AMI scan for Marketplace

0

I am scanning an AMI for AWS Marketplace and need to follow these guidelines: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html. I am supposed to remove all keys (~/.ssh/authorized_keys) for security reasons and use cloud-init to inject public keys, but during scanning I get the error that AWS cannot SSH into the AMI because there is no key. So the dilemma is: if ~/.ssh/authorized_keys is removed, scanning cannot happen because AWS cannot SSH into the server, but if ~/.ssh/authorized_keys is present then it's a security issue and throws an error. I need solutions please!

3 Answers
0

Hi, the scanner doesn't need any ~/.ssh/authorized_keys to be present. In fact, the scanner will call out this as an issue if that file contains any keys.

Just before you create your image (AMI) for AWS Marketplace from your running or stopped EC2 instance, you remove those authorized keys so that the image (AMI) is clean.

AWS
answered 2 years ago
  • I have been able to solve it by using the OS name that is associated with the AMI originally for the value BEFORE scanning. For example, my AMI's OS name is ubuntu, but I was using ec2-user as the OS user before scanning and was presented with that error. Thanks Joseph, you are right.

  • Thanks for the update! Glad it helped.
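The cleanup step this answer describes (strip every authorized_keys just before creating the AMI, and let the keypair chosen at launch be injected by cloud-init) as an added example; this is not code from the thread or from AWS. The ROOT argument is an assumption so the script can be exercised on a scratch directory first; on the real instance it would be run against / as root immediately before creating the image. The demo tree and key lines are constructed.

```shell
#!/bin/sh
# Added example (not from the re:Post thread or AWS): pre-imaging cleanup of
# ~/.ssh/authorized_keys for root and every home directory under ROOT.
# The .ssh directories themselves are kept; cloud-init writes a fresh
# authorized_keys at launch from the keypair the launcher (the scanner,
# later the customer) selects, so the image needs no key of its own.

# Count authorized_keys files under ROOT that still contain at least one key.
# An empty file is not counted, only files with content.
count_authorized_keys() {
    root="${1%/}"
    n=0
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        if [ -s "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Remove every authorized_keys file under ROOT (root's and all home dirs).
clean_authorized_keys() {
    root="${1%/}"
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        if [ -f "$f" ]; then
            rm -f "$f"
        fi
    done
}

# Demo on a constructed scratch tree; no real keys are touched.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/.ssh" "$d/home/ubuntu/.ssh" "$d/home/ec2-user/.ssh"
    # Constructed sample key lines, not real keys.
    echo "ssh-ed25519 AAAAconstructedkey builder@host" > "$d/root/.ssh/authorized_keys"
    echo "ssh-ed25519 AAAAconstructedkey builder@host" > "$d/home/ubuntu/.ssh/authorized_keys"
    : > "$d/home/ec2-user/.ssh/authorized_keys"   # empty file, nothing to flag
    echo "before cleanup: $(count_authorized_keys "$d") file(s) with keys"
    clean_authorized_keys "$d"
    echo "after cleanup:  $(count_authorized_keys "$d") file(s) with keys"
    rm -rf "$d"
}

demo
```

Running `count_authorized_keys /` on the instance is a quick pre-flight check before creating the image: the scanner flags any key it finds, so the expected result just before imaging is 0.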

0

Thanks Joseph, but it still needs the SSH key pair that was provided on login to be able to scan the AMI, or else it returns an error. So another way of phrasing the question is: where do you locate the SSH key pair for scanning purposes, which it clearly needs, without placing it in the ~/.ssh/authorized_keys file?

answered a year ago
  • Hi, the way the scanner works to use keypair is the same way you would introduce your keypair in any generic AMI. When you try to launch a new EC2 instance from a public AMI of Amazon Linux 2 or Ubuntu, those AMIs have no keys in it. It is during the initial launch where you specify a keypair. Then EC2 will take care of adding the public key on-the-fly into the new EC2 instance. The scanner (and ultimately your customers) do the same thing. The expectation is that your AWS Marketplace customers are not using your keypair when they launch your AMI, they specify their own. Thus the AMI doesn't need your keypair when you publish it.

0

Verbatim of the error I am getting: Issue found: Unable to connect using SSH on port 22 with the username [ec2-user] and the keypair provided at launch. Recommendation: Provide the correct username for the AMI. AMIs must support login with the keypair associated with the instance at launch.

Meanwhile the username was provided for the AMI (ec2-user)

answered a year ago
  • Have you confirmed that the SSH port is on the default port 22 and that the OS user is ec2-user? Is this how you log into the instance? If not, those two values can be changed in the scanner.
