|

Build AWS EC2 Server without SSH Key

ByL Singh

In today’s world when Infrastructure is managed as Code and servers are treated as cattle, there are times we still have to login to servers for checking logs, for auditing or any other troubleshooting reasons. If we have legacy systems then we generally have to connect to servers on regular basis. The most favourable tool to connect to servers is SSH. The SSH is very powerful yet security wise risky tool. There are lot of SSH based vulnerabilities out there that we need to protect ourselves from. In addition to this we also need to safeguard ssh keys from falling into wrong hands. And if we lose our key then generally solution is to recreate the EC2 instance from backup and use a new Key.

AWS let us use AWS SSM service to help us out of evil of SSH. Currently a lot of security engineers advice against the use of SSH to connect to servers. With help of AWS SSM we can connect to EC2 servers using EC2 Connect Web-browser session or AWS SSM CLI or AWS SSM API to avoid use of SSH or SSH key and without opening any inbound traffic and help us get rid of Jump Boxes/Bastion Hosts.

AWS SSM also allows you Powershell based shell access to Windows.

How AWS SSM helps connect to EC2?

In order for you to connect to a EC2 without SSH and and with SSM the below are needed:

  1. SSM agent need to be installed in EC2 instance. AWS Linux servers comes pre-installed with SSM agent. If you are using any other flavour or windows, then check below links:
    Linux: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html
    Windows: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html
  2. The SSM Agent running on the EC2 instances must be able to connect to Session Manager’s public endpoint. In this tutorial we will use Public IP of server and Route to Internet Gateway. You can also set up a PrivateLink connection to allow instances running in private VPCs (without Internet access or a public IP address) to connect to Session Manager.
  3. IAM Instance profile attached to EC2 with trust policy and SSM access as follows:
  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref Ec2InstanceRole ]

  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action:
              - sts:AssumeRole
      Path: /

Benefits of AWS SSM

We talked about benefits of AWS SSM above briefly. Lets list down more here:

Secure Access – You don’t have to manually set up user accounts, passwords, or SSH keys on the instances and you don’t have to open up any inbound ports. Session Manager communicates with the instances via the SSM Agent across an encrypted tunnel that originates on the instance, and does not require a bastion host.

Access Control – You use IAM policies and users to control access to your instances, and don’t need to distribute SSH keys. You can limit access to a desired time/maintenance window by using IAM’s Date Condition Operators!!

Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started.

Interactivity – Commands are executed synchronously in a full interactive bash (Linux) or PowerShell (Windows) environment

Programming and Scripting – In addition to the console access that I will show you in a moment, you can also initiate sessions from the command line (aws ssm ...) or via the Session Manager APIs.

AWS Cloudformation Template – Demo for SSM

Le’s see SSM in action. Please use the below Cloudformation template to deploy a VPC and a EC2 server ready to be connected via SSM.

https://github.com/ld-singh/aws-cloudformation-templates/blob/main/ec2-ssm-noshh/aws-ec2-ssm-nossh-server.yaml

You can use the Default values and there is no need to change unless you have a clash with existing Infrastructure. For example, if you already have a VPC with values given in default you can change CIDR values.

Once this is created, you can see your EC2 instance created with no SSH keys.

You can connect to it by selecting the EC2 instance and clicking on Connect button on top bar.

Once you click you go to Session Manager bar and click Connect button on below.

Once you click on Connect, you will be presented with a shell access in your browser!!

Awesome!! You connected to EC2 shell without using any SSH or keys.

I hope this blog helps you to architect your Infrastructure without SSH and helps you to avoid all the risks of SSH. Happy cloud computing!!

Similar Posts

|

Open Policy Agent (OPA) Gatekeeper – Kubernetes Security Hardening

ByL Singh

In addition to having secure images and secure PODS and encrypted POD to POD communication (Check my other blogs under Guides > Kubernetes Security Hardening), we need a policy based control over the cluster. The few policy based control are listed below to give an idea about policy based control Allow images from certain image…

|

Secure POD to POD communication – Kubernetes Security Hardening

ByL Singh

You can create secure docker images and deploy your pods securely as per below blog posts respectively: Secure Docker Images: https://idlbuzz.com/kubernetes-security-hardening-secure-docker-images/ Secure Pods: https://idlbuzz.com/deploying-secure-pods-kubernetes-security-hardening/ But we still may have security issues if POD to POD communication is not secure. By default POD to POD communication is over http and not encrypted. How to encrypt POD…

|

Deploying Secure Pods – Kubernetes Security Hardening

ByL Singh

We created secure docker images in blog post https://idlbuzz.com/kubernetes-security-hardening-secure-docker-images/ Now we will look into how to deploy secure Pods to a Kubernetes cluster. What is a secure Pod? We need to make sure certain steps are taken to ensure the Pod we are deploying are secure. If we do not then Pods we are deploying…