I am trying to rotate the user access keys & secret keys for all the users, last time when it was required I did it manually but now I want to do it by a rule or automation
I went through some links and found this link
https://github.com/miztiik/serverless-iam-key-sentry
with this link, I tried to use but I was not able to perform the activity, it was always giving me the error, can anyone please or suggest any better way to do it?
As I am new to aws lamda also I am not sure that how my code can be tested?
There are different ways to implements a solution. One common way you can automate this is through a storing the IAM user access keys in Secret Manager for safely storing the keys. Next, you could configure a monthly or 90 days check to rotate the keys utilizing the AWS CLI and store the new keys within AWS Secrets Manager. You could use an SDK of your choice for this.
Related
Just had this question as I not a developer if the question might sounds or silly please don’t judge.
Basically I created and instance on aws and at the end of the process I was issued private SSH key which says keep it save and don’t share it.
Now if I would like to my developers to have access to instance files and do the coding and etc. Do I need to share my private key? Or I need to create public SSH key only for their use?
How can i create it?
Can I delete it this public key and cancel access to those files after the job completion?
Please any help would be very appreciated!!!
One way (since the ssh key you were given can be used on other EC2 instances created from your account) would be for your users to create an ssh key pair and give you their public key. You then add the key to the end of the file ${HOME}/.ssh/authorized_keys. This will give your developers and other users access to only the instances you want them to have access to.
The best way would be to create an account for each person (on each server you want them to have access to) and add their public key to the ${HOME}/.ssh/authorized_keys file for their account. Then give them sudo access as needed.
From your description, you've created an instance via the UI on aws. You got given an SSH Keypair that you can use to connect. The steps to connect is at here : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html ( Step 2 )
You should not share the key with anybody, instead as a root owner you can enable password access to the servers. You can create developer user(s) and give them those credentials with needed access only.
Here are the steps to enable password access.
OR
If you don't want to enable password access then get the public keys from the developers and add them in authorised_keys file.
Here are the steps.
We are using IAM permissions for groups and users with great success for S3, SQS, Redshift, etc. The IAM for S3 in particular gives lovely level of details by path and bucket.
I am bumping into some head scratching when it comes to EC2 permissions.
How do I create a permission that allows an IAM user to:
create up to n instances
do whatever he/she wants on those instances only (terminate / stop / describe)
...and makes it impossible for him/her to affect our other instances (change termination / terminate / etc.) ?
I've been trying Conditions on tag ("Condition": {"StringEquals": {"ec2:ResourceTag/purpose": "test"}}), but that means that all of our tools need to be modified to add that tag at creation time.
Is there a simpler way?
Limiting the number of instances an IAM user can create is not possible (unfortunately). All you have is a limit on the number of instances in the entire account.
Limiting permissions to specific instances is possible, but you have to specify the permissions for each instance-ID, using this format:
arn:aws:ec2:region:account:instance/instance-id
More information is available here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
I am creating up an AWS Cloud formation template which sets up a set of nodes which must allow keyless ssh login amongst themselves. i.e. One controller must be able to login to all slaves with its private key. The controllers private key is generated dynamically so I do not have access to be able to hard code it into the User-Data of the Template or pass it as a parameter to the template.
Is there a way in Cloud Formation templates to add the controller's public key to slave nodes' authorized keys files?
Is there some other way to use security groups or IAMS to do what is required?
You have to pas the Public key o the master server to the slave nodes in the form of user-data. Cloudformation does support user-data. You may have to figure out the syntax for the same.
In other words, consider it as a simple bash script which will copy the master servers's public key to the slaves. and then you pass this bash script as suer-data so that it gets executed for the 1st time the instance is created.
You will find tons of goggle searches on above information.
I would approach this problem with IAM machine roles. You can grant specific machines certain AWS rights. IAM roles do not apply to ssh access, but to AWS api calls, like s3 bucket access or creating ec2 instances.
Therefore, a solution might look like:
Create a controller machine role which can write to a particular S3 bucket.
Create a slave machine role which can read from that bucket.
Have the controller create an upload a public key into the bucket.
Since you don't know if the controller is created before the slaves, you'll have to have cloud-init set up a cron job every couple minutes that downloads the key from the bucket if it hasn't done so yet.
I am using SecKeyGeneratePair to create a pair of keys, but I cannot figure out how to set access controls. I want to set it so that the second time my app wants to use it, it doesn't ask the user for permission.
It probably too late, but anyway. Check out code sample in Modifying the Access List of an Existing Keychain Item topic of Keychain Services Tasks for Mac OS X manual.
Also, if it was your application that created the keys, it should have access to them.
I lost access via ssh to my amazon ec2 instance and I need to access it NOW due to a problem with my service. I was told that there is a way to access the command-line via web with a java applet but I haven't been able to find it.
Is there a way to access the command-line without the .pem file? terminating/rebooting the instance is not feasible.
AFAIK it is not possible - Amazon does not retain private keys and once your instance has been assigned a keypair, it cannot be reassigned.
You could try to create a new instance with a separate keypair and ssh locally between them, but I don't imagine that that is possible.
If it's an EBS-based instance and you were able to stop it, you could mount the EBS volume to a new instance and copy a new key over; however, based on what you said, I don't believe it's possible. You may need to contact Amazon, but even then, there might not be anything that can be done.
Edit: on the same vein as the 2nd line, if you have other user accounts who have valid login shells, and you have sudo access on one of those accounts, you can do the same as mentioned in the last bit, where you generate a new keypair and upload the private key to ~/.ssh/authorized_keys.