I have an EC2 production server running and i have a key.
Now we have some developers that need access to the server, but for security reasons i don't want to share our private key to the server because we will loose track of who has access to the server.
I have searched in amazons documentation for answers to this, but i can't find any solution there, i have also searched the stack overflow but can't find much other than people who lost there key pair.
Is there any way to make a temporary key for the EC2 instance? or any other way i can grant them temporary access to the server?
The same account cannot be shared by using different keys. The only way to give access is to create a new user and a new keypair. Once you decide the access has to be revoked, you have to delete that user. Adding and deleting an user is explained here: Managing User Accounts on Your Linux Instance
Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to .ssh/authorized_keys. Users can login via ssh by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password, create additional users or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs in the authorized_keys file.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own Username and password/keypair. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
Just think of the Amazon EC2 server as a "normal" server. What security would you normally put on a server to ensure that authorized users can login, but unauthorized users cannot? Go ahead and do the same thing with EC2.
Related
Launch an EC2 instance
Create a separate key-pair for SSH access
Provide this key-pair to few developers (say dev1, dev2, dev3)
dev3 leaves the company
How to revoke permissions for a dev3 user in such a case
When SSH is used to connect to a Linux computer, a private keypair is provided.
The Linux system will then check in the user's home directory for keys that are authorized to login. For example, if the user is ec2-user, it will look in /home/ec2-user/.ssh/authorized_keys.
If the matching public keypair is found, then the user is permitted to login.
Therefore, the recommended process is:
Each user should generate their own keypair. They can do this in the EC2 management console, or on the command line using ssh-keygen. They should keep the private keypair to themselves, but provide an Admin with the public keypair. This is done to ensure that nobody else has ever seen the private keypair (it's like a password).
The public keypair should be copied to Linux computer and added to the appropriate user's ~/.ssh/authorized_keys file. This could be a shared user like ec2-user, or it could be a separate login for each user.
If somebody leaves the company, simply remove their keypair from the authorized_keys file.
Since you have been using a shared keypair, you should remove that keypair immediately. Then, ask authorized users to create their own keypair, provide it to you, and then put them in the authorized_keys file.
we have a Windows EC2 instance created. We have a need to remote desktop into the instance occasionally to execute a PowerShell script that updates Microsoft's Power BI Gateway. This is all implemented in a sandbox environment. We're looking at steps/actions to implement in a production environment. From research, I have found that we need to have a different key pair for each user. I think this makes sense. But, the logistics of implementing this is beyond my knowledge. I have some basic questions that perhaps can help steer me in the right direction:
How do I generate a key pair for each user? Where would these be maintained? How do I assign the key pair by user? Do I need to create a new user in the IAM console?
Is there a way to rotate the key pairs?
An instance can only have a single key pair associated with it at a time. Does this mean that after each use, I should detach my key pair and the next user needs to attach their key pair? This all seems very manual.
This is the first I've had to deal with virtual servers and security management of said server. But, it seems that AWS would offer a service that automates this process?
Thank you.
Use AWS Systems Manager Run Command to automate common admin tasks across your EC2 instances.
When a Windows Amazon EC2 instance is launched, a random Administrator password is generated.
This password is then encrypted using the keypair selected when the instance is launched. You can access it via "Get Windows Password", and supplying the keypair.
Once you login, you are welcome to change the Administrator password or connect the instance to Active Directory.
You can also create additional Windows logins for your other users.
So, your choice is to either "share" a login for whoever needs to run the script, or give them each their own Windows login and their own password.
I also like #jarmod's idea of using the Systems Manager Run Command to execute a script without logging in!
In the AWS EC2 console/service, you are able to view several key pairs - what exactly is the purpose of these key pairs? Are they relevant to the ec2 instances or the rds?
Keypairs are not actually related to AWS or Amazon EC2. They are related to Linux.
When using Linux utilities like ssh and scp, keypairs are used to authenticate users. For example, if you use this command:
ssh -i key.pem ec2-user#IP-ADDRESS
The receiving Linux operating system will look in the /home/ec2-user/.ssh/authorized_keys file. It will check whether the private keypair supplied in key.pem matches a public keypair in that file. If they match, then the connection is permitted.
To make this process simpler, there is some software installed in Amazon Linux that will accept a nominated keypair and install the public half in the the authorized_keys file. This makes it easy to initially login to the instance.
You are then welcome to modify the contents of the authorized_keys file to add/remove any keypairs you wish. You can also create new users on the operating system and add appropriate keypairs to their authorized_keys file.
Common corporate security practices involve each staff member generating their own keypair (so only they have the private keypair), then providing the public half of the keypair to the IT department. Whenever access is requested to a particular Linux computer, the IT people can add their public keypair in the appropriate location. This then grants the staff member access to the computer.
