I'm very new to AWS. I've just started a new job where I've been passed all the credentials from the guy I've taken over from. So I have root access to the AWS console account, but with the former employee's user name and password. He's also set me up with SSH credentials for the EC2 instance.
My problem however is he didn't give me admin privileges for the EC2 instance. So when I SSH in and try to upload code changes I get permission denied. Is there some way I can change my privileges through the AWS console? Coming from Digital Ocean so I'm completely at a loss here on what way to go about it.
AWS credentials control the management of AWS resources, such as the launching of EC2 instances. They aren't relevant at the OS level on a Linux (or Windows) instance. You may need to use sudo to elevate your privileges on a Linux instance.
Just a few things could work here:
Since you have all the credentials passed on from the guy, they should include the key pair for the instances. If you have that, you could SSH in using it like so:
ssh -i "my-key-pair" ec2-user@ec2xxxxx.xxxx.compute.amazonaws.com
The default user, either 'ec2-user' or 'ubuntu', has sudo privileges by default. Run the following after logging in:
sudo -i
You could then edit the sudoers file to grant the necessary permissions.
You could take an AMI of the currently running instance and launch a copy. While launching, create a new key pair. The rest of the steps are the same as in Plan 1.
I need to create an IAM user so that the user can perform the tasks below:
Log Management & Audits
Intrusion Detection
Managed Backup
Centralized Anti-virus
Vulnerability Scanning
Monitoring
Hardened AMI (Amazon Machine Images)
I would like to know how this can be done in the AWS Management Console. I am new to AWS.
IAM users are users of the Amazon API/CLI/UI, not OS users. You can create an IAM user that can create EC2 instances, and on those instances there will be a default OS user that you can log in with using an SSH key you can provide. For Amazon Linux images the user will be called 'ec2-user', for other distributions it will be e.g. 'ubuntu' or 'centos', and they will have sudo privileges.
For all of the things you ask you need to be able to login on the instance itself via SSH. So you need to either share the default user's SSH key with that person, or you need to create a second user on the machine itself.
Here is my issue: I am far more familiar with ssh than with the AWS CLI, so when I SSH into an instance I can run 'whoami' and any other command. Seeing how I am ec2-user with root (maybe?) level access, can I then do the same things as I can with the AWS CLI, such as create-instance or stop-instances?
Even something more perverted and quite useless maybe: can I run the AWS CLI once I am logged in over SSH? And since I am logged in, is using the secret/key needed?
The AWS Command-Line Interface (CLI) is a Python program that uses the AWS SDK for Python to make API calls to AWS. These calls require AWS credentials that are linked to an AWS account.
AWS CLI calls (and any calls to the AWS API) can be made from any computer on the Internet, including your own computer and Amazon EC2 instances. The one benefit that Amazon EC2 instances have is the ability to assign an IAM Role to the instance, which can automatically provide credentials. Any other computer needs to store credentials in a file, which will be used when making API calls.
So, your aws commands will work on an Amazon EC2 instance if:
The AMI you select has the AWS CLI installed (all Amazon Linux AMIs have it installed)
An IAM Role has been assigned to the instance
Please note that the credentials used by ssh to login to an instance (ssh keypairs) are totally unrelated to the credentials used to make API calls to AWS (Access Key/Secret Key).
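The credential lookup the answer above describes, as an added example that is not part of the original answer: a POSIX shell function that reports where the AWS CLI would get its credentials on the current host, checking the same three places in the order the CLI consults them (environment variables, the shared credentials file, then an instance role fetched through IMDSv2). It is a simplified model of the CLI's default chain (the real chain has further steps, such as the config file and container credentials); the profile name, the credentials file path and the curl-based role lookup are assumptions for illustration, and it prints only the source, never a key.

```shell
#!/bin/sh
# Added example, not from the original answer: report where the AWS CLI/SDK
# will find credentials on this host, following (a simplified form of) the
# default provider chain in the order the CLI consults it: environment
# variables, then the shared credentials file, then the EC2 instance role
# served by the instance metadata service (IMDS). Only the source is printed.

IMDS="http://169.254.169.254"   # real IMDS address; only reachable from inside EC2

# aws_credential_source [profile] [credentials_file]
# Prints one of: environment, shared-credentials-file, instance-role:<name>, none
aws_credential_source() {
    profile="${1:-${AWS_PROFILE:-default}}"
    creds_file="${2:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}"

    # 1. Environment variables win over everything else.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo environment
        return 0
    fi

    # 2. A [profile] section in the shared credentials file that carries a key id.
    if [ -r "$creds_file" ] && profile_has_key "$profile" "$creds_file"; then
        echo shared-credentials-file
        return 0
    fi

    # 3. An IAM role attached to the instance, fetched via IMDSv2 (token first).
    #    This is the only step that needs no stored secret anywhere on disk.
    role="$(imds_role_name 2>/dev/null || true)"
    if [ -n "$role" ]; then
        echo "instance-role:$role"
        return 0
    fi

    echo none
    return 1
}

# profile_has_key PROFILE FILE: true if the [PROFILE] section has an aws_access_key_id line.
profile_has_key() {
    awk -v want="[$1]" '
        $0 == want            { inside = 1; next }
        /^\[/                 { inside = 0 }
        inside && /^[[:space:]]*aws_access_key_id[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# imds_role_name: print the name of the instance role from IMDSv2, or nothing.
imds_role_name() {
    command -v curl >/dev/null 2>&1 || return 1
    token="$(curl -s -m 1 -X PUT "$IMDS/latest/api/token" \
                -H "X-aws-ec2-metadata-token-ttl-seconds: 60")" || return 1
    [ -n "$token" ] || return 1
    curl -s -m 1 -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/iam/security-credentials/"
}

# Run with --report to print the source for this host; sourcing the file
# only defines the functions.
if [ "${1:-}" = "--report" ]; then
    aws_credential_source
fi
```

On a workstation with no role it answers environment or shared-credentials-file; on an instance that has a role attached and nothing else configured it answers instance-role:<name>, which is exactly the case where aws commands work without any access key stored on the box. Whether you reached the instance over SSH has no bearing on the result.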
When I try to retrieve the password for one EC2 instance using the key pair, I get the error below. Please help me retrieve the password.
Password is not available.
This instance was launched from a custom AMI, or the default password has changed. A password cannot be retrieved for this instance. If you have forgotten your password, you can reset it using the Amazon EC2 configuration service.
You have several options to change the password so that you can regain access to your Windows instance. This third method is now the recommended method - using AWS Systems Manager. Note: AWS Systems Manager can take a bit of time to understand. Once you do, you will have many new powerful commands.
Run a command to change the Windows password. This document will show you how to use Instance User Data. You will want to run the Windows command net user Administrator newpassword. Set up the script and then reboot the instance. The command runs on reboot.
Resetting the Windows Administrator Password Using EC2Launch
Reset Passwords and SSH Keys on Amazon EC2 Instances
I have two EC2 instances in the same subnet, but when I try to ssh from one instance to the other I get a publickey denied message; it does not prompt for a password.
[root@ip-10-0-21-156 ~]# ssh testuser@10.0.21.170
Permission denied (publickey).
By default, EC2 instances are configured to provide SSH authentication via public/private keys. So, just like you needed a private key (you likely downloaded the .pem file when you created the IAM keypair) installed on your local computer in order to SSH into the instance, you also need a private key installed on the instance in order to SSH from that instance into another instance.
What you didn't see behind the scenes was that when you launched the instance and specified the key-pair name, EC2 let you download the private key (.pem file), automatically created the user on the instance (e.g. on the Ubuntu AMI, the username is 'ubuntu' and on the Amazon Linux AMI, the username is 'ec2-user') AND it put the public key that matches the private key into the ~/.ssh/authorized_keys file. All of that needs to happen before you can SSH into an instance.
So, assuming you launched the two instances with the same keypair, in order to SSH from instance A to instance B, everything has been done for you EXCEPT for putting the private key (the .pem file) into the ~/.ssh directory. AWS considers keeping the private key on the instance a security risk and therefore does not do it automatically. So, simply put the private key into the .ssh directory on instance A and then add it to your keyring or you can specify the key in the ssh command like so:
ssh -i ~/.ssh/PRIVATE_KEY.pem USERNAME@INSTANCE_B_LOCAL_IP
All that said, it's generally a bad idea to keep private keys for other instances on an EC2 instance and if you find yourself needing to do that, you should likely rethink your architecture for whatever it is your doing (i.e. there are probably better ways of doing it).
Additionally, you really shouldn't be using the EC2-created user account (i.e. ubuntu@ or ec2-user@) for normal day-to-day stuff or even to perform maintenance or other sysadmin work. You should really create your own account, because the EC2-created account is essentially a root account.
AWS recommends continuing to use public/private key authentication for all accounts, however you could switch to use password-based authentication and then not need to worry about the keys. This is inherently less secure than using key-based authentication, however given strict password requirements, you could increase security.
The only thing you will need to do when creating additional accounts (either password-based or key-based), is to make sure your personalized account has sudo access so you can sudo to do things that require root access. In Ubuntu, you can do this by adding the following line to the /etc/sudoers.d/90-cloud-init-users file:
USERNAME ALL=(ALL) NOPASSWD:ALL
While you're there, consider disabling the sudo access for the EC2-created username. Even though no one else will have the key, everyone will know that there is an ubuntu account that has sudo access. Just like with passwords, knowing the username is a substantial part of a hacker's job.
Hope this helps.
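The steps in the answer above (a personal account, key-only login, a sudoers drop-in, then revoking the default user's sudo) as one added shell script; it is not part of the original answer. It assumes it is run as root on the instance (after sudo -i), that cloud-init placed the default user's grant in /etc/sudoers.d/90-cloud-init-users, and that the new user's OpenSSH public key is in a file. The username alice and the file name alice.pub are placeholders. The NOPASSWD:ALL grant matches the line the answer shows; drop NOPASSWD if you want sudo to ask for a password.

```shell
#!/bin/sh
# Added example, not from the original answer: create a personal admin
# account on an Ubuntu or Amazon Linux EC2 instance the way the answer
# describes, then drop the default cloud user's sudo grant.
# Assumptions: run as root, sudo's drop-in directory is /etc/sudoers.d, and
# the new user's OpenSSH public key is available as a file. "alice" and
# "alice.pub" below are placeholders.

set -eu

# sudoers_line USER: the drop-in line the answer shows, for one user.
sudoers_line() {
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# valid_username NAME: conservative Linux username check (lowercase, max 32 chars),
# so a typo or a pasted string can never turn into a shell or sudoers surprise.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# create_admin_user USER PUBKEY_FILE: account + authorized key + validated sudo drop-in.
create_admin_user() {
    user="$1"; pubkey="$2"
    valid_username "$user" || { echo "bad username: $user" >&2; return 1; }
    [ -r "$pubkey" ]      || { echo "cannot read $pubkey" >&2; return 1; }

    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"

    # Key-based login only: 0700 on ~/.ssh, 0600 on authorized_keys, owned by the user,
    # otherwise sshd's StrictModes refuses the key.
    home="$(getent passwd "$user" | cut -d: -f6)"
    install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
    install -m 0600 -o "$user" -g "$user" "$pubkey" "$home/.ssh/authorized_keys"

    # Write the drop-in to a temp file and let visudo check the syntax before it
    # lands in /etc/sudoers.d: a broken file there breaks sudo for everyone.
    tmp="$(mktemp)"
    sudoers_line "$user" > "$tmp"
    visudo -cf "$tmp" >/dev/null
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/90-$user"
    rm -f "$tmp"
}

# revoke_cloud_user_sudo USER: comment out the cloud-init sudo grant for the
# default account (ubuntu / ec2-user). Do this only after your own account
# has logged in and sudo has been confirmed to work.
revoke_cloud_user_sudo() {
    f=/etc/sudoers.d/90-cloud-init-users
    [ -f "$f" ] || return 0
    sed -i "s/^\($1 .*\)$/# \1/" "$f"
    visudo -cf "$f" >/dev/null
}

# Usage (as root): ./make_admin.sh --apply alice /root/alice.pub
if [ "${1:-}" = "--apply" ]; then
    create_admin_user "$2" "$3"
    # then, from a second session logged in as the new user and after
    # "sudo -v" succeeds:  revoke_cloud_user_sudo ubuntu
fi
```

Running the drop-in through visudo -cf before installing it is the part worth copying even if you do the rest by hand: a syntax error in /etc/sudoers.d stops sudo for every account, including the one you would use to repair it. On Amazon Linux the default user may also hold sudo through the wheel group in /etc/sudoers, so check that file as well as the cloud-init drop-in.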
I created and customized a Windows EC2 instance. I gave the Administrator account for this instance a custom password. Before creating an AMI from it, I used the EC2Config service to generate a new random password for the Administrator account. The AMI was created successfully. I was able to launch a new instance, decrypt the password, and RDP into it. The new instance works fine.
My issue is that I am unable to log in to the original custom EC2 instance from which I created the AMI. I have tried the decrypted password, as well as the custom password I had originally set. This doesn't seem to be an RDP issue, as PowerShell Remoting isn't working either (PS Remoting was working before creating the AMI).
Can't the original instance be used again after creating an AMI from it?
ps: I don't have another user account on the original instance. Next time I will remember to create a second Admin account.
This seems to be the expected behaviour. This has more to do with Sysprep than with AWS. The EC2ConfigService even warns us about it - "Sysprep doesn't support retaining the Admin account password for Win Server 2008 onwards". Running Sysprep wipes out the password from the original instance. The recommended way is to create a separate user account with admin privileges and use that to login and manage the system.
RDP is disabled after Sysprep.
You have to mount the EBS boot volume on a different server and use the ec2Savior program to re-enable the RDP service in the registry, reattach the volume to your server, and boot.