Add user to instance to connect directly through AWS

0

I can connect to an instance using SSH, but I don't want to have to go through manually adding a user to the wheel, etc. Is there any way to use the IAM users to add them so that they may connect via AWS?

DMaras
asked 8 months ago, 387 views
2 Answers
2
Accepted Answer

Yes, you can utilize IAM roles and EC2 instance profiles to allow users to SSH into an EC2 instance without manually creating user accounts on the instance. However, this requires some configuration and the use of the "EC2 Instance Connect" feature.

Here's a step-by-step guide:

1. Enable EC2 Instance Connect

Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH). To use it:

  1. Launch a new EC2 instance or select an existing one. Ensure it's an Amazon Linux 2, Ubuntu, or similar distribution that supports EC2 Instance Connect.
  2. Make sure the instance has an IAM role with permissions for EC2 Instance Connect.

2. Set up IAM Policies for SSH Access

Create an IAM policy that allows a user to use EC2 Instance Connect. Here's an example policy:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": "ec2-instance-connect:SendSSHPublicKey",
         "Resource": "arn:aws:ec2:region:account-id:instance/instance-id",
         "Condition": {
            "StringEquals": {
               "ec2:osuser": "ec2-user"
            }
         }
      }
   ]
}

Replace region, account-id, and instance-id with appropriate values. Attach this policy to the IAM users or groups that need SSH access.

3. Connect to the EC2 Instance

To connect to the instance using EC2 Instance Connect:

  1. The IAM user generates a temporary SSH key pair on their local machine.
  2. They use the AWS Management Console, AWS CLI, or SDKs to push the public key to the EC2 instance.
  3. Once the public key is pushed, they can SSH into the instance using their private key. The public key only remains valid for a short period (default is 60 seconds).

Using the AWS CLI:

aws ec2-instance-connect send-ssh-public-key \
    --instance-id instance-id \
    --availability-zone us-west-2a \
    --instance-os-user ec2-user \
    --ssh-public-key file://path-to-public-key

After sending the public key:

ssh ec2-user@your-instance-public-ip -i path-to-private-key

4. (Optional) Set up EC2 Instance Connect on Custom AMIs

If you're using custom AMIs, you might need to install the EC2 Instance Connect package manually.

For CentOS based:

sudo yum install -y ec2-instance-connect

For Ubuntu:

sudo apt-get update && sudo apt-get install ec2-instance-connect

5. Logging

All connections made using EC2 Instance Connect are logged in CloudTrail, so you can audit who accessed which instance and when.

Note: It's always a good idea to restrict access by IP using security groups, even when using EC2 Instance Connect, to ensure that only trusted IPs can attempt to connect.

This setup allows you to manage SSH access via IAM, ensuring centralized access management and avoiding the need to manually manage users on each EC2 instance.

answered 8 months ago
EXPERT, reviewed 8 months ago
AWS EXPERT, reviewed 8 months ago
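As an added example (not code from the answer above or from AWS), the following Python script ties step 2 and step 5 together: it builds the least-privilege policy from step 2 for an explicit list of instance ARNs and OS users, and then runs the step 5 audit over CloudTrail records, reporting which principal pushed a key to which instance and OS user and flagging pushes for an OS user the policy was not meant to allow. The CloudTrail records are constructed samples; the field names `osUser` and `instanceId` under `requestParameters` are assumed to follow the documented Instance Connect event layout, and all account, instance and address values are placeholders.

```python
# Assumption: only this OS user should be reachable through Instance Connect (as in step 2's policy).
ALLOWED_OS_USERS = {"ec2-user"}

def build_instance_connect_policy(instance_arns, os_users=ALLOWED_OS_USERS):
    # Least-privilege policy: SendSSHPublicKey only on explicit instance ARNs and OS users
    # (StringEquals with a list of values matches any one of them).
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": sorted(instance_arns),
            "Condition": {"StringEquals": {"ec2:osuser": sorted(os_users)}},
        }],
    }

def audit_key_pushes(records, allowed_os_users=ALLOWED_OS_USERS):
    # Report every SendSSHPublicKey call: which principal pushed a key to which instance
    # and OS user, flagging OS users outside the allowed set (e.g. a push for "root").
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "ec2-instance-connect.amazonaws.com"
                or rec.get("eventName") != "SendSSHPublicKey"):
            continue  # events from other services are not key pushes
        params = rec.get("requestParameters") or {}
        os_user = params.get("osUser")
        findings.append({
            "time": rec.get("eventTime"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "instance": params.get("instanceId"),
            "os_user": os_user,
            "source_ip": rec.get("sourceIPAddress"),
            "unexpected_os_user": os_user not in allowed_os_users,
        })
    return findings

# Constructed sample CloudTrail records (layout assumed from the documented event; placeholder values).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "osUser": "ec2-user"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "osUser": "root"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]
```

Feeding real records (e.g. from a CloudTrail log export) to `audit_key_pushes` gives the who/which-instance/when view the answer describes in step 5, with any push for an unexpected OS user surfaced for follow-up.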
0

Hello,

You can use AWS Systems Manager Session Manager.

[+] Connect to your Linux instance with AWS Systems Manager Session Manager - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager-to-linux.html

Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs). You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. 

[+] AWS Systems Manager & Session Manager - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

[+] Setting up Session Manager - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html

EXPERT
answered 8 months ago
  • If you want all users to share the same underlying SSM user, then this works. However, you can't allocate different access to different users this way. You can't use groups for different users for permissions.

  • Actually, it's not covering the question. SSM is kind of a solution. Please check my answer. Best!
