I am adding multiple servers on AWS and I want to have a better way of managing SSH keys than I have in the past. I think AWS has a service built for this, through their IAM, management system, but I am not sure.
Is it possible to store one key in AWS and have all of the servers use that key for my account? For example, if we have three users, I would like to give all of them access to the servers with their own keys - but they wouldn't have to setup a key on each server as we normally would. If one of those users left the organization, I would like to disable their account to ensure the server isn't SSH'd into.
Is that possible, or am I misunderstanding AWS' key management possibilities?
No, it is not possible to control SSH keys with IAM. In a very broad sense, SSH key is for shell access, IAM is for AWS API access.
There may be other ways to do what you are trying to accomplish. What I do is write few ansible scripts to automate this. Ansible makes it very simple to do these tasks using Ansible's ec2 module
Script 1: Launch an instance, add the users and their public keys
Script 2: Delete the user's account on all machines or move/remove the user's authorized_keys file
Like I said Ansible knows the inventory and deletes/disables the user on all machines.
Related
I have an AWS account and I bring someone access to one EC2 instance, all he has is only a pem file and the username and host. So he can connect with ssh without any AWS account.
I want to give him an option to turn on/off the instance. I can do it with AWS-CLI but I use my secret key for it and I don't want to give it to him.
I thought maybe to run a little instance with AWS-CLI with my secret key and enable him to do it with some website run on this little instance such that he will have a UI system via the browser and he will click on the button POWER ON and this is will run the right command with AWS-CLI
Is there any tool I can do it simply?
Thanks
I thought maybe to run a little instance with AWS-CLI with my secret
key and enable him to do it with some website run on this little
instance such that he will have a UI system via the browser and he
will click on the button POWER ON and this is will run the right
command with AWS-CLI Is there any tool I can do it simply?
That is certainly possible, but you would have to write some custom code, build that custom website, etc..
An easier method would be to simply create an IAM user in your AWS account, with only API access, and only give it an IAM policy that lets them start and stop that one instance.
You could create an API Gateway linked to an AWS Lambda function. Then, create a static web page in Amazon S3 that simply contains two links -- one for turning ON the instance, the other for turning OFF the instance.
The user could go to that page and click the appropriate link. This would trigger the AWS Lambda function, which can call StartInstances() or StopInstances() to control the instance.
This would not be a suitable solution for a commercial service because you would need authentication, but it is sufficient for use by a single 'trusted' user.
This is a simple example of how I did it:
we have a Windows EC2 instance created. We have a need to remote desktop into the instance occasionally to execute a PowerShell script that updates Microsoft's Power BI Gateway. This is all implemented in a sandbox environment. We're looking at steps/actions to implement in a production environment. From research, I have found that we need to have a different key pair for each user. I think this makes sense. But, the logistics of implementing this is beyond my knowledge. I have some basic questions that perhaps can help steer me in the right direction:
How do I generate a key pair for each user? Where would these be maintained? How do I assign the key pair by user? Do I need to create a new user in the IAM console?
Is there a way to rotate the key pairs?
An instance can only have a single key pair associated with it at a time. Does this mean that after each use, I should detach my key pair and the next user needs to attach their key pair? This all seems very manual.
This is the first I've had to deal with virtual servers and security management of said server. But, it seems that AWS would offer a service that automates this process?
Thank you.
Use AWS Systems Manager Run Command to automate common admin tasks across your EC2 instances.
When a Windows Amazon EC2 instance is launched, a random Administrator password is generated.
This password is then encrypted using the keypair selected when the instance is launched. You can access it via "Get Windows Password", and supplying the keypair.
Once you login, you are welcome to change the Administrator password or connect the instance to Active Directory.
You can also create additional Windows logins for your other users.
So, your choice is to either "share" a login for whoever needs to run the script, or give them each their own Windows login and their own password.
I also like #jarmod's idea of using the Systems Manager Run Command to execute a script without logging in!
My team has some EC2 instances and we all need SSH access to them. These instances were created with one IAM user and the credentials were assigned to that user. We do have the keys but how are you suppose to give SSH access to those instances to several users?
The only way I have managed to accomplish that is by securely sharing those keys but it feels like it's the wrong way to do it. So, what are the best practices regarding the access to EC2 instances to several users?
Take a look at the steps covered in the AWS Docs for managing user accounts on your EC2 instance.
The basic idea here is to add users directly to the instance itself (via sudo adduser).
Once each of your users has an account and SSH key stored locally on the EC2 instance, they should be able to SSH into it as expected.
An option might be to create your EC2 instances as part of an AWS OpsWorks Stack.
AWS OpsWorks is a configuration management service that helps you configure and operate applications in a cloud enterprise by using Puppet or Chef
The advantage of using this is that Opsworks manages SSH key access to instances for multiple users, while allowing each user to manage their own SSH private keys. according to the docs:
For Linux stacks, AWS OpsWorks Stacks provides a simpler and more flexible way to manage SSH key pairs.
Each user registers a personal key pair.
They store the private key locally and register the public key with AWS OpsWorks Stacks, as described in Registering an IAM User's Public SSH Key.
When you set user permissions for a stack, you specify which users should have SSH access to the stack's instances.
AWS OpsWorks Stacks automatically creates a system user on the stack's instances for each authorized user and installs their public key. The user can then use the corresponding private key to log in, as described in Logging In with SSH.
Additionally, if you want to convert your existing setup:
You can also incorporate Linux-based computing resources into a stack that was created outside of AWS OpsWorks Stacks.
Amazon EC2 instances that you created directly by using the Amazon EC2 console, CLI, or API.
I'm indeed new to AWS and EC2, but I'm going to rip my hair out on what should be a simple process. I have created several server instances. I can ssh into them with my pem key just fine. However, when I create a new user through IAM, they can create a keypair that won't allow them to access any of the EC2 instances through SSH. I can give them full access to EC2, and they still can't login to ssh. What's the deal here? Do I actually need to login to each server and create and delete users? What is the most simple way to create an additional user and then revoke/suspend access? I'm going to rip my hair out.
IAM is used to give permissions to the AWS APIs. ssh on your server isn't an AWS API. Create ssh key pairs for your users and add the public keys to the .ssh/authorized_keys file
I have an EC2 production server running and i have a key.
Now we have some developers that need access to the server, but for security reasons i don't want to share our private key to the server because we will loose track of who has access to the server.
I have searched in amazons documentation for answers to this, but i can't find any solution there, i have also searched the stack overflow but can't find much other than people who lost there key pair.
Is there any way to make a temporary key for the EC2 instance? or any other way i can grant them temporary access to the server?
The same account cannot be shared by using different keys. The only way to give access is to create a new user and a new keypair. Once you decide the access has to be revoked, you have to delete that user. Adding and deleting an user is explained here: Managing User Accounts on Your Linux Instance
Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to .ssh/authorized_keys. Users can login via ssh by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password, create additional users or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs in the authorized_keys file.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own Username and password/keypair. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
Just think of the Amazon EC2 server as a "normal" server. What security would you normally put on a server to ensure that authorized users can login, but unauthorized users cannot? Go ahead and do the same thing with EC2.