SSH access through IAM with EC2 instance connect.
In order to avoid giving the PEM key to the user or employee and adding the user's or employee's key to the servers, Amazon introduced Amazon EC2 Instance Connect. Whenever an employee leaves the company, simply delete the IAM user; there is no need to go to each server, search for his or her key and delete it.
Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH).
With EC2 Instance Connect, you can control SSH access to your instances using AWS Identity and Access Management (IAM) policies as well as audit connection requests with AWS CloudTrail events. In addition, you can leverage your existing SSH keys or further enhance your security posture by generating one-time use SSH keys each time an authorized user connects. Instance Connect works with any SSH client, or you can easily connect to your instances from a new browser-based SSH experience in the EC2 console.
The SSH public keys are only available for one-time use for 60 seconds in the instance metadata. To connect to the instance successfully, you must connect using SSH within this time window. Because the keys expire, there is no need to track or manage these keys directly, as you did previously.
Please follow the below steps to set up EC2 Instance Connect.
- Connect to the instance
- Run sudo apt-get update
- Install EC2 Instance Connect with the below command
sudo apt-get install ec2-instance-connect
- Log in to AWS and navigate to IAM.
- Select a user and attach the existing policy that gives access to all the instances in your account. Please find the example policies below. If you want to give access to only particular instances, you can do that too. The one below is for all instances.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2-instance-connect:SendSSHPublicKey"
      ],
      "Resource": [
        "arn:aws:ec2:$REGION:$ACCOUNTID:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ec2-user"
        }
      }
    }
  ]
}
The one below is for particular instances. You need to create a custom policy or an inline policy for this.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": [
        "arn:aws:ec2:youregion:youraccountid:instance/i-01234567instanceid",
        "arn:aws:ec2:youregion:youraccountid:instance/i-34595ggginstacedid1",
        "arn:aws:ec2:youregion:youraccountid:instance/i-instaceid2",
        "arn:aws:ec2:youregion:youraccountid:instance/i-instance-id-3"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ubuntu"
        }
      }
    }
  ]
}
Replace the region and account ID with yours. The ec2:osuser value depends on your OS. For example, the user will be ubuntu for Ubuntu and ec2-user for Amazon Linux.
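As an added example (not code from the original post), the following Python helper generates a per-instance policy like the one above for a list of instance IDs and one OS user, and includes a simplified evaluator so you can check which instance/OS-user pairs a policy would allow before attaching it. The region, account ID and instance IDs are constructed placeholders; the evaluator handles Allow statements with wildcards and the ec2:osuser StringEquals condition only, not Deny statements or other condition keys.

```python
import re

# Constructed placeholders (not from the post): replace with your own values.
REGION = "us-east-1"
ACCOUNT = "123456789012"
ACTION = "ec2-instance-connect:SendSSHPublicKey"

def instance_arn(instance_id, region=REGION, account=ACCOUNT):
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"

def build_policy(instance_ids, os_user):
    """Least-privilege SendSSHPublicKey policy for the given instance IDs (or ["*"]) and OS user."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", os_user):
        raise ValueError(f"unexpected OS user name: {os_user!r}")
    for iid in instance_ids:
        # EC2 instance IDs are "i-" followed by 8 or 17 hex characters.
        if iid != "*" and not re.fullmatch(r"i-[0-9a-f]{8}([0-9a-f]{9})?", iid):
            raise ValueError(f"not an EC2 instance ID: {iid!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": [instance_arn(i) for i in instance_ids],
            "Condition": {"StringEquals": {"ec2:osuser": os_user}},
        }],
    }

def _iam_match(pattern, value):
    # IAM Action/Resource matching: '*' is any run of characters, '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def allows(policy, instance_id, os_user):
    """Simplified evaluator: Allow statements, wildcards, and the ec2:osuser StringEquals condition."""
    arn = instance_arn(instance_id)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_iam_match(a, ACTION) for a in actions):
            continue
        if not any(_iam_match(r, arn) for r in resources):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ec2:osuser")
        if wanted is not None and wanted != os_user:
            continue
        return True
    return False
```

Pass the result of build_policy through json.dumps to paste it as an inline policy; a mismatched OS user in the condition is the most common reason SendSSHPublicKey is denied even though the instance ARN matches.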
Now ask your employee or user to follow the below steps.
Generate a new private and public key pair, mynew_key and mynew_key.pub, with the below command
ssh-keygen -t rsa -f mynew_key
Use the following AWS CLI command to authorize the user and push the public key to the instance using the send-ssh-public-key command. To support this, you need the latest version of the AWS CLI.
aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id i-0989ec3292613a4f9 --availability-zone us-east-1f --instance-os-user ec2-user --ssh-public-key file://mynew_key.pub
After authentication, the public key is made available to the instance through the instance metadata for 60 seconds. During this time, connect to the instance using the associated private key.
ssh -i mynew_key ec2-user@ec2-34-204-200-76.compute-1.amazonaws.com
You will be able to log in now. If for some reason you don't connect within that 60-second window, you see the following error:
ssh -i mynew_key ec2-user@ec2-34-204-200-76.compute-1.amazonaws.com Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Run the send-ssh-public-key command again to connect using SSH.