As organizations increasingly adopt Amazon Web Services (AWS) for their infrastructure, a common challenge emerges: how to effectively manage access control across numerous instances. Relying on a single SSH private key for multiple users not only breaches compliance standards like PCI-DSS and the HIPAA Security Rule, but also becomes chaotic as the team expands. For instance, when a team member departs, an administrator must painstakingly track and revoke access to all instances they were associated with—an inefficient process.
Userify, a recognized Advanced Technology Partner in the AWS Partner Network (APN), addresses this problem. It is available as a fully managed service, Userify Cloud, or as a self-hosted option that runs in a single- or multi-Availability Zone (AZ) cluster inside your Amazon Virtual Private Cloud (VPC). Userify Cloud requires no installation and can be used across multiple VPCs and AWS accounts.
Robust Architecture
Userify is engineered for resilience, ensuring consistent behavior even during network disruptions or service outages. Each instance maintains a polling connection to the Userify service over HTTPS and routinely updates its local user accounts, public keys, permissions, and sudo roles. These changes are applied with the same standard tools an administrator would run at the console. For example, /usr/sbin/useradd is executed locally, which keeps the process compatible with custom PAM and directory configurations and avoids extensive modifications to the operating system.
Userify employs standard HTTPS connections initiated by the instances back to the Userify service, whether it’s a self-hosted or SaaS model. This outbound “pull” approach offers numerous advantages, such as:
- No need for firewall adjustments on each managed instance.
- Auto Scaling Groups can use a single launch configuration; new instances need no extra setup as they are created.
- There’s no requirement to expose a centralized authentication repository (like Active Directory) to the servers.
- Users are instantly configured and available upon server startup, eliminating delays in accessing the service.
- Low latency; user authentication occurs directly on the instance without third-party intervention.
- High reliability; even if the Userify service is temporarily unreachable, instances continue to authenticate previously valid users autonomously, ensuring seamless operation. The only limitation during downtime is the cessation of updates, which will automatically resume once Userify is restored.
- User accounts are continuously updated, and outdated accounts are swiftly removed. If a user is taken off an instance, any active SSH sessions are terminated, roles are revoked, and their home directories are archived for future reference.
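To make the pull model above concrete, here is an added illustration (not Userify's own shim code) of one polling cycle: a host diffs the user state it pulled against its local state, plans local actions (useradd, authorized_keys write, sudo change, session kill, home archive, userdel), and, if the service is unreachable, changes nothing so existing users keep working. The desired and local states and the failing fetch are constructed sample data.

```python
from typing import Callable, Dict, List, Optional, Tuple

Action = Tuple[str, ...]
State = Dict[str, dict]
# Constructed sample of the state a host pulls from the service on each poll:
# one entry per managed user with their public key and sudo role.
DESIRED_STATE: State = {
    "alice": {"ssh_key": "ssh-ed25519 AAAA...alice-new", "sudo": True},
    "bob":   {"ssh_key": "ssh-ed25519 AAAA...bob",       "sudo": False},
}
# Constructed sample of the managed users currently present on the instance.
LOCAL_STATE: State = {
    "alice": {"ssh_key": "ssh-ed25519 AAAA...alice-old", "sudo": False},
    "carol": {"ssh_key": "ssh-ed25519 AAAA...carol",     "sudo": True},
}

def plan(desired: State, local: State) -> List[Action]:
    """Diff the pulled state against the local one and return the actions to
    apply. Each maps to a standard local tool (useradd -m, an authorized_keys
    write, a sudoers drop-in, pkill -u, tar, userdel): no inbound access needed."""
    actions: List[Action] = []
    for user in sorted(desired):
        want, have = desired[user], local.get(user)
        if have is None:
            actions.append(("useradd", user))
        if have is None or have["ssh_key"] != want["ssh_key"]:
            actions.append(("set_key", user, want["ssh_key"]))
        if want["sudo"] and not (have and have["sudo"]):
            actions.append(("grant_sudo", user))
        if not want["sudo"] and have and have["sudo"]:
            actions.append(("revoke_sudo", user))
    for user in sorted(set(local) - set(desired)):
        # Off-boarding: end live SSH sessions, archive the home dir, then remove.
        actions += [("kill_sessions", user), ("archive_home", user),
                    ("userdel", user)]
    return actions

def poll(fetch: Callable[[], State], local: State,
         cached: Optional[State]) -> Tuple[List[Action], Optional[State]]:
    """One polling cycle. If the service is unreachable, keep the cached state
    and change nothing: provisioned users keep logging in, updates resume later."""
    try:
        desired = fetch()
    except OSError:
        return [], cached
    return plan(desired, local), desired

def unreachable_service() -> State:
    """Constructed stand-in for a fetch that fails during a service outage."""
    raise OSError("service unreachable")
```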
Getting Started with Userify
Testing the Userify integration in your architecture is a straightforward process with the Userify Cloud edition:
- Register for Userify Cloud and create a company, project, and server group using the green “+” buttons on the dashboard.
- Import your public key from GitHub or GitLab, or generate an SSH public key (find instructions on your profile page) and paste it into the designated text box.
- Adjust your permissions by selecting “None” in the server group and switching to “Root.”
- Lastly, make a note of the server group’s API Id and key (click the server group header to access the menu), which you’ll need for the AWS CloudFormation template.
Deploying Amazon EC2 Instances with CloudFormation and the Userify Shim
The Userify shim is a compact Python script that gets deployed onto your Amazon EC2 instance. It automatically recognizes your Linux distribution as well as whether you’re using Userify’s SaaS (Userify Cloud) or a self-hosted installation in your VPC, such as Userify Enterprise or Userify Express, and manages the connections to that service.
The shim can be installed on an Amazon EC2 instance and configured through CloudFormation. Below is an example CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This simple CloudFormation template will deploy a single instance running Amazon
  Linux in US-East-1 with the Userify shim connected to Userify Cloud, and can serve as a
  starting point for additional CloudFormation exploration. You can customize this template to
  load additional instance types and regions (using CloudFormation maps), point it at a local/
  self-hosted Userify instance or cluster, or add additional software to the instances and use
  this as the starting point for an AutoScaling Group Launch Configuration.
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: {Ref: EC2Instance}
  PublicIP:
    Description: Public IP address
    Value:
      Fn::GetAtt: [EC2Instance, PublicIp]
Parameters:
  UserifyApiId:
    Description: >-
      Userify API ID for this server group. Create an account (remember to paste your
      SSH public key) at the Userify Dashboard (free) https://dashboard.userify.com,
      and paste the API ID for any server group that you have granted yourself
      root access to. Free technical or architectural assistance; email support at userify.
    Type: String
  UserifyApiKey:
    Description: >-
      Userify API Key for this server group. Sign into the Userify Dashboard
      (free), and paste the API KEY for any server group.
    Type: String
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: t2.nano
      SecurityGroups:
        - {Ref: EC2InstanceSecurityGroup}
      UserData:
        Fn::Base64:
          !Sub |
            #cloud-config
            cloud_final_modules:
              - runcmd
              - scripts-user
            runcmd:
              # The variables set before sudo are passed through to the installer by sudo -E.
              - curl -1 -sS "https://static.userify.com/installer.sh" | static_host="static.userify.com" shim_host="configure.userify.com" self_signed=0 api_id="${UserifyApiId}" api_key="${UserifyApiKey}" sudo -s -E
  EC2InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - CidrIp: '0.0.0.0/0'
          FromPort: '22'
          IpProtocol: tcp
          ToPort: '22'
You can launch this template, which creates a single Amazon EC2 t2.nano instance in the US East-1 region, in your AWS account. Upon launching, you will be prompted for the Userify API Id and key that you noted above when you created your free account. Paste those two strings, click Next, then click Next again, and finally Create.
Within moments, you’ll be able to log into a fresh Amazon instance.