How to restrict user ssh to ec2 not able to access s3 bucket accessed by ec2 application - amazon-ec2

The problem here is I have an S3 bucket (cross account). I only want the application I deployed to the EC2 instance to access the bucket (through the EC2 instance role). But I still want, say, User A (without any role to access the S3 bucket) to SSH to the instance to perform some debugging. I definitely don't want User A, who can SSH to EC2, to access that S3 bucket. Is there a way to prevent this?

Pretty sure an EC2 role applies to the entire machine, so any user that has login rights would be able to execute requests using the role.
To avoid having to debug locally from the instance, you could set up log shipping and export metric data to CloudWatch Logs/metrics. You can also set up AWS SSM Run Command to allow execution of specific commands/scripts against the instances. Both CloudWatch and Run Command can be secured with IAM policies to control who has access to what.
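A host-level mitigation that none of the answers above cover, as an added example that is not part of this thread: the instance-role credentials are served by the instance metadata service (IMDS) at 169.254.169.254, and every local user shares that network path, but an iptables owner match can restrict who may open a connection to it. The script assumes the application runs as a dedicated unprivileged account (the name `appsvc` is constructed) and that the SSH debugging user has no root or sudo rights; a root user can simply remove the rules, and the rules are not persisted across reboots.

```python
"""Restrict which local Unix users can reach the EC2 instance metadata service.

Added example, not from the original thread. Assumptions: the application runs
as a dedicated unprivileged user (APP_USER, a constructed name) and the SSH
debugging user cannot become root; root is kept on the allow list so cloud-init
and the SSM agent keep working.
"""
import pwd
import subprocess
import urllib.error
import urllib.request

IMDS_IP = "169.254.169.254"
APP_USER = "appsvc"  # constructed name; replace with the real service account


def uid_of(username: str) -> int:
    """Resolve a local account name to its numeric UID."""
    return pwd.getpwnam(username).pw_uid


def imds_rules(allowed_uids) -> list:
    """Build iptables OUTPUT rules: ACCEPT for each allowed UID, then REJECT everyone else.

    The owner match (-m owner --uid-owner) decides on the UID that owns the socket,
    not on the source address, which is identical for every user on the host.
    """
    rules = []
    for uid in allowed_uids:
        rules.append(["iptables", "-A", "OUTPUT", "-d", IMDS_IP, "-p", "tcp", "--dport", "80",
                      "-m", "owner", "--uid-owner", str(uid), "-j", "ACCEPT"])
    # Catch-all: a TCP reset gives the caller an immediate, clean failure
    rules.append(["iptables", "-A", "OUTPUT", "-d", IMDS_IP, "-p", "tcp", "--dport", "80",
                  "-j", "REJECT", "--reject-with", "tcp-reset"])
    return rules


def apply_rules(rules) -> None:
    """Apply the rules in order; must run as root. Not persisted across reboot."""
    for argv in rules:
        subprocess.run(argv, check=True)


def imds_reachable(timeout: float = 2.0) -> bool:
    """Verification step: True if the calling user can still reach the IAM credential
    listing. Run this as the SSH user after applying the rules and expect False."""
    url = f"http://{IMDS_IP}/latest/meta-data/iam/security-credentials/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return True   # got an HTTP answer (e.g. 401 when IMDSv2 is enforced): the path is open
    except (urllib.error.URLError, OSError):
        return False  # refused or timed out: the REJECT rule is doing its job


if __name__ == "__main__":
    allowed = [uid_of(APP_USER), 0]  # application user plus root
    apply_rules(imds_rules(allowed))
    print("IMDS reachable from this process:", imds_reachable())
```

The check is the important part: after applying the rules, run `imds_reachable()` once as the application user (expect True) and once as the debugging user (expect False). If the debugging user can `sudo`, this control is decorative, and the SSM Run Command approach from the answer above is the better fit.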

Related

Aws billing pricing shutting down server

I have a client AWS account I cannot get access to, and he cannot access Gmail to change the password. He owns an EC2 instance. I have SSH access. If I go in and shut down the server (not able to terminate), what will my monthly charges be? We have the 30 GB storage, which I'm sure is EBS. The owner says it's either micro or medium; I assume I can figure that out myself with the free command.
Firstly - if neither of you have access to the account, who does? As suggested in the comments you should contact AWS support to gain access to the account based on your account information.
Secondly, to your question, if the only thing running on the account is one instance with attached EBS that doesn't get any traffic, no snapshots, and no other services deployed, you would only pay for the EBS volume.
Please note that if you have programmatic access with the right privileges you can use the AWS CLI (or SDK) to terminate the instance and the EBS:
terminate-instances
--instance-ids <value>
[--dry-run | --no-dry-run]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html

Is there any alternative to add IAM role to my Running EC2 instance?

How do I add an IAM Role to a running instance? I know that it is not possible using the Console, but is there any alternative?
You can assign an IAM role to your instance using the following workaround:
Create an AMI for your instance;
Terminate your old instance;
Re-deploy it from the previously created AMI and assign an IAM role during the process.
Assigning an IAM (Identity and Access Management) Role to an Amazon EC2 instance is a way of securely providing rotating credentials to applications running on an EC2 instance. Such roles must be assigned when the instance is first launched.
If the instance you would like to use has already been launched, either:
Launch a new instance ("Launch More Like This") with a Role, or
Create a User in IAM: You will receive an Access Key and Secret Key that can be configured in the instance by using the aws configure command. This is part of the AWS Command-Line Interface (CLI).
See documentation: Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances

How to set IAM role for container level access in Mesos

I am deploying my microservice into an EC2 instance via Mesos. The problem is I am sharing my EC2 instance with other teams' microservices. All these microservices deal with different S3 buckets and we don't want the other guys to have access to our buckets. I need to assign an IAM role to my container so that only I can access my S3 bucket via the microservices deployed in the EC2 instance.
We are not using ECS and we deploy using Mesos. Any input or comment is appreciated. Thanks in advance.
There is no native AWS support for this. In the meantime you can use Lyft's metadataproxy (see also the blog post).
Quoting the blog:
We had an idea to build a web service that proxies calls to the metadata service on http://169.254.169.254 and pass through most of the calls to the real metadata service, but capture calls to the IAM endpoints. By capturing the IAM endpoints we can decide which IAM credentials we’ll hand back.
...
To know which IAM roles should be assumed, the metadataproxy has access to the docker socket. When it gets a request, it looks up the container, based on its request IP, finds that container’s environment variables and uses the value of the IAM_ROLE environment variable as the role to assume. It then uses STS to assume the role, caches the credentials in memory (for further requests) and returns them back to the caller. If the credentials cached in memory are set to expire, the proxy will re-assume the credentials.
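The quoted mechanism in miniature, as an added example that is neither part of this answer nor Lyft's metadataproxy code: requests to the IMDS IAM endpoints are answered from the role named in the requesting container's `IAM_ROLE` environment variable, everything else is passed through, and assumed credentials are cached until they are close to expiry. The container inventory and the STS client are stand-ins (constructed data and a fake AssumeRole); a real deployment reads containers from the Docker socket and calls STS through boto3.

```python
"""Credential-brokering logic of a metadata proxy, modelled in memory.

Added example; the container table and FakeSTS are constructed stand-ins.
"""
import time

IAM_PREFIX = "/latest/meta-data/iam/security-credentials/"

# Constructed container inventory keyed by container IP, as the Docker API would report it.
CONTAINERS = {
    "172.17.0.2": {"name": "team-a-svc", "env": {"IAM_ROLE": "arn:aws:iam::111111111111:role/team-a"}},
    "172.17.0.3": {"name": "team-b-svc", "env": {"IAM_ROLE": "arn:aws:iam::111111111111:role/team-b"}},
    "172.17.0.4": {"name": "no-role-svc", "env": {}},
}


class FakeSTS:
    """Stand-in for sts.assume_role: hands back short-lived credentials per role."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.calls = 0  # lets the caller observe caching behaviour

    def assume_role(self, role_arn, session_name, now=None):
        self.calls += 1
        now = time.time() if now is None else now
        return {"AccessKeyId": f"ASIA-FAKE-{session_name}", "SecretAccessKey": "fake",
                "Token": "fake-session-token", "Expiration": now + self.ttl}


class MetadataProxy:
    def __init__(self, sts, containers, refresh_margin=300):
        self.sts = sts
        self.containers = containers
        self.cache = {}              # role_arn -> credentials
        self.margin = refresh_margin  # re-assume this many seconds before expiry

    def role_for(self, client_ip):
        """Map the requesting IP to a container and read its IAM_ROLE env var."""
        container = self.containers.get(client_ip)
        if container is None:
            return None
        return container["env"].get("IAM_ROLE")

    def credentials_for(self, role_arn, now=None):
        """Return cached credentials, re-assuming the role when they are about to expire."""
        now = time.time() if now is None else now
        creds = self.cache.get(role_arn)
        if creds is None or creds["Expiration"] - now < self.margin:
            creds = self.sts.assume_role(role_arn, role_arn.rsplit("/", 1)[-1], now=now)
            self.cache[role_arn] = creds
        return creds

    def handle(self, client_ip, path, passthrough, now=None):
        """Return (status, body). Only the IAM endpoints are intercepted."""
        if not path.startswith(IAM_PREFIX):
            return passthrough(path)
        role_arn = self.role_for(client_ip)
        if role_arn is None:
            return 404, ""  # unknown container or no IAM_ROLE: hand out nothing
        role_name = role_arn.rsplit("/", 1)[-1]
        requested = path[len(IAM_PREFIX):]
        if requested == "":
            return 200, role_name  # the listing names only this container's role
        if requested != role_name:
            return 404, ""  # asking for another container's role is refused
        return 200, self.credentials_for(role_arn, now=now)


def real_imds(path):
    """Stand-in for forwarding to the real metadata service."""
    return 200, "passthrough:" + path
```

The two 404 branches carry the isolation: a container with no `IAM_ROLE` gets nothing, and a container cannot name another team's role. This model says nothing about which roles the host's own instance role is permitted to assume; that trust relationship still has to be written on the IAM side.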

Do I need to create an EC2 instance to remotely access my Amazon RDS instance?

Do I need to create an EC2 instance in order to remotely connect to my Amazon RDS instance?
I understand that setting up an Amazon RDS instance automagically creates an EC2 instance 'in the background'. But when looking into my EC2 console I don't see that hidden instance, so I can't find the details for the public DNS or Elastic IP, nor the EC2 instance key that I need to connect through SSH.
Yes, an RDS instance creates an EC2 instance to run the database but you don't have direct access to it via ssh, which is kind of the point.
RDS is a service that is managed for you and the idea is to hide the implementation details and simply provide an endpoint to connect to from another EC2 instance. You can find the endpoint name in the EC2 console - just use this as the hostname to connect to from your application and you can treat RDS just like any other database.
Amazon needs to maintain a level of control over the server in order to provide it as a service, and SSH access would interfere with that. There are a few things you miss out on because of this (e.g. direct access to DB files), but these are far outweighed by having Amazon manage upgrades, backups and replication for you.

How set an amazon ec2 user to have access to a specific instance only?

Can the user to whom I want to give access to a specific instance of my EC2 account be using a separate amazon ec2 account from mine?