In AWS EC2, we can login to Linux servers using SSH and a key pair (public key/private key pair). The initial login will be to ec2-user and then we can sudo su - root (administrator access).
But for production servers that require secure access, this is not a good option to have for DBAs (database administrators). For example, a production server that is S-OX complaint usually requires some sort of approval before logging in and gaining privileged access (such as sudo su - root access). Firecall IDs help prevent unauthorized access by allowing access only after an approval. But if we have the EC2 key pair we can login directly to the server just with the private key (.ppk file) using SSH thereby bypassing the firecall ID approval process.
This article explains how to disable AWS Linux server access using the EC2 key pair (How to login to AWS Linux servers without the AWS provided SSH keys).
Please make sure you already are able to login to the Linux servers using a different method such as using firecall IDs without the need of using the SSH private key. This alternate method must also contain a login id that gives the ability to access the root operating system user (sudo su - root). This will help yourself avoid getting locked out of the Linux server permanently should something go wrong while performing the commands as part of the solution below. One such different method is to join the Linux servers to your company domain (Active Directory).
"Amazon EC2 Instance Connect provides a simple and secure way to connect to your Linux instances using Secure Shell (SSH). With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principals to control SSH access to your instances, removing the need to share and manage SSH keys."
Disable existing AWS EC2 key pair (SSH public key)
1) Delete the Key pair from the AWS EC2 web console.
2) Login to the Linux server one last time using the SSH private key of the EC2 key pair. This login will be to ec2-user
3) cd .ssh
4) ls -lrt
5) Remove the SSH public key of the EC2 key pair from the the authorized_keys file.
7) There is no need to delete the SSH private key. It does not matter. The SSH private key (.ppk file) becomes invalidated (useless) once the public key is removed from the authorized_keys value.
1) Install the ec2-instance-connect RPM.
This RPM comes preinstalled if you used one of the following AMIs to launch your instance.
Amazon Linux 2 2.0.20190618 or later
Ubuntu 20.04 or later
A successful installation of this RPM can be verified by the presence of the below two lines in the file /etc/ssh/sshd_config
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
rpm -qa | grep ec2-instance-connect (It must provide output that confirms that the RPM is present.)
2) Create a new tag for all EC2 instances that you want to login without the AWS EC2 provided SSH key. Note the tag key and value.
3) Configure IAM permissions for EC2 Instance Connect
In AWS IAM, create a policy with the below JSON document.
Replace the region, account-id, tag-key and tag-value above with the actual values.
4) Now attach to this policy to an IAM user group or user. Because of the concept of segregation of duties, this group or user must be used only by Linux administrators who are allowed to access root user (sudo su - root) and not DBAs.
5) Create an access key for the IAM user that got this IAM policy attached (either directly or through an IAM user group). Note the Access key ID and Secret access key values.
6) Install AWS CLI on the client computer. (if not already installed)
7) aws configure (Configure the AWS CLI). Enter the AWS Access Key ID and AWS Secret Access Key of the IAM user that has the above special IAM policy attached to.
8) On the client computer, make sure you have the below utilities. If not install them.
9) Generate a new ssh private and public key. This is not the AWS EC2 key pair. Instead, this can be any ssh private and public key pair and each client computer can login using a different private and public key pair.
ssh-keygen -t rsa -f my_rsa_key
10) Push your SSH public key to the instance
Use the send-ssh-public-key command to push your SSH public key to the instance. If you launched your instance using Amazon Linux 2, the default user name for the AMI is ec2-user. If you launched your instance using Ubuntu, the default user name for the AMI is ubuntu.
--instance-id actual-instance-id \
--availability-zone actual-availability-zone \
--instance-os-user ec2-user \
11) Connect to the instance using your private key
ssh -o "IdentitiesOnly=yes" -i my_rsa_key ec2-user@public-or-private-ip-address-or-dns-name