Sunday, October 17, 2021

How to login to AWS Linux servers without EC2 key pair

Introduction

In AWS EC2, we can login to Linux servers using SSH and a key pair (public key/private key pair). The initial login will be to ec2-user and then we can sudo su - root (administrator access).

But for production servers that require secure access, this is not a good option to have for DBAs (database administrators). For example, a production server that is S-OX complaint usually requires some sort of approval before logging in and gaining privileged access (such as sudo su - root access). Firecall IDs help prevent unauthorized access by allowing access only after an approval.  But if we have the EC2 key pair we can login directly to the server just with the private key (.ppk file) using SSH thereby bypassing the firecall ID approval process.

This article explains how to disable AWS Linux server access using the EC2 key pair (How to login to AWS Linux servers without the AWS provided SSH keys). 

Important Note

Please make sure you already are able to login to the Linux servers using a different method such as using firecall IDs without the need of using the SSH private key. This alternate method must also contain a login id that gives the ability to access the root operating system user (sudo su - root). This will help yourself avoid getting locked out of the Linux server permanently should something go wrong while performing the commands as part of the solution below. One such different method is to join the Linux servers to your company domain (Active Directory).

Solution

As per https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html    

"Amazon EC2 Instance Connect provides a simple and secure way to connect to your Linux instances using Secure Shell (SSH). With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principals to control SSH access to your instances, removing the need to share and manage SSH keys."

Disable existing AWS EC2 key pair (SSH public key)

1) Delete the Key pair from the AWS EC2 web console. 

2) Login to the Linux server one last time using the SSH private key of the EC2 key pair. This login will be to ec2-user

3) cd .ssh

4) ls -lrt

5) Remove the SSH public key of the EC2 key pair from the the authorized_keys file.

6) exit

7) There is no need to delete the SSH private key. It does not matter. The SSH private key (.ppk file) becomes invalidated (useless) once the public key is removed from the authorized_keys value.

Prerequisites 

1) Install the ec2-instance-connect RPM. 

This RPM comes preinstalled if you used one of the following AMIs to launch your instance.

Amazon Linux 2 2.0.20190618 or later
Ubuntu 20.04 or later


A successful installation of this RPM can be verified by the presence of the below two lines in the file /etc/ssh/sshd_config


AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect

rpm -qa | grep ec2-instance-connect (It must provide output that confirms that the RPM is present.)

2) Create a new tag for all EC2 instances that you want to login without the AWS EC2 provided SSH key. Note the tag key and value.

3) Configure IAM permissions for EC2 Instance Connect

In AWS IAM, create a policy with the below JSON document.

 

 


 

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ec2-instance-connect:SendSSHPublicKey",
         "Resource": "arn:aws:ec2:region:account-id:instance/*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/tag-key":"tag-value"
            }
         }
      },
      {
        "Effect": "Allow",
        "Action": "ec2:DescribeInstances",
        "Resource": "*"
      }
   ]
}

Replace the region, account-id, tag-key and tag-value above with the actual values.

4) Now attach to this policy to an IAM user group or user.  Because of the concept of segregation of duties, this group or user must be used only by Linux administrators who are allowed to access root user (sudo su - root) and not DBAs.

5) Create an access key for the IAM user that got this IAM policy attached (either directly or through an IAM user group). Note the Access key ID and Secret access key values.

6) Install AWS CLI on the client computer. (if not already installed)

7) aws configure (Configure the AWS CLI). Enter the AWS Access Key ID and AWS Secret Access Key of the IAM user that has the above special IAM policy attached to.

8) On the client computer, make sure you have the below utilities. If not install them.

ssh-keygen

ssh

9) Generate a new ssh private and public key. This is not the AWS EC2 key pair. Instead, this can be any ssh private and public key pair and each client computer can login using a different private and public key pair.

ssh-keygen -t rsa -f my_rsa_key

10) Push your SSH public key to the instance

Use the send-ssh-public-key command to push your SSH public key to the instance. If you launched your instance using Amazon Linux 2, the default user name for the AMI is ec2-user. If you launched your instance using Ubuntu, the default user name for the AMI is ubuntu.

aws ec2-instance-connect send-ssh-public-key \
--instance-id actual-instance-id \
--availability-zone actual-availability-zone \
--instance-os-user ec2-user \
--ssh-public-key file://my_rsa_key.pub 
 

11) Connect to the instance using your private key

 

Use the ssh command to connect to the instance using the private key before the public key is removed 
from the instance metadata (you have 60 seconds before it is removed). Specify the private key that 
corresponds to the public key, the default user name for the AMI that you used to launch your instance,
and the instance's public DNS name or public ip address(if connecting over a private network, specify 
the private DNS name or IP address) 

ssh -o "IdentitiesOnly=yes" -i my_rsa_key ec2-user@public-or-private-ip-address-or-dns-name


Conclusion

 

This approach helps anyone login to the AWS Linux EC2 instances with a user generated SSH public 
private key. There are only 60 seconds after you push your SSH public key and before you connect to  
the Linux server using your private key.

References

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html

Related Posts Plugin for WordPress, Blogger...