS user
He will able to access the instance
So once the project, Delete the user from Ops work and AWS, his access will be revoked. In this case you do not need to change anything on instance side, AWS OpsWork will take care of it.
For AWS I can set 2FA and change password
Better to create IAM user for him, once the project is done delete that user.
I have a scaling group of several EC2 instances.
I have API keys which I would like to distribute to the instances using round-robin.
How can I code the instances to get the credentials once they go live?
Is there an AWS service for that?
It is not AWS credentials which could be solved by defining IAM Roles.
Thanks
Use "user data" option when you start your EC2 instance, You can run the bash script.
I recommend the following step.
1-put your cred or other shared information to S3 or dynamoDB.
2-write script to read and setting this data when your EC2 was starting.
The closest thing AWS has to this is called IAM Roles. A role includes a set of IAM permissions (like an IAM user). When you start a VM, you can set the role of the VM. The VM can then call the AWS API and get temporary credentials that give it access to the services that are defined in the IAM role.
See here for more details:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
This does not exactly meet your requirement for round-robin credentials distribution. But it might be a better option. IAM roles are as secure a method of distributing credentials to EC2 instances as you can get.
AWS now provides two services that could be used for that purpose:
The Secrets Manager would seem to be the most fitting, but does cost money from the start.
The Parameter Store is also an option and is free for up to 10k parameters.
There are many users in my Amazon IAM. All of them added to admin group. May I deny used Amazon CLI for all and allow only one don't change group memberly?
Thank you.
It sounds like your situation is:
Your users are authorized to have access to an Amazon EC2 instance via their EC2 Key Pairs
The EC2 instance was launched with a Role that has been given certain permissions
Any user who logs into the EC2 instance can therefore run AWS Command-Line Interface (CLI) commands that take advantage of permissions assigned to the Role
You do not want all users to have such permissions
If you do not want all users to have such permissions, then you should not assigned a Role to the EC2 instance. Instead, provide IAM credentials separately to each application on the server (although that can be a lot of effort in itself).
Another option is to allow users to use the applications (eg via an exposed port, such as a web server) but do not allow them to login to the instance.
I am adding multiple servers on AWS and I want to have a better way of managing SSH keys than I have in the past. I think AWS has a service built for this, through their IAM, management system, but I am not sure.
Is it possible to store one key in AWS and have all of the servers use that key for my account? For example, if we have three users, I would like to give all of them access to the servers with their own keys - but they wouldn't have to setup a key on each server as we normally would. If one of those users left the organization, I would like to disable their account to ensure the server isn't SSH'd into.
Is that possible, or am I misunderstanding AWS' key management possibilities?
No, it is not possible to control SSH keys with IAM. In a very broad sense, SSH key is for shell access, IAM is for AWS API access.
There may be other ways to do what you are trying to accomplish. What I do is write few ansible scripts to automate this. Ansible makes it very simple to do these tasks using Ansible's ec2 module
Script 1: Launch an instance, add the users and their public keys
Script 2: Delete the user's account on all machines or move/remove the user's authorized_keys file
Like I said Ansible knows the inventory and deletes/disables the user on all machines.
I have a use case where in I have installed a private instance of webpagetest http://www.webpagetest.org on EC2 . Now I want to enable autoscaling of the webpagetest AMIs . Now for autoscaling the AMI , I need to mention the AWS secret key and access key here in the configuration. https://github.com/WPO-Foundation/webpagetest/blob/master/www/settings/ec2.ini.sample
Now the team that handles AWS in my organization are hesitant to give me the keys.
Is there a work around for problem like this. Can the keys be shared in some other way.
The proper way to do this is to create an IAM role, and assign it to the EC2 instance.
You can't assign a role to an existing instance, so you will have to recreate your instance.
The AWS documentation for this is available here