Using Amazon EC2 Instance Connect for Secure SSH Access to EC2 Instances with Private IP Addresses

This article shows how to use Amazon EC2 Instance Connect to provide secure SSH access to EC2 instances that have only private IP addresses inside an Amazon Virtual Private Cloud (VPC). EC2 Instance Connect authenticates each SSH session with a one-time SSH key, so there are no long-term SSH keys to distribute, rotate or revoke. This architecture is especially useful for organizations that:

  • Require SSH access to EC2 instances situated in a private subnet.
  • Aim to discontinue the use of long-term SSH keys.
  • Seek to restrict the source networks from which SSH sessions can be initiated.

EC2 Instance Connect must reach the service's public API endpoint for its control plane call, but, as shown below, the SSH traffic itself from your client to the EC2 instance can stay entirely within your private network. EC2 Instance Connect also provides fine-grained access control through IAM, so access can follow the principle of least privilege, and it removes the operational burden of securely managing long-lived public and private key pairs.

How EC2 Instance Connect Functions

EC2 Instance Connect removes the need to maintain long-term SSH keys. Instead it uses AWS Identity and Access Management (IAM) together with one-time SSH keys to control SSH access to EC2 instances. An IAM policy attached to an IAM principal determines whether that principal may use EC2 Instance Connect, and for which instances and OS users. When an authorized principal connects with EC2 Instance Connect, a fresh key pair is generated (by the browser client or the EC2 Instance Connect CLI, or by you when using your own SSH client) and the one-time SSH public key is sent to the EC2 Instance Connect API through the SendSSHPublicKey action. The service pushes that public key to the instance metadata service (IMDS) of the target instance, where it remains available for 60 seconds; the SSH client must complete the connection with the matching private key within that window.

A standard sshd consults public keys stored on disk in authorized_keys. With EC2 Instance Connect installed, sshd is configured (through an AuthorizedKeysCommand) to retrieve the public key for the requested OS user from the instance metadata service, and authentication succeeds if the offered key matches. If no key is available in the metadata service, sshd still falls back to any authorized keys configured on disk, and such keys continue to bypass the IAM controls entirely. Remove locally stored authorized keys once EC2 Instance Connect has been set up on the instance.
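The following is an added example, not code from this article or from AWS: a small in-memory model of the key flow just described. It imitates what SendSSHPublicKey does after the IAM check passes (deposit a public key in the metadata service with a 60-second lifetime) and what sshd's AuthorizedKeysCommand sees when it looks up keys for an OS user, including the fallback to keys still present on disk. The metadata store, the clock and the key strings are all constructed stand-ins; nothing here talks to a real instance.

```python
"""Toy model of the EC2 Instance Connect key flow (added example, not code
from the article or from AWS). It imitates SendSSHPublicKey depositing a
one-time public key in the instance metadata service and the lookup that
sshd's AuthorizedKeysCommand performs on the instance, including the
60-second lifetime and the fallback to keys still present on disk."""
from dataclasses import dataclass, field
from typing import Callable

KEY_TTL_SECONDS = 60  # lifetime of a pushed key in the metadata service

# Constructed sample keys (not real credentials).
MARTHA_ONE_TIME_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY000000000000000000001 martha@corp"
OLD_ON_DISK_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY000000000000000000002 old-admin@corp"


@dataclass
class FakeInstanceMetadata:
    """Stand-in for the managed-ssh-keys view that IMDS exposes to sshd."""
    clock: Callable[[], float]
    _keys: dict = field(default_factory=dict)  # os_user -> [(pubkey, expires_at)]

    def send_ssh_public_key(self, os_user: str, pubkey: str) -> None:
        """What the service does after the IAM check on SendSSHPublicKey passes."""
        expires = self.clock() + KEY_TTL_SECONDS
        self._keys.setdefault(os_user, []).append((pubkey, expires))

    def active_keys(self, os_user: str) -> list:
        """Keys that are still within their 60-second window."""
        now = self.clock()
        live = [(k, exp) for k, exp in self._keys.get(os_user, []) if now < exp]
        self._keys[os_user] = live
        return [k for k, _ in live]


def authorized_keys(os_user: str, imds: FakeInstanceMetadata, on_disk: dict) -> list:
    """Keys sshd will accept for os_user: metadata keys first, then whatever
    is still in ~os_user/.ssh/authorized_keys (modelled as the on_disk dict)."""
    return imds.active_keys(os_user) + list(on_disk.get(os_user, []))


def sshd_accepts(os_user: str, offered_pubkey: str, imds: FakeInstanceMetadata, on_disk: dict) -> bool:
    """Public-key authentication succeeds only if the offered key matches."""
    return offered_pubkey in authorized_keys(os_user, imds, on_disk)


def run_scenario() -> dict:
    """Walk through the flow with a controllable clock and report outcomes."""
    now = [1_000_000.0]
    imds = FakeInstanceMetadata(clock=lambda: now[0])
    on_disk = {"ec2-user": [OLD_ON_DISK_KEY]}  # a key the admin forgot to remove
    result = {}

    imds.send_ssh_public_key("ec2-user", MARTHA_ONE_TIME_KEY)
    result["within_window"] = sshd_accepts("ec2-user", MARTHA_ONE_TIME_KEY, imds, on_disk)
    result["wrong_os_user"] = sshd_accepts("root", MARTHA_ONE_TIME_KEY, imds, on_disk)

    now[0] += KEY_TTL_SECONDS + 1  # the 60-second window has passed
    result["after_window"] = sshd_accepts("ec2-user", MARTHA_ONE_TIME_KEY, imds, on_disk)

    # The leftover on-disk key bypasses IAM entirely, which is why the text
    # recommends removing local authorized keys after enabling Instance Connect.
    result["stale_disk_key"] = sshd_accepts("ec2-user", OLD_ON_DISK_KEY, imds, on_disk)
    result["stale_disk_key_removed"] = sshd_accepts("ec2-user", OLD_ON_DISK_KEY, imds, {})
    return result


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The last two checks are the point of the paragraph's closing advice: as long as a key remains in authorized_keys on disk, whoever holds its private half can log in without ever passing the IAM check on SendSSHPublicKey.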

EC2 Instance Connect allows connections to EC2 instances via three different methods:

  1. A browser-based client accessible through the AWS Management Console.
  2. Your own SSH client and key.
  3. The EC2 Instance Connect command line interface (CLI).

The browser-based client only works for EC2 instances that have a public IPv4 address, because the SSH connection originates from the EC2 Instance Connect service rather than from your network. Access to such instances can be restricted not only through IAM policies with source-IP conditions, but also through security groups that allow port 22 only from the IP ranges the EC2 Instance Connect service uses in a given region; these ranges are published under the EC2_INSTANCE_CONNECT service in the ip-ranges.json file. EC2 instances without public IP addresses can still be reached on their private IPv4 addresses using either your own SSH client or the EC2 Instance Connect CLI, and that is the focus of this article.
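As an added example (not code from the article), here is how a practitioner would turn the ip-ranges.json lookup mentioned above into a security group rule and a check for flow-log sources. The file's URL is the published one, https://ip-ranges.amazonaws.com/ip-ranges.json; the SAMPLE_IP_RANGES excerpt below is constructed in the real file's shape so the example runs offline, and the prefixes in it must not be relied on without fetching the live file.

```python
"""Added example (not code from the article): restrict SSH ingress to the
EC2 Instance Connect service ranges for one region, using the
EC2_INSTANCE_CONNECT entries of AWS's published ip-ranges.json."""
import ipaddress
import json
from urllib.request import urlopen

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed excerpt in the real file's shape; fetch the live file before
# relying on any prefix.
SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "18.206.107.24/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
    {"ip_prefix": "3.16.146.0/29",    "region": "us-east-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-2"},
    {"ip_prefix": "18.206.0.0/16",    "region": "us-east-1", "service": "AMAZON",               "network_border_group": "us-east-1"}
  ]
}
""")


def eic_prefixes(ip_ranges: dict, region: str) -> list:
    """IPv4 prefixes the Instance Connect browser client connects from in region."""
    return sorted(
        p["ip_prefix"]
        for p in ip_ranges["prefixes"]
        if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region
    )


def ssh_ingress_permission(ip_ranges: dict, region: str) -> dict:
    """IpPermissions entry for `aws ec2 authorize-security-group-ingress --ip-permissions`."""
    return {
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "IpRanges": [
            {"CidrIp": cidr, "Description": f"EC2 Instance Connect {region}"}
            for cidr in eic_prefixes(ip_ranges, region)
        ],
    }


def is_eic_source(ip: str, ip_ranges: dict, region: str) -> bool:
    """True if a connection source (e.g. from VPC flow logs) is the service itself."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in eic_prefixes(ip_ranges, region))


def fetch_live_ip_ranges() -> dict:
    """Network call; use this instead of SAMPLE_IP_RANGES outside the offline demo."""
    with urlopen(IP_RANGES_URL) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(ssh_ingress_permission(SAMPLE_IP_RANGES, "us-east-1"), indent=2))
```

Because the service ranges change over time, re-run the lookup against the live file whenever the security group is reviewed rather than hard-coding the prefixes.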

For installation instructions for EC2 Instance Connect, see the EC2 Instance Connect launch blog post.

Example Corp. Network Topology and IAM Policy

Consider a scenario where your cloud infrastructure acts as an extension of your on-premises data center. You need to facilitate authorized user access to EC2 instances at scale without managing SSH keys.

Imagine you have designed a standard network topology for using EC2 Instance Connect, as illustrated in the accompanying diagram. Your on-premises corporate data center connects to the AWS Cloud via AWS Direct Connect, a dedicated network connection between your on-premises network and AWS, provided in this case through a Direct Connect partner.

To manage users across the multiple AWS accounts in your organization, all users authenticate to AWS through AWS Single Sign-On (SSO) and then assume IAM roles in the target accounts.

A private virtual interface (private VIF) on the Direct Connect connection attaches to an Amazon VPC that hosts two EC2 instances. This VPC has no internet gateway and no route to the internet, so it is a private VPC reachable only from your on-premises network over Direct Connect. Each EC2 instance has only a private IP address and is protected by a security group that allows inbound TCP port 22 (the default SSH port) only from the on-premises network range.

To reach public AWS service endpoints over Direct Connect, a public VIF is also established, and all traffic from your corporate network to AWS public endpoints is routed through it. The router at the Direct Connect location performs network address translation (NAT), so this traffic leaves your network with the source IP address 198.51.100.4 (an example public IP). That translated address is what AWS sees as the source of the control plane call.

Martha Rivera, a system administrator, needs access to the EC2 instance with instance ID i-00123EXAMPLE as the default Amazon Linux 2 user ec2-user, and must not be able to access any other EC2 instance.

Before EC2 Instance Connect can be used, an IAM role is created for Martha to assume after she logs in through AWS SSO. The role's policy permits access only to the EC2 instance with instance ID i-00123EXAMPLE, enforced by naming that instance's ARN in the Resource element of the policy.

The security policy further requires that the role may send the public SSH key to EC2 Instance Connect only from within the corporate network over Direct Connect. This is enforced with the aws:SourceIp condition key in the IAM policy attached to the role Martha can assume.

The IAM policy attached to the role Martha can assume, shown below, restricts access to instance ID i-00123EXAMPLE. The control plane call to the SendSSHPublicKey API must arrive over Direct Connect, where NAT translates the source IP to 198.51.100.4 (the policy allows the 198.51.100.0/24 block that contains it), and the OS user name must be ec2-user. This restrictive policy illustrates the granularity of access control achievable with EC2 Instance Connect.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2-instance-connect:SendSSHPublicKey"
            ],
            "Resource": [
                "arn:aws:ec2:$REGION:$ACCOUNTID:instance/i-00123EXAMPLE"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "198.51.100.0/24"
                    ]
                },
                "StringEquals": {
                    "ec2:osuser": "ec2-user"
                }
            }
        }
    ]
}
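To make concrete which request attribute each part of this policy gates, here is an added example (not code from the article, and not IAM's own evaluator): a deliberately small evaluator for one Allow statement. It models only Effect: Allow, the IpAddress and StringEquals operators and single-value condition keys; explicit denies, policy variables and the other operators are out of scope. The statement it loads is the one above with the ec2:osuser condition the text describes; the account ID 111122223333 and region us-east-1 are constructed placeholders for $ACCOUNTID and $REGION.

```python
"""Added example (not code from the article or AWS): a minimal evaluator for
the Allow statement that grants Martha SendSSHPublicKey. It models only
Effect: Allow, the IpAddress and StringEquals operators, and single-value
condition keys, and is not a substitute for IAM's own evaluation logic."""
import ipaddress
import json
import re

ACCOUNT_ID = "111122223333"  # constructed placeholder for $ACCOUNTID
REGION = "us-east-1"         # constructed placeholder for $REGION

POLICY_TEXT = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2-instance-connect:SendSSHPublicKey"],
    "Resource": ["arn:aws:ec2:$REGION:$ACCOUNTID:instance/i-00123EXAMPLE"],
    "Condition": {
      "IpAddress":    {"aws:SourceIp": ["198.51.100.0/24"]},
      "StringEquals": {"ec2:osuser": "ec2-user"}
    }
  }]
}
"""
POLICY = json.loads(POLICY_TEXT.replace("$REGION", REGION).replace("$ACCOUNTID", ACCOUNT_ID))


def _glob(pattern: str, value: str) -> bool:
    """IAM-style matching for Action/Resource: '*' matches any run, '?' one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator: str, key: str, allowed, request: dict) -> bool:
    """A missing condition key fails both IpAddress and StringEquals."""
    if key not in request:
        return False
    actual = request[key]
    if operator == "StringEquals":
        return actual in _as_list(allowed)
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(allowed))
    raise NotImplementedError(operator)


def is_allowed(policy: dict, request: dict) -> bool:
    """request carries 'action', 'resource' and any condition keys the call presents."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob(a, request["action"]) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, request["resource"]) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, allowed, request)
               for op, keys in conditions.items() for key, allowed in keys.items()):
            return True
    return False


def martha_request(**overrides) -> dict:
    """The call Martha's client makes over Direct Connect (NAT to 198.51.100.4)."""
    req = {
        "action": "ec2-instance-connect:SendSSHPublicKey",
        "resource": f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/i-00123EXAMPLE",
        "aws:SourceIp": "198.51.100.4",
        "ec2:osuser": "ec2-user",
    }
    req.update(overrides)
    return req


if __name__ == "__main__":
    print("over Direct Connect as ec2-user:", is_allowed(POLICY, martha_request()))
    print("from the internet:", is_allowed(POLICY, martha_request(**{"aws:SourceIp": "203.0.113.9"})))
    print("as root:", is_allowed(POLICY, martha_request(**{"ec2:osuser": "root"})))
```

Changing any one attribute of Martha's request (source IP, OS user, instance ARN or action) flips the decision to deny, which is the least-privilege property the policy is meant to give.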