The Amazon EC2 service provides an easy way to generate keys and it will also keep the public half of the keypair, which can be used to add keys when an instance is launched. However, you do not need to keep these keypairs! If you prefer to manage the keypairs yourself (as suggested above), then you do not need to keep these in AWS beyond the initial launch of the instance.
Amazon RDS does not allow users to connect via SSH, so keypairs are not used with Amazon RDS.
Bottom line: Keypairs are used by Linux computers to authenticate users.
From AWS documentation:
Amazon EC2 uses public key cryptography to encrypt and decrypt login information. Public key cryptography uses a public key to encrypt a piece of data, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair. Public key cryptography enables you to securely access your instances using a private key instead of a password.
When you launch an instance, you specify the key pair. You can specify an existing key pair or a new key pair that you create at launch. At boot time, the public key content is placed on the instance in an entry within ~/.ssh/authorized_keys. To log in to your instance, you must specify the private key when you connect to the instance.
So, we can see what the purpose of the key pair is. It is used to ensure safe login and connection to your EC2 instance.
I have two EC2 instances in same subnet but I when I am trying to ssh from one instance to another I am getting publickey denied message, it does not prompt password
[root#ip-10-0-21-156 ~]# ssh testuser#10.0.21.170
Permission denied (publickey).
By default, EC2 instances are configured to provide SSH authentication via public/private keys. So, just like you needed a private key (you likely downloaded the .pem file when you created the IAM keypair) installed on your local computer in order to SSH into the instance, you also need a private key installed on the instance in order to SSH from that instance into another instance.
What you didn't see behind the scenes was that when you launched the instance and specified the key-pair name, EC2 let you download the private key (.pem file), automatically created the user on the instance (e.g. on the Ubuntu AMI, the username is 'ubuntu' and on the Amazon Linux AMI, the username is 'ec2-user') AND it put the public key that matches the private key into the ~/.ssh/authorized_keys file. All of that needs to happen before you can SSH into an instance.
So, assuming you launched the two instances with the same keypair, in order to SSH from instance A to instance B, everything has been done for you EXCEPT for putting the private key (the .pem file) into the ~/.ssh directory. AWS considers keeping the private key on the instance a security risk and therefore does not do it automatically. So, simply put the private key into the .ssh directory on instance A and then add it to your keyring or you can specify the key in the ssh command like so:
ssh -i ~/.ssh/PRIVATE_KEY.pem USERNAME#INSTANCE_B_LOCAL_IP
All that said, it's generally a bad idea to keep private keys for other instances on an EC2 instance and if you find yourself needing to do that, you should likely rethink your architecture for whatever it is your doing (i.e. there are probably better ways of doing it).
Additionally, you really shouldn't be using the EC2 created user account (i.e. ubuntu# or ec2-user#) for normal day to day stuff or even to perform maintenance or other sysadmin work. You should really create your own account, because the EC2 created account is essentially a root account.
AWS recommends continuing to use public/private key authentication for all accounts, however you could switch to use password-based authentication and then not need to worry about the keys. This is inherently less secure than using key-based authentication, however given strict password requirements, you could increase security.
The only thing you will need to do when creating additional accounts (either password-based or key-based), is to make sure your personalized account has sudo access so you can sudo to do things that require root access. In Ubuntu, you can do this by adding the following line to the /etc/sudoers.d/90-cloud-init-users file:
USERNAME ALL=(ALL) NOPASSWD:ALL
While you're there, consider disabling the sudo access for the EC2 created username. Even though no one else will have the key, everyone will know that there is an ubuntu account that has sudo access. Just like with passwords, knowing the username is a substantial part of a hackers job.
Hope this helps.
I am adding multiple servers on AWS and I want to have a better way of managing SSH keys than I have in the past. I think AWS has a service built for this, through their IAM, management system, but I am not sure.
Is it possible to store one key in AWS and have all of the servers use that key for my account? For example, if we have three users, I would like to give all of them access to the servers with their own keys - but they wouldn't have to setup a key on each server as we normally would. If one of those users left the organization, I would like to disable their account to ensure the server isn't SSH'd into.
Is that possible, or am I misunderstanding AWS' key management possibilities?
No, it is not possible to control SSH keys with IAM. In a very broad sense, SSH key is for shell access, IAM is for AWS API access.
There may be other ways to do what you are trying to accomplish. What I do is write few ansible scripts to automate this. Ansible makes it very simple to do these tasks using Ansible's ec2 module
Script 1: Launch an instance, add the users and their public keys
Script 2: Delete the user's account on all machines or move/remove the user's authorized_keys file
Like I said Ansible knows the inventory and deletes/disables the user on all machines.