Questions tagged with Security Identity & Compliance

End-to-end encryption (to be or not to be)

Hi community, what is your position on end-to-end encryption (regardless of regulations), from a practical security point of view?

Scenario: the classic scenario of a web service being front-ended by an application load balancer. No questions asked, we do encryption in transit for the front-end part. BUT for the communication between the load balancer and the server, the security position of AWS seems to be "encrypt everything", but when I read AWS documentation from a sysops perspective I get the following: "Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. Network traffic between AWS resources can't be listened to by instances that are not part of the connection."

As a security practitioner, I will push for end-to-end encryption, but I would like to understand this other point of view from AWS that, when reading it, might suggest that the encryption between the load balancer and the EC2 is optional. I am in security now, but my background is sysadmin, and when I talk to operations people I don't like to just "impose" security regulations/standards/policies etc. ... I like to explain why it's required from a technical security point of view. When it comes to our on-prem applications, it's easy to explain the risks. But in AWS it's a little bit confusing for me to justify my point when they show me AWS documentation stating that it might be enough to just encrypt the front-end part of the communications.
1 answer, 0 votes, 47 views, asked 2 months ago
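One way to take the "is the backend hop encrypted?" question out of the realm of documentation quotes is to audit the actual listener/target-group pairing. The following is an added example, not code from the thread, from AWS, or from any answer on it: the dicts follow the shape of `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` output (only the fields the check uses are filled in), and the account ID, ARNs, names and ports are constructed sample data. It reports every HTTPS listener that forwards to an HTTP target group, i.e. exactly the "terminate at the ALB, HTTP on the backend" arrangement the quoted documentation calls possibly sufficient, and it also flags HTTPS target groups whose health check still runs over HTTP, since a passing HTTP health check means the instance still answers on a cleartext port.

```python
"""Audit ALB listeners that terminate TLS and then forward to plaintext targets.

Added example; not code from the re:Post thread or from AWS. The input dicts
follow the shape of `aws elbv2 describe-listeners` and
`aws elbv2 describe-target-groups` output (only the fields used here are
filled in). The account ID, ARNs, names and ports are constructed sample data.
"""

HTTP, HTTPS = "HTTP", "HTTPS"
REASON_PLAINTEXT = "TLS terminated at ALB, HTTP to targets"
REASON_HEALTHCHECK = "HTTPS to targets, but health check is plain HTTP (targets still serve cleartext)"
REASON_MISSING = "target group not found"


def forwarded_target_groups(listener):
    """Target-group ARNs a listener's default actions can forward to.

    Covers both the simple form (TargetGroupArn on the action) and weighted
    forwarding (ForwardConfig.TargetGroups). Redirect and fixed-response
    actions forward nothing.
    """
    arns = []
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if action.get("TargetGroupArn"):
            arns.append(action["TargetGroupArn"])
        for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
            if tg["TargetGroupArn"] not in arns:
                arns.append(tg["TargetGroupArn"])
    return arns


def find_plaintext_backends(listeners, target_groups):
    """Return (listener_arn, target_group_arn, reason) for every HTTPS listener
    whose backend hop is not fully encrypted.

    A target group that speaks HTTPS to the instances is still reported when
    its health check uses HTTP: for that check to pass, the instance must
    answer on a cleartext port, so the plaintext listener never went away.
    """
    by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for listener in listeners:
        if listener.get("Protocol") != HTTPS:
            continue  # front-end hop is not TLS; out of scope for this check
        for arn in forwarded_target_groups(listener):
            tg = by_arn.get(arn)
            if tg is None:
                findings.append((listener["ListenerArn"], arn, REASON_MISSING))
            elif tg.get("Protocol") == HTTP:
                findings.append((listener["ListenerArn"], arn, REASON_PLAINTEXT))
            elif tg.get("HealthCheckProtocol") == HTTP:
                findings.append((listener["ListenerArn"], arn, REASON_HEALTHCHECK))
    return findings


# Constructed sample data (fictitious account 111122223333).
ARN = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:"
SAMPLE_LISTENERS = [
    {   # public 443 listener: TLS terminated here, plain HTTP to the web tier
        "ListenerArn": ARN + "listener/app/web/0123456789abcdef/443",
        "Protocol": HTTPS, "Port": 443,
        "DefaultActions": [{"Type": "forward",
                            "TargetGroupArn": ARN + "targetgroup/web-http/1"}],
    },
    {   # 8443 listener with weighted forwarding to two HTTPS target groups
        "ListenerArn": ARN + "listener/app/web/0123456789abcdef/8443",
        "Protocol": HTTPS, "Port": 8443,
        "DefaultActions": [{"Type": "forward", "ForwardConfig": {"TargetGroups": [
            {"TargetGroupArn": ARN + "targetgroup/api-https/1", "Weight": 90},
            {"TargetGroupArn": ARN + "targetgroup/api-canary/1", "Weight": 10}]}}],
    },
    {   # port 80 only redirects to HTTPS; nothing is forwarded
        "ListenerArn": ARN + "listener/app/web/0123456789abcdef/80",
        "Protocol": HTTP, "Port": 80,
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
            "Protocol": HTTPS, "Port": "443", "StatusCode": "HTTP_301"}}],
    },
]
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": ARN + "targetgroup/web-http/1", "Protocol": HTTP,
     "Port": 80, "HealthCheckProtocol": HTTP},
    {"TargetGroupArn": ARN + "targetgroup/api-https/1", "Protocol": HTTPS,
     "Port": 443, "HealthCheckProtocol": HTTPS},
    {"TargetGroupArn": ARN + "targetgroup/api-canary/1", "Protocol": HTTPS,
     "Port": 443, "HealthCheckProtocol": HTTP},
]

if __name__ == "__main__":
    for listener_arn, tg_arn, reason in find_plaintext_backends(
            SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS):
        print(f"{listener_arn.rsplit('/', 1)[-1]:>5} -> {tg_arn.split('/')[-2]:<12} {reason}")
```

On a real account, feed it `boto3.client("elbv2").describe_listeners(LoadBalancerArn=...)["Listeners"]` and `describe_target_groups(LoadBalancerArn=...)["TargetGroups"]`; non-default listener rules come from `describe_rules` and carry the same `Actions` shape, so run `forwarded_target_groups` over those too. Two caveats worth having in the discussion with operations: the quoted documentation sentence is about other instances in the VPC not being able to sniff the wire, and says nothing about a compromised instance that is itself a party to the connection, nor about VPC Traffic Mirroring on the target's ENI, both of which see an HTTP backend hop in the clear; and switching the target group to HTTPS buys confidentiality on that hop but not authentication of the target, because, per the AWS ALB documentation, the load balancer does not validate the certificate the target presents (self-signed and expired certificates are accepted).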

AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys <username> SHA256:<long hex string> failed, status 22

We use Ubuntu 20.04 (`ami-0c8858c090152d291`) as the basis for a production ecommerce stack, and I need to move users around as part of a handover. In order to do this I am trying to ssh in to the instance using the original AMI-configured instance user and AWS-generated key, so I can move the user I normally log in as. This fails with the subject error in `/var/log/auth.log`. I have reconfirmed keys and user many times, obviously.

This appears to be related to [AuthorizedKeysCommand fails on Ubuntu 20.04](https://github.com/widdix/aws-ec2-ssh/issues/157), which blames the package `ec2-instance-connect`. We keep instances up to date, so I suspect this package was installed as part of a post-install security update. The above-linked GitHub thread suggests:

```
# rm /usr/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
# systemctl daemon-reload
```

I have tried the above unsuccessfully. Even after removing `ec2-instance-connect.conf` and issuing either `systemctl daemon-reload` or `kill -s HUP <sshd pid>`, the sshd process is *still* running with the `ec2-instance-connect.conf` settings:

```
sshd: /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect [listener] 0 of 10-100 startups
```

For obvious reasons I am reluctant to tinker more extensively with the sshd configuration on a production server without hearing from the community. It seems rather questionable (to put it mildly) for a "security update package" to hijack the normal sshd auth process, especially with no well-publicized info, only to come to light when I actually have to work on it. The package listing says

> Configures ssh daemon to accept EC2 Instance Connect ssh keys

but what it fails to add is "... and may disable other keys". We surely cannot be the first ones to encounter this problem?
0 answers, 0 votes, 43 views, asked 2 months ago
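The part of the question that is easy to verify is why removing the drop-in and then running `systemctl daemon-reload` or sending SIGHUP left the process unchanged. The drop-in does not touch `sshd_config`; it rewrites the unit's `ExecStart` so that sshd is started with `-o` options on its command line, and two documented OpenSSH rules then apply: `-o` options are processed before `sshd_config` and, for each keyword, the first value obtained wins (sshd_config(5)), and on SIGHUP sshd re-executes itself with the name and options it was started with (sshd(8)). `daemon-reload` only re-reads unit files; it does not restart a running service. The following is an added example, not code from the thread or from the `ec2-instance-connect` package, that models those rules so the three administrative actions can be compared; the argv lists are constructed from the `ps` line quoted in the question, the `sshd_config` text is hypothetical, and `Match` blocks are ignored as a simplification.

```python
"""Which AuthorizedKeysCommand is the running sshd really using?

Added example, not from the re:Post thread or the ec2-instance-connect package.
It models two rules from sshd(8)/sshd_config(5): options passed with `-o` are
processed before sshd_config and, for each keyword, the first value obtained
wins; and on SIGHUP sshd re-executes itself with the same name and options it
was started with. Match blocks are ignored (simplification). The argv values
are constructed from the ps line quoted in the question; the sshd_config text
is hypothetical.
"""

# Constructed from the ps output in the question: the argv that the
# ec2-instance-connect systemd drop-in's ExecStart gives sshd.
RUNNING_ARGV = [
    "/usr/sbin/sshd", "-D",
    "-o", "AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f",
    "-o", "AuthorizedKeysCommandUser ec2-instance-connect",
]
# What the unit's ExecStart amounts to once the drop-in is gone
# (hypothetical; check `systemctl cat ssh` on the host).
STOCK_ARGV = ["/usr/sbin/sshd", "-D"]

# Hypothetical /etc/ssh/sshd_config on the instance.
SSHD_CONFIG = """\
# constructed sample sshd_config
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand none
"""


def parse_cli_options(argv):
    """Return (keyword, value) pairs from every `-o "Keyword value"` on argv, in order."""
    opts = []
    for i, arg in enumerate(argv[:-1]):
        if arg == "-o":
            parts = argv[i + 1].split(None, 1)
            opts.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return opts


def parse_config(text):
    """Return (keyword, value) pairs from sshd_config text, top to bottom, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def effective_option(argv, config_text, keyword):
    """Resolve `keyword` the way sshd does: command-line -o first, then
    sshd_config, first value obtained wins. Returns (value, source) or (None, None)."""
    keyword = keyword.lower()
    for source, pairs in (("cmdline", parse_cli_options(argv)),
                          ("sshd_config", parse_config(config_text))):
        for key, value in pairs:
            if key == keyword:
                return value, source
    return None, None


def argv_after(event, running_argv, unit_argv):
    """Model the sshd process's argv after an administrative action.

    daemon-reload: systemd re-reads unit files and drop-ins but does not restart
                   the service, so the running process keeps its argv.
    sighup:        sshd re-executes itself with the name and options it was
                   started with, so the -o options survive and sshd_config is
                   re-read underneath them.
    restart:       a new process is started from the unit's current ExecStart.
    """
    if event in ("daemon-reload", "sighup"):
        return list(running_argv)
    if event == "restart":
        return list(unit_argv)
    raise ValueError(f"unknown event {event!r}")


if __name__ == "__main__":
    for event in ("daemon-reload", "sighup", "restart"):
        argv = argv_after(event, RUNNING_ARGV, STOCK_ARGV)
        value, source = effective_option(argv, SSHD_CONFIG, "AuthorizedKeysCommand")
        print(f"after {event:13s}: AuthorizedKeysCommand={value!r} (from {source})")
```

To check the same thing on the host rather than in a model: `systemctl cat ssh` shows the unit together with every drop-in still in effect, `systemctl show -p ExecStart --value ssh` shows the ExecStart systemd currently has loaded, and `tr '\0' ' ' </proc/$(systemctl show -p MainPID --value ssh)/cmdline` shows the argv of the process that is actually listening. Only `systemctl restart ssh` starts a process from a changed ExecStart; run `sshd -t` first and keep an existing session open while doing it on a production box. Separately, sshd_config(5) states that if AuthorizedKeysCommand does not successfully authorize the user, authorization falls through to AuthorizedKeysFile, so the `status 22` line on its own is not what rejects a key that is present in the user's `authorized_keys` file; the next thing to check in `auth.log` is what sshd logs about the file lookup after that line.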