Just had this question. As I'm not a developer, if the question sounds silly please don't judge.
Basically I created an instance on AWS and at the end of the process I was issued a private SSH key which says keep it safe and don't share it.
Now if I would like my developers to have access to the instance files and do the coding etc., do I need to share my private key? Or do I need to create a public SSH key only for their use?
How can I create it?
Can I delete this public key and cancel access to those files after the job is complete?
Please, any help would be very much appreciated!!!
One way (since the ssh key you were given can be used on other EC2 instances created from your account) would be for your users to create an ssh key pair and give you their public key. You then add the key to the end of the file ${HOME}/.ssh/authorized_keys. This will give your developers and other users access to only the instances you want them to have access to.
The best way would be to create an account for each person (on each server you want them to have access to) and add their public key to the ${HOME}/.ssh/authorized_keys file for their account. Then give them sudo access as needed.
From your description, you've created an instance via the UI on AWS. You were given an SSH keypair that you can use to connect. The steps to connect are here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html (Step 2)
You should not share the key with anybody; instead, as the root owner you can enable password access to the servers. You can create developer user(s) and give them those credentials with only the needed access.
Here are the steps to enable password access.
OR
If you don't want to enable password access, then get the public keys from the developers and add them to the authorized_keys file.
Here are the steps.
I haven't logged on to my EC2 in a few months. Last time I did, it seems like the RDP file that I downloaded had the password in it. That laptop died.
Today, it seems like AWS/EC2 has changed how things work. I'm able to download the RDP file, but it is prompting for a password. When I try to decrypt the password, it wants me to paste or browse to a file on my disk, which I don't have.
Is there a way to re-download my key info? Under Security, then "Key Pairs", I see the key for this server. Can I download that to my disk, or open it somehow?
I see these steps, but they look overwhelming, i.e. I don't have time for that now; I have real work to do:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Config.html
I was able to create a new key pair, but not sure if I can associate it with the instance.
When I click "Get Password" this screen appears:
UPDATE 1: I did find my .pem file, so I was able to use that to logon.
Had I not found it, what would I do?
Not much really! This is by design. AWS doesn't store your encryption key, and this prevents AWS personnel from accessing your instance. That's why you get such an ominous warning when the pem file is generated: this is your one and only opportunity to see it - don't lose it.
That said, there are several however.
If you changed your Windows password in Windows, or created a new AMI and launched a new instance from it, the pem file won't really help. You can probably create 2 administrator accounts, so if one forgets their password, you can reset it with another one.
Second - if your EBS is not encrypted, you can detach it, launch another instance, and attach the EBS to the new instance. You won't get your instance back, but you will get the data from that drive.
Finally, the "overwhelming" steps from the link that you posted. Follow good security posture, and you won't need them. But if you get sloppy, it may become your real work... better than polishing a resume...
I am trying to rotate the user access keys & secret keys for all the users. Last time, when it was required, I did it manually, but now I want to do it by a rule or automation.
I went through some links and found this link:
https://github.com/miztiik/serverless-iam-key-sentry
With this link I tried to use it, but I was not able to perform the activity; it was always giving me the error. Can anyone please help or suggest any better way to do it?
As I am also new to AWS Lambda, I am not sure how my code can be tested.
There are different ways to implement a solution. One common way you can automate this is by storing the IAM user access keys in Secrets Manager for safekeeping. Next, you could configure a monthly or 90-day check to rotate the keys utilizing the AWS CLI and store the new keys within AWS Secrets Manager. You could use an SDK of your choice for this.
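The rotation flow described in the answer above (create the replacement key, record it in Secrets Manager, then deactivate the old one), written out as an added example rather than code from the question's linked project. It assumes the Secrets Manager secret already exists under a hypothetical name `iam/<user>/access-key`, and ships with constructed in-memory stand-ins for the two boto3 clients so it runs offline; real `boto3.client("iam")` and `boto3.client("secretsmanager")` objects expose the same method names.

```python
import json
from datetime import datetime, timedelta, timezone
MAX_AGE = timedelta(days=90)  # rotation threshold suggested in the answer
def rotate_if_stale(iam, secrets, user, now):
    """Rotate `user`'s key when the active one is older than MAX_AGE; returns the new
    AccessKeyId or None. `iam`/`secrets` need only the boto3 method names used here."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    stale = [k for k in keys if k["Status"] == "Active" and now - k["CreateDate"] > MAX_AGE]
    if not stale:
        return None
    # IAM allows two keys per user: clear any already-inactive key first, or CreateAccessKey fails.
    for k in keys:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
    new = iam.create_access_key(UserName=user)["AccessKey"]
    # Record the new secret (hypothetical secret name) BEFORE cutting over, so a crash never leaves a live key nobody wrote down.
    secrets.put_secret_value(SecretId=f"iam/{user}/access-key", SecretString=json.dumps(
        {"AccessKeyId": new["AccessKeyId"], "SecretAccessKey": new["SecretAccessKey"]}))
    # Deactivate rather than delete the old key: it can be re-enabled if a consumer was missed; the sweep above deletes it next run.
    for k in stale:
        iam.update_access_key(UserName=user, AccessKeyId=k["AccessKeyId"], Status="Inactive")
    return new["AccessKeyId"]
class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (a single user)."""
    def __init__(self, keys, now):
        self.keys, self.now, self.n = keys, now, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys]}
    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: IAM permits at most two access keys per user")
        self.n += 1
        k = {"AccessKeyId": f"AKIAEXAMPLE{self.n}", "Status": "Active", "CreateDate": self.now}
        self.keys.append(k)
        return {"AccessKey": dict(k, SecretAccessKey=f"constructed-secret-{self.n}")}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys if k["AccessKeyId"] == AccessKeyId)["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[:] = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]
class FakeSecrets:  # constructed stand-in for boto3's Secrets Manager client
    def __init__(self): self.store = {}
    def put_secret_value(self, SecretId, SecretString): self.store[SecretId] = SecretString
def demo():  # constructed scenario: a 120-day-old active key plus a leftover inactive one
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    iam = FakeIAM([{"AccessKeyId": "AKIAOLD", "Status": "Active", "CreateDate": now - timedelta(days=120)},
                   {"AccessKeyId": "AKIAGONE", "Status": "Inactive", "CreateDate": now - timedelta(days=210)}], now)
    sec = FakeSecrets()
    return rotate_if_stale(iam, sec, "alice", now), {k["AccessKeyId"]: k["Status"] for k in iam.keys}, sec.store
```

Run `demo()` to see the leftover inactive key removed, the stale key deactivated and the new key written to the secret store; scheduling it (for example from a Lambda on a 90-day EventBridge rule) is left to the reader.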
I am creating an AWS CloudFormation template which sets up a set of nodes which must allow keyless ssh login amongst themselves, i.e. one controller must be able to log in to all slaves with its private key. The controller's private key is generated dynamically, so I do not have access to it to hard code it into the User-Data of the template or pass it as a parameter to the template.
Is there a way in Cloud Formation templates to add the controller's public key to slave nodes' authorized keys files?
Is there some other way to use security groups or IAM to do what is required?
You have to pass the public key of the master server to the slave nodes in the form of user-data. CloudFormation does support user-data. You may have to figure out the syntax for the same.
In other words, consider it as a simple bash script which will copy the master server's public key to the slaves, and then you pass this bash script as user-data so that it gets executed the first time the instance is created.
You will find tons of Google searches on the above information.
I would approach this problem with IAM machine roles. You can grant specific machines certain AWS rights. IAM roles do not apply to ssh access, but to AWS api calls, like s3 bucket access or creating ec2 instances.
Therefore, a solution might look like:
Create a controller machine role which can write to a particular S3 bucket.
Create a slave machine role which can read from that bucket.
Have the controller create and upload a public key into the bucket.
Since you don't know if the controller is created before the slaves, you'll have to have cloud-init set up a cron job every couple minutes that downloads the key from the bucket if it hasn't done so yet.
I lost access via ssh to my amazon ec2 instance and I need to access it NOW due to a problem with my service. I was told that there is a way to access the command-line via web with a java applet but I haven't been able to find it.
Is there a way to access the command-line without the .pem file? Terminating/rebooting the instance is not feasible.
AFAIK it is not possible - Amazon does not retain private keys and once your instance has been assigned a keypair, it cannot be reassigned.
You could try to create a new instance with a separate keypair and ssh locally between them, but I don't imagine that that is possible.
If it's an EBS-based instance and you were able to stop it, you could mount the EBS volume to a new instance and copy a new key over; however, based on what you said, I don't believe it's possible. You may need to contact Amazon, but even then, there might not be anything that can be done.
Edit: in the same vein as the 2nd line, if you have other user accounts who have valid login shells, and you have sudo access on one of those accounts, you can do the same as mentioned in the last bit, where you generate a new keypair and upload the private key to ~/.ssh/authorized_keys.
On Amazon EC2 is it possible to reassign a keypair to an already running instance?
I am having a problem with a particular keypair and am wondering if there is a way to fix it by reassigning it.
Thanks
The best solution we have been able to come up with is to create an AMI from the running instance and launch a new instance from that AMI using the new key pair.
Every instance we launch is based on a custom AMI that we maintain for this and many other reasons.
I'm interested to hear if anyone has a better approach.
Probably ... just guessing based on what I've done in a few instances:
Log into the instance with ssh. If that's the problem, you're pretty much stuck.
SFTP the public key from the new pair and put it in place in the .ssh authorized keys.
Restart the sshd.
Now, try accessing with the private key that matches the public one you put in place.
But I fear the problem you have is getting in when the pair AWS put in place has gone bad. No help there.
If you are using a Linux server you can detach the disk and mount it on another instance to work out what the problem is.
First shut down the problem server. Make a note of the device name (probably /dev/sda1) and detach the disk.
Then create a new instance (let's call it the rescue instance) using a new key pair, and attach the disk you detached as an additional disk (don't replace the rescue instance's disk).
Then log in with ssh to the rescue instance and mount the disk. In the main user account's home folder on the newly mounted disk there is a folder named .ssh with a file authorized_keys (/mnt/home/ubuntu/.ssh/authorized_keys for example).
The authorized_keys file can contain multiple public keys, each on its own line. Check the permissions on the .ssh folder and the parent folder; both should only allow write for the owner. Read permission is required for group and world I think. Any private keys in .ssh should have permission 600 (user read and write only).
This contains the public key from the original key pair. Replace this with your new public key (or add a new line with the new public key) and then shut down the rescue instance, detach the disk and attach it to the problem instance with the original device name (probably /dev/sda1).
Boot up and you should be able to login using the private key from the new key pair.
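The authorized_keys edits described on this page (appending each developer's public key and removing it again once the job is done, from the first question; replacing the original key on a mounted rescue volume, from the answer above), as an added example that is not part of any answer. It validates the pasted key line before writing it, keeps one key per line, and sets the 0700/0600 modes the answer mentions; the ed25519 keys used in `demo()` are constructed filler bytes in the right wire format, not real key pairs.

```python
import base64, os, tempfile
from pathlib import Path
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
def parse_pubkey(line):
    """Return (type, base64 blob, comment) for an OpenSSH public-key line, else ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"not an OpenSSH public key: {line[:40]!r}")
    blob = base64.b64decode(parts[1], validate=True)   # rejects truncated or garbled pastes
    n = int.from_bytes(blob[:4], "big")                # the blob begins with its own type string
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type word does not match the encoded blob")
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")
def grant_key(auth_file, pubkey, replace=False):
    """Put `pubkey` in authorized_keys, one key per line. replace=True discards the
    existing keys (the rescue-instance recipe); otherwise append unless already present.
    Also sets the modes sshd insists on: .ssh 0700, authorized_keys 0600."""
    ktype, b64, comment = parse_pubkey(pubkey)
    path = Path(auth_file)
    path.parent.mkdir(parents=True, exist_ok=True)
    lines = [] if replace or not path.exists() else path.read_text().splitlines()
    if not any(l.split()[1:2] == [b64] for l in lines):
        lines.append(f"{ktype} {b64} {comment}".rstrip())
    path.write_text("".join(f"{l}\n" for l in lines))
    os.chmod(path.parent, 0o700)
    os.chmod(path, 0o600)
    return len(lines)
def revoke_key(auth_file, comment):
    """Drop every key whose comment is `comment` (e.g. the contractor's tag) after the job; returns count removed."""
    lines = Path(auth_file).read_text().splitlines()
    kept = [l for l in lines if l.split(None, 2)[2:] != [comment]]
    Path(auth_file).write_text("".join(f"{l}\n" for l in kept))
    return len(lines) - len(kept)
def make_test_pubkey(fill, comment):
    """Constructed ed25519-format public key from 32 filler bytes (not a real key pair)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
def demo():
    """Constructed run in a temp dir: rescue-style replace, grant a developer, duplicate grant, revoke."""
    auth = os.path.join(tempfile.mkdtemp(), ".ssh", "authorized_keys")
    grant_key(auth, make_test_pubkey(1, "original-aws-keypair"), replace=True)
    grant_key(auth, make_test_pubkey(2, "dev@contractor"))
    before = grant_key(auth, make_test_pubkey(2, "dev@contractor"))   # duplicate is not added again
    removed = revoke_key(auth, "dev@contractor")
    after = Path(auth).read_text().splitlines()
    return before, removed, after, oct(Path(auth).stat().st_mode & 0o777)
```

On the rescue instance the same `grant_key` call is pointed at the mounted path (/mnt/home/ubuntu/.ssh/authorized_keys in the answer) with `replace=True`; `revoke_key` is what answers the first question's "can I cancel access afterwards".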