I'm indeed new to AWS and EC2, but I'm going to rip my hair out on what should be a simple process. I have created several server instances. I can ssh into them with my pem key just fine. However, when I create a new user through IAM, they can create a keypair that won't allow them to access any of the EC2 instances through SSH. I can give them full access to EC2, and they still can't login to ssh. What's the deal here? Do I actually need to login to each server and create and delete users? What is the most simple way to create an additional user and then revoke/suspend access? I'm going to rip my hair out.
IAM is used to give permissions to the AWS APIs. ssh on your server isn't an AWS API. Create ssh key pairs for your users and add the public keys to the .ssh/authorized_keys file
Related
I've outsourced development work to another company.
ATM they have AWS login details and EC2 instance key pair ( root user )
Once they deliver project, I don't want them to have access to either of AWS and/or EC2, how to achieve the same ?
For AWS I can set 2FA and change password
How about EC2 instance ? Their developer still has key pair with him.
I looked into AWS documentation but didn't understand how to manage permission properly.
I'm new to AWS and EC2, please help with this basic queries
You should not allow any user to access your EC2 instance with root key.
Normal practice:
Ask outsource developer to give his public key
Add his public to EC2 instance in authorized keys
Once the project is done to remove his public key from the ec2 instance.
Best practice in case of AWS:
Register instance in OpsWork stack
Ask user for his public key
Add user in the OpsWork stack as he is already AWS user
He will able to access the instance
So once the project, Delete the user from Ops work and AWS, his access will be revoked. In this case you do not need to change anything on instance side, AWS OpsWork will take care of it.
For AWS I can set 2FA and change password
Better to create IAM user for him, once the project is done delete that user.
My team has some EC2 instances and we all need SSH access to them. These instances were created with one IAM user and the credentials were assigned to that user. We do have the keys but how are you suppose to give SSH access to those instances to several users?
The only way I have managed to accomplish that is by securely sharing those keys but it feels like it's the wrong way to do it. So, what are the best practices regarding the access to EC2 instances to several users?
Take a look at the steps covered in the AWS Docs for managing user accounts on your EC2 instance.
The basic idea here is to add users directly to the instance itself (via sudo adduser).
Once each of your users has an account and SSH key stored locally on the EC2 instance, they should be able to SSH into it as expected.
An option might be to create your EC2 instances as part of an AWS OpsWorks Stack.
AWS OpsWorks is a configuration management service that helps you configure and operate applications in a cloud enterprise by using Puppet or Chef
The advantage of using this is that Opsworks manages SSH key access to instances for multiple users, while allowing each user to manage their own SSH private keys. according to the docs:
For Linux stacks, AWS OpsWorks Stacks provides a simpler and more flexible way to manage SSH key pairs.
Each user registers a personal key pair.
They store the private key locally and register the public key with AWS OpsWorks Stacks, as described in Registering an IAM User's Public SSH Key.
When you set user permissions for a stack, you specify which users should have SSH access to the stack's instances.
AWS OpsWorks Stacks automatically creates a system user on the stack's instances for each authorized user and installs their public key. The user can then use the corresponding private key to log in, as described in Logging In with SSH.
Additionally, if you want to convert your existing setup:
You can also incorporate Linux-based computing resources into a stack that was created outside of AWS OpsWorks Stacks.
Amazon EC2 instances that you created directly by using the Amazon EC2 console, CLI, or API.
I am adding multiple servers on AWS and I want to have a better way of managing SSH keys than I have in the past. I think AWS has a service built for this, through their IAM, management system, but I am not sure.
Is it possible to store one key in AWS and have all of the servers use that key for my account? For example, if we have three users, I would like to give all of them access to the servers with their own keys - but they wouldn't have to setup a key on each server as we normally would. If one of those users left the organization, I would like to disable their account to ensure the server isn't SSH'd into.
Is that possible, or am I misunderstanding AWS' key management possibilities?
No, it is not possible to control SSH keys with IAM. In a very broad sense, SSH key is for shell access, IAM is for AWS API access.
There may be other ways to do what you are trying to accomplish. What I do is write few ansible scripts to automate this. Ansible makes it very simple to do these tasks using Ansible's ec2 module
Script 1: Launch an instance, add the users and their public keys
Script 2: Delete the user's account on all machines or move/remove the user's authorized_keys file
Like I said Ansible knows the inventory and deletes/disables the user on all machines.
I have an EC2 production server running and i have a key.
Now we have some developers that need access to the server, but for security reasons i don't want to share our private key to the server because we will loose track of who has access to the server.
I have searched in amazons documentation for answers to this, but i can't find any solution there, i have also searched the stack overflow but can't find much other than people who lost there key pair.
Is there any way to make a temporary key for the EC2 instance? or any other way i can grant them temporary access to the server?
The same account cannot be shared by using different keys. The only way to give access is to create a new user and a new keypair. Once you decide the access has to be revoked, you have to delete that user. Adding and deleting an user is explained here: Managing User Accounts on Your Linux Instance
Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to .ssh/authorized_keys. Users can login via ssh by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password, create additional users or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs in the authorized_keys file.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own Username and password/keypair. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
Just think of the Amazon EC2 server as a "normal" server. What security would you normally put on a server to ensure that authorized users can login, but unauthorized users cannot? Go ahead and do the same thing with EC2.
I have launched a linux server on AWS, there is another developer and i want him to work on the server, but i don't want to give .pem file to him, what should i do?
he should be able to connect to server via a console and deploy files and configure on http server. when the jobs done i want to take his priviliges back.
Thanks for your interest.
You should add his public ssh key to /home/ubuntu/.ssh/authorized_keys and that's basically it.
He will be able to login via SSH using corresponding private key.
This have nothing to do with AMI though.
There is a solution here, new user and a new key/pair for that user can be created on server machine. new user can access to server with the new key.
Another anwers about same topic is here