Add user to instance to connect directly through AWS

0

I can connect to an instance using SSH, but I don't want to have to go through manually adding a user to the wheel group, etc. Is there any way to use the IAM users to add them so that they may connect via AWS?

DMaras
asked 8 months ago · 370 views
2 Answers
2
Accepted Answer

Yes, you can utilize IAM roles and EC2 instance profiles to allow users to SSH into an EC2 instance without manually creating user accounts on the instance. However, this requires some configuration and the use of the "EC2 Instance Connect" feature.

Here's a step-by-step guide:

1. Enable EC2 Instance Connect

Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH). To use it:

  1. Launch a new EC2 instance or select an existing one. Ensure it's an Amazon Linux 2, Ubuntu, or similar distribution that supports EC2 Instance Connect.
  2. Make sure the instance has an IAM role with permissions for EC2 Instance Connect.

2. Set up IAM Policies for SSH Access

Create an IAM policy that allows a user to use EC2 Instance Connect. Here's an example policy:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": "ec2-instance-connect:SendSSHPublicKey",
         "Resource": "arn:aws:ec2:region:account-id:instance/instance-id",
         "Condition": {
            "StringEquals": {
               "ec2:osuser": "ec2-user"
            }
         }
      }
   ]
}

Replace region, account-id, and instance-id with appropriate values. Attach this policy to the IAM users or groups that need SSH access.

3. Connect to the EC2 Instance

To connect to the instance using EC2 Instance Connect:

  1. The IAM user generates a temporary SSH key pair on their local machine.
  2. They use the AWS Management Console, AWS CLI, or SDKs to push the public key to the EC2 instance.
  3. Once the public key is pushed, they can SSH into the instance using their private key. The public key only remains valid for a short period (default is 60 seconds).

Using the AWS CLI:

aws ec2-instance-connect send-ssh-public-key \
    --instance-id instance-id \
    --availability-zone us-west-2a \
    --instance-os-user ec2-user \
    --ssh-public-key file://path-to-public-key

After sending the public key:

ssh ec2-user@your-instance-public-ip -i path-to-private-key

4. (Optional) Set up EC2 Instance Connect on Custom AMIs

If you're using custom AMIs, you might need to install the EC2 Instance Connect package manually.

For CentOS based:

sudo yum install -y ec2-instance-connect

For Ubuntu:

sudo apt-get update && sudo apt-get install ec2-instance-connect

5. Logging

All connections made using EC2 Instance Connect are logged in CloudTrail, so you can audit who accessed which instance and when.

Note: It's always a good idea to restrict access by IP using security groups, even when using EC2 Instance Connect, to ensure that only trusted IPs can attempt to connect.

This setup allows you to manage SSH access via IAM, ensuring centralized access management and avoiding the need to manually manage users on each EC2 instance.

answered 8 months ago
EXPERT
reviewed 8 months ago
AWS EXPERT
reviewed 8 months ago
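Two parts of the accepted answer are worth seeing as working code: building the least-privilege policy from step 2 for several instances at once, and actually using the CloudTrail record from step 5 (plus the IP restriction note) to audit who pushed keys. The script below is an added example, not code from the answer above or from AWS. The region, account id, instance ids, IP addresses and the CloudTrail-style records are all constructed, and the record layout (eventSource, eventName, requestParameters.instanceId and osUser) is an assumption that approximates the real trail format rather than a copy of one.

```python
"""Added example (not code from the re:Post answer or from AWS): generate the
least-privilege EC2 Instance Connect policy the answer describes, and run a
small audit over constructed CloudTrail records for SendSSHPublicKey calls.
Region, account id, instance ids, IPs and the sample events are all made up."""
import ipaddress
import json


def build_instance_connect_policy(region, account_id, instance_ids, os_user="ec2-user"):
    """Return an IAM policy document allowing SendSSHPublicKey only for the
    listed instances and only as `os_user` (the ec2:osuser condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": [
                    f"arn:aws:ec2:{region}:{account_id}:instance/{iid}"
                    for iid in instance_ids
                ],
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            }
        ],
    }


# Constructed CloudTrail records, trimmed to the fields used below. The shape
# (eventSource, eventName, requestParameters.instanceId/osUser) approximates
# the CloudTrail record layout; it is an assumption, not copied from a real trail.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-01-15T09:12:03Z",
        "eventSource": "ec2-instance-connect.amazonaws.com",
        "eventName": "SendSSHPublicKey",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0", "osUser": "ec2-user"},
    },
    {
        "eventTime": "2024-01-15T09:40:51Z",
        "eventSource": "ec2-instance-connect.amazonaws.com",
        "eventName": "SendSSHPublicKey",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0", "osUser": "ec2-user"},
    },
    {
        "eventTime": "2024-01-15T10:02:17Z",
        "eventSource": "ec2-instance-connect.amazonaws.com",
        "eventName": "SendSSHPublicKey",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0", "osUser": "root"},
        "errorCode": "AccessDenied",
    },
    {   # unrelated API call; the audit must skip it
        "eventTime": "2024-01-15T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    },
]


def audit_key_pushes(records, trusted_cidrs):
    """Summarise every SendSSHPublicKey call and mark whether it came from a
    trusted network and whether IAM allowed it."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "ec2-instance-connect.amazonaws.com"
                or rec.get("eventName") != "SendSSHPublicKey"):
            continue
        src = ipaddress.ip_address(rec["sourceIPAddress"])
        params = rec.get("requestParameters", {})
        findings.append({
            "time": rec["eventTime"],
            "principal": rec["userIdentity"]["arn"],
            "instance": params.get("instanceId"),
            "os_user": params.get("osUser"),
            "source_ip": str(src),
            "trusted_source": any(src in net for net in trusted),
            "succeeded": "errorCode" not in rec,
        })
    return findings


def suspicious(findings):
    """Pushes worth a second look: from an untrusted network, or denied by IAM
    (e.g. someone requesting an OS user the policy does not permit)."""
    return [f for f in findings if not f["trusted_source"] or not f["succeeded"]]


if __name__ == "__main__":
    policy = build_instance_connect_policy("us-west-2", "123456789012", ["i-0123456789abcdef0"])
    print(json.dumps(policy, indent=2))
    for finding in suspicious(audit_key_pushes(SAMPLE_EVENTS, ["203.0.113.0/24"])):
        print(finding)
```

The policy keeps the single `ec2:osuser` condition from the answer, so a principal cannot push a key as `root` even for an instance they are allowed to reach; the denied attempt shows up in the trail with an `errorCode`, which is exactly the kind of record the audit surfaces alongside pushes from outside the security-group allow-list.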
0

Hello,

You can use AWS Systems Manager Session Manager.

[+] Connect to your Linux instance with AWS Systems Manager Session Manager - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager-to-linux.html

Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs). You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. 

[+] AWS Systems Manager & Session Manager - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

[+] Setting up Session Manager - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html

EXPERT
answered 8 months ago
  • If you want all users to share the same underlying SSM-user then this works. However you can’t allocate different access to different users this way. You can’t use groups for different users for permissions

  • Actually, it's not covering the question. SSM is kind of a solution. Please check my answer. Best!
