I am looking at EC2 Instance Connect and it seems it just allows you to impersonate any user that exists on the host by default.
I am testing it with an IAM role that has all privileges.
mssh my_user@1.2.3.4 --region eu-west-2 --profile myprofile -t $INSTANCE_ID
logs me on as myself, fine.
mssh some_other_user@1.2.3.4 --region eu-west-2 --profile myprofile -t $INSTANCE_ID
logs me on as some other user that already exists on this server.
Looks like this behaviour is by design. And anyone with the required IAM permissions for ec2-instance-connect can impersonate any user on the host.
The document below mentions how you can scope user permissions so your IAM policy only allows you to 'push public key' as a specific user by leveraging the 'ec2:osuser' value, although it is not clear whether it means this is how you stop users impersonating someone else:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html
I only need the "Allow: ec2-instance-connect:SendSSHPublicKey" IAM permission to allow an AWS principal to use ec2-instance-connect.
The restriction for IAM that is mentioned in the document refers to 'The ec2:osuser condition. This specifies the name of the OS user that can push the public key to an instance'.
I.e., if I don't set this condition, I can just create any ephemeral public key for any user just by merit of having "Allow: ec2-instance-connect:SendSSHPublicKey" IAM permission in my principal's policy.
So I can imagine this scenario:
1. IAM for a user has a single entry "Allow: ec2-instance-connect:SendSSHPublicKey" added
2. User can impersonate anyone on the server
3. Now, to limit the user, you need to explicitly add the 'ec2:osuser' condition.
This looks very counterintuitive to me.
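
An added example, not part of the original post: a small audit that lists the Allow statements in an IAM policy document that grant `ec2-instance-connect:SendSSHPublicKey` and reports whether each one is pinned to an OS user with the `ec2:osuser` condition discussed above. The sample policy, its Sids and the function names are constructed for illustration; Deny and NotAction statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

ACTION = "ec2-instance-connect:sendsshpublickey"
# Positive string operators that can pin ec2:osuser to specific names.
PINNING_OPS = {"stringequals", "stringlike",
               "stringequalsifexists", "stringlikeifexists"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_os_users(statement):
    """Return the ec2:osuser values a statement pins, or None if it pins none."""
    users = []
    for op, keys in statement.get("Condition", {}).items():
        if op.lower() not in PINNING_OPS:
            continue
        for key, value in keys.items():
            if key.lower() == "ec2:osuser":  # condition key names are case-insensitive
                users += _as_list(value)
    # Conservative: a bare "*" value is reported as "not pinned".
    return None if not users or "*" in users else users

def audit(policy):
    """One finding per Allow statement whose Action matches SendSSHPublicKey."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(st["Action"])]
        if not any(fnmatchcase(ACTION, p) for p in patterns):
            continue
        users = allowed_os_users(st)
        findings.append({"statement": st.get("Sid", i),
                         "os_users": users, "any_os_user": users is None})
    return findings

# Constructed sample policy: one unscoped grant, one scoped grant, one unrelated.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Unscoped", "Effect": "Allow",
   "Action": "ec2-instance-connect:SendSSHPublicKey", "Resource": "*"},
  {"Sid": "Scoped", "Effect": "Allow",
   "Action": ["ec2-instance-connect:*"], "Resource": "*",
   "Condition": {"StringEquals": {"ec2:osuser": "my_user"}}},
  {"Sid": "Unrelated", "Effect": "Allow",
   "Action": "ec2:DescribeInstances", "Resource": "*"}
]}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```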