This is what I am trying to do:
We have IAM in place and each user logs in to the AWS console with his/her respective email address and creates EC2 instances. Being the Administrator, when I log in to the AWS console, I see a whole bunch of instances created and many of them are not even utilized. However, I am not able to figure out who created those instances.
Question:
Is there a way to map EC2 instances to the email address of the user who created them? I have thoroughly explored the EC2 CLI but it was of no help. Is there a way to do this via the SDK? Or did I overlook something?
Thanks.
To keep it simple without having to use an SDK outside of the CLI, you could create the tag "Owner" and have your users tag the instances they create with their name/email. You can then click on the "Show/Hide" button in the EC2 Management Console to add your tag to the other data that is shown in the console. It allows you to filter and sort instances by the value of the tag. This isn't a fail-proof solution since it depends on your users creating the tags, but it is simple.
I have an AWS account and I gave someone access to one EC2 instance; all he has is a pem file and the username and host. So he can connect with ssh without any AWS account.
I want to give him an option to turn on/off the instance. I can do it with AWS-CLI but I use my secret key for it and I don't want to give it to him.
I thought maybe to run a little instance with AWS-CLI with my secret key and enable him to do it with some website run on this little instance, such that he will have a UI via the browser and he will click on the button POWER ON and this will run the right command with AWS-CLI.
Is there any tool with which I can do this simply?
Thanks
I thought maybe to run a little instance with AWS-CLI with my secret key and enable him to do it with some website run on this little instance, such that he will have a UI via the browser and he will click on the button POWER ON and this will run the right command with AWS-CLI. Is there any tool with which I can do this simply?
That is certainly possible, but you would have to write some custom code, build that custom website, etc.
An easier method would be to simply create an IAM user in your AWS account, with only API access, and only give it an IAM policy that lets them start and stop that one instance.
You could create an API Gateway linked to an AWS Lambda function. Then, create a static web page in Amazon S3 that simply contains two links -- one for turning ON the instance, the other for turning OFF the instance.
The user could go to that page and click the appropriate link. This would trigger the AWS Lambda function, which can call StartInstances() or StopInstances() to control the instance.
This would not be a suitable solution for a commercial service because you would need authentication, but it is sufficient for use by a single 'trusted' user.
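The least-privilege policy the answer above describes (start/stop of one instance only), as an added example that is not from the original post: it builds the IAM policy document for an assumed account, region and instance id, and includes a simplified evaluator so you can confirm before attaching it that the policy permits nothing beyond those two actions on that one instance.

```python
import fnmatch

# Assumed placeholder values; substitute your own account, region and instance id.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
INSTANCE_ID = "i-0123456789abcdef0"

def instance_arn(account_id, region, instance_id):
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"

def start_stop_policy(account_id, region, instance_id):
    """Identity policy for the delegated IAM user: start/stop one instance, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": instance_arn(account_id, region, instance_id)},
            # DescribeInstances has no resource-level permissions, so it is granted on "*".
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: implicit deny, explicit Deny wins, '*' and '?' wildcards
    in Action (case-insensitive) and Resource. Conditions, NotAction/NotResource and SCPs
    are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, p)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    policy = start_stop_policy(ACCOUNT_ID, REGION, INSTANCE_ID)
    own = instance_arn(ACCOUNT_ID, REGION, INSTANCE_ID)
    other = instance_arn(ACCOUNT_ID, REGION, "i-0fedcba9876543210")
    print("start own instance:", is_allowed(policy, "ec2:StartInstances", own))
    print("start other instance:", is_allowed(policy, "ec2:StartInstances", other))
    print("terminate own instance:", is_allowed(policy, "ec2:TerminateInstances", own))
```

The same policy document can be attached to the Lambda execution role in the API Gateway variant, so the function itself cannot do more than the two links expose.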
This is a simple example of how I did it:
We have a Windows EC2 instance created. We have a need to remote desktop into the instance occasionally to execute a PowerShell script that updates Microsoft's Power BI Gateway. This is all implemented in a sandbox environment. We're looking at steps/actions to implement in a production environment. From research, I have found that we need to have a different key pair for each user. I think this makes sense. But the logistics of implementing this are beyond my knowledge. I have some basic questions that perhaps can help steer me in the right direction:
How do I generate a key pair for each user? Where would these be maintained? How do I assign the key pair by user? Do I need to create a new user in the IAM console?
Is there a way to rotate the key pairs?
An instance can only have a single key pair associated with it at a time. Does this mean that after each use, I should detach my key pair and the next user needs to attach their key pair? This all seems very manual.
This is the first time I've had to deal with virtual servers and security management of said servers. But it seems that AWS would offer a service that automates this process?
Thank you.
Use AWS Systems Manager Run Command to automate common admin tasks across your EC2 instances.
When a Windows Amazon EC2 instance is launched, a random Administrator password is generated.
This password is then encrypted using the keypair selected when the instance is launched. You can access it via "Get Windows Password", and supplying the keypair.
Once you login, you are welcome to change the Administrator password or connect the instance to Active Directory.
You can also create additional Windows logins for your other users.
So, your choice is to either "share" a login for whoever needs to run the script, or give them each their own Windows login and their own password.
I also like #jarmod's idea of using the Systems Manager Run Command to execute a script without logging in!
I've outsourced development work to another company.
ATM they have AWS login details and the EC2 instance key pair (root user).
Once they deliver the project, I don't want them to have access to either AWS and/or EC2. How do I achieve this?
For AWS I can set 2FA and change password
How about the EC2 instance? Their developer still has the key pair with him.
I looked into AWS documentation but didn't understand how to manage permission properly.
I'm new to AWS and EC2, please help with these basic queries.
You should not allow any user to access your EC2 instance with root key.
Normal practice:
Ask the outsourced developer to give you his public key.
Add his public key to the EC2 instance's authorized keys.
Once the project is done, remove his public key from the EC2 instance.
Best practice in case of AWS:
Register the instance in an OpsWorks stack.
Ask the user for his public key.
Add the user to the OpsWorks stack, as he is already an AWS user.
He will be able to access the instance.
So once the project is done, delete the user from OpsWorks and AWS, and his access will be revoked. In this case you do not need to change anything on the instance side; AWS OpsWorks will take care of it.
For AWS I can set 2FA and change password
Better to create an IAM user for him; once the project is done, delete that user.
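The "normal practice" above ends with removing the contractor's public key from authorized_keys. As an added example (not from the original answer), the helper below revokes an entry by its SHA256 fingerprint, the value `ssh-keygen -lf` prints, rather than by the free-text comment, so a renamed or comment-less entry is still caught; the authorized_keys content and key blobs are constructed stand-ins, and options containing embedded whitespace are not handled.

```python
import base64
import hashlib

def _fake_blob(label):
    # Constructed stand-in for a public-key blob; real blobs come from ssh-keygen.
    return base64.b64encode(label.encode()).decode()

# Constructed authorized_keys content for the demonstration (not from any real host).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by ops",
    f"ssh-ed25519 {_fake_blob('admin-key')} admin@example.com",
    f"ssh-ed25519 {_fake_blob('contractor-key')} dev@vendor.example",
    f'no-pty,command="/usr/bin/false" ssh-rsa {_fake_blob("deploy-key")} deploy',
]) + "\n"

def parse_entry(line):
    """(keytype, blob, comment) for one authorized_keys line; None for blanks and comments.
    Leading options are skipped by locating the key-type field."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (what `ssh-keygen -lf` prints) of a base64 blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def revoke_key(text, target_fingerprint):
    """Drop every entry whose key material matches the fingerprint. Comments are free
    text, so they are never used for matching. Returns (new_text, number_removed)."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        entry = parse_entry(line)
        if entry and fingerprint(entry[1]) == target_fingerprint:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed

if __name__ == "__main__":
    contractor = fingerprint(_fake_blob("contractor-key"))
    new_text, n = revoke_key(SAMPLE_AUTHORIZED_KEYS, contractor)
    print(f"removed {n} entry(ies):\n{new_text}")
```

When applying this to the real ~/.ssh/authorized_keys, write the result to a temporary file in the same directory with mode 0600 and rename it over the original so sshd never reads a half-written file.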
I have an AMI I made on an account I use for teaching. I would like to copy and use that AMI on my private account. I figured it would just be as easy as downloading from one account and uploading to the other but I can't find a download option (supposedly there are some things available in s3). I tried to edit the permissions and add the account id for the root user of my private account and that didn't work either.
Is it possible to share a private AMI with another user on another management console?
You need to use the modify-image-attribute console command to change the launch permission to add another user ID.
Can I fetch the details of the user who created the instance in AWS using
instance-id
ami id
tag details
or anything?
I want to contact the person who created a particular instance under a particular role. How can I achieve this?
You can query CloudTrail logs to find the user who started the instances.
Here is the Python Boto3 script I have created to list all the instances and owner.
https://gist.github.com/sudharsans/39d5eaf8a82b7ccdf8b3230d13ba7d81
You can query the CloudTrail events, and if you need more detailed info, then you can make use of AWS Config, which will give you even more granular details.
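The two approaches on this page, the "Owner" tag from the first answer and the CloudTrail lookup from the answers just above, combined into one added example (not the linked gist and not code from either answer): it reads constructed samples of `aws ec2 describe-instances` and `aws cloudtrail lookup-events` output, prefers the Owner tag, falls back to the identity that issued RunInstances, and flags instances nobody can be tied to.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output (stand-in data, not a real account).
DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "Tags": [{"Key": "Owner", "Value": "alice@example.com"}]},
    {"InstanceId": "i-0bbb222", "Tags": [{"Key": "Name", "Value": "scratch"}]},
    {"InstanceId": "i-0ccc333"},
]}]})

# Constructed sample of `aws cloudtrail lookup-events --lookup-attributes
# AttributeKey=EventName,AttributeValue=RunInstances` output, trimmed to the fields used here.
LOOKUP_EVENTS = json.dumps({"Events": [{
    "EventName": "RunInstances",
    "Resources": [{"ResourceType": "AWS::EC2::Instance", "ResourceName": "i-0bbb222"}],
    "CloudTrailEvent": json.dumps({"userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/Developers/bob@example.com"}}),
}]})

def tagged_owners(describe_json):
    """Instance id -> Owner tag value, or None when the instance carries no Owner tag."""
    owners = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            owners[inst["InstanceId"]] = tags.get("Owner")
    return owners

def cloudtrail_creators(events_json):
    """Instance id -> ARN of the identity that issued RunInstances. For AssumedRole
    identities the last ARN segment is the session name, which for console/SSO logins
    is usually the user's login or e-mail."""
    creators = {}
    for event in json.loads(events_json)["Events"]:
        if event["EventName"] != "RunInstances":
            continue
        who = json.loads(event["CloudTrailEvent"]).get("userIdentity", {}).get("arn", "unknown")
        for res in event.get("Resources", []):
            if res.get("ResourceType") == "AWS::EC2::Instance":
                creators[res["ResourceName"]] = who
    return creators

def attribute_instances(describe_json, events_json):
    """Owner tag first, CloudTrail creator second, 'UNATTRIBUTED' when neither is known."""
    owners = tagged_owners(describe_json)
    creators = cloudtrail_creators(events_json)
    return {iid: owner or creators.get(iid, "UNATTRIBUTED") for iid, owner in owners.items()}

if __name__ == "__main__":
    for iid, who in sorted(attribute_instances(DESCRIBE_INSTANCES, LOOKUP_EVENTS).items()):
        print(iid, who)
```

CloudTrail event history served by lookup-events only covers the last 90 days, so instances older than that need the trail's S3 logs (or Athena over them) as the events input instead.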