Learn About Amazon VGT2 Learning Manager Chanci Turner
At Amazon, the security of our systems is paramount, and we strongly encourage our users to integrate security measures at every level of their applications. In this post, I will guide you through how to enhance the security of your EC2 instances by enforcing multi-factor authentication (MFA) for administrators accessing them via SSH.
When you launch an EC2 instance, you’re prompted to create or select a key pair for SSH access. The private key is downloaded to your local device, and if that device is compromised, anyone who obtains the key (plus the username and the instance address) can log in to your instances. To reduce this risk, add a second factor. A long-standing best practice for AWS console access is to enable MFA not just on the root account but on every IAM user; the same principle applies to EC2 instances. MFA requires users to present two independent factors, typically something they know (a password) and something they have (a one-time password from a TOTP app or a hardware token). In the setup below the first factor is the SSH key pair rather than a password, and the second is a TOTP code.
Often, users directly SSH into instances using their public IP addresses, complicating the enforcement of security protocols. A recommended solution is to establish a bastion host or jump box that sits in front of your instances, allowing you to access them indirectly. By restricting access to your instances solely through the bastion host, you can prevent users from bypassing your security policies. This can be achieved by configuring an SSH inbound rule in your instance’s security group to allow connections only from the bastion host’s IP or security group. Once this is set up, you can focus on enhancing the security of your bastion host, where you can also enable MFA. This approach eliminates the need to enable MFA for each individual instance; instead, MFA can be implemented solely on the bastion host, with the option to prompt for a one-time password (OTP) when SSH-ing into other instances from there.
Common Architecture Anti-Pattern
Recommended Architecture
In the architecture outlined above, only instances in security group sg-bdabdb2d (the bastion host) can reach instances in sg-hb3abcdc (the other instances) on TCP port 22. The bastion’s own security group should in turn allow port 22 only from the IP ranges your administrators actually use, never from 0.0.0.0/0. Users SSH into the bastion host via its public IP and then on to the other instances; use SSH agent forwarding or ssh -J (ProxyJump) for the second hop rather than copying private keys onto the bastion.
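The two security-group rules that make up the recommended architecture, as an added example that is not part of the original post: the bastion group admits port 22 only from an operator CIDR, and the application group admits port 22 only from members of the bastion group. The security-group IDs, the CIDR 203.0.113.0/24 and the AWS variable are placeholders; with AWS left at its default of echo the script only prints the AWS CLI commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: express the recommended
# architecture as security-group rules with the AWS CLI. The security-group
# IDs and the operator CIDR below are placeholders. AWS defaults to "echo"
# so the script is a dry run; export AWS=aws to apply the rules for real.
set -eu

AWS="${AWS:-echo}"

# Refuse an "operator" range that is really the whole internet; a bastion
# open to 0.0.0.0/0 is the anti-pattern this layout is meant to remove.
check_cidr() {
  case "$1" in
    0.0.0.0/0|::/0) return 1 ;;
    *) return 0 ;;
  esac
}

# Bastion group: TCP/22 only from a CIDR you control.
allow_ssh_from_cidr() {
  group_id="$1"; cidr="$2"
  check_cidr "$cidr" || { echo "refusing to open $group_id to $cidr" >&2; return 1; }
  "$AWS" ec2 authorize-security-group-ingress \
    --group-id "$group_id" --protocol tcp --port 22 --cidr "$cidr"
}

# Application group: TCP/22 only from members of the bastion group, so the
# rule keeps working when the bastion is replaced and changes IP address.
allow_ssh_from_group() {
  group_id="$1"; source_group="$2"
  "$AWS" ec2 authorize-security-group-ingress \
    --group-id "$group_id" --protocol tcp --port 22 --source-group "$source_group"
}

# Placeholder IDs taken from the diagram and a documentation-only CIDR.
BASTION_SG="${BASTION_SG:-sg-bdabdb2d}"
APP_SG="${APP_SG:-sg-hb3abcdc}"
OPERATOR_CIDR="${OPERATOR_CIDR:-203.0.113.0/24}"

allow_ssh_from_cidr "$BASTION_SG" "$OPERATOR_CIDR"
allow_ssh_from_group "$APP_SG" "$BASTION_SG"
```

Referencing the bastion’s security group with --source-group rather than its public IP is what keeps the rule valid when the bastion is rebuilt, and the check_cidr guard refuses the one input that would silently recreate the anti-pattern.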
Enabling MFA on an EC2 Instance – Amazon Linux
In the following example, we enable MFA on a Linux instance using Google’s PAM module (google-authenticator-libpam). First, install the Google Authenticator app on your phone; it will generate the OTPs.
- Installing Google Authenticator on EC2 Instance
SSH into your EC2 instance as usual and install the PAM module with sudo (on Amazon Linux the package comes from the EPEL repository; enable that repository first if yum cannot find it):
sudo yum install google-authenticator -y
After installation, run the initialization command as the user who will be logging in (e.g., ec2-user) and without sudo: it writes the secret to that user’s ~/.google_authenticator file, and a secret created under sudo would land in root’s home instead and never be consulted for ec2-user.
- Configuring Google Authenticator
Run the command:
google-authenticator
You will be asked if you want time-based tokens. For this example, we will select yes.
Do you want authentication tokens to be time-based (y/n): y
This prints a URL to a QR code (and the QR code itself in the terminal) to scan with the Google Authenticator app, together with the secret key for manual entry, a verification code and a set of emergency scratch codes. Store the scratch codes securely in case you lose the registered device; each can be used only once. You will then be asked whether to update the ~/.google_authenticator file for the user; confirm with ‘y’. That file holds the secret, so it must be readable only by the user it belongs to.
You should also accept the option to disallow multiple uses of the same authentication token. A TOTP code is valid for a 30-second window; refusing a second login with the same code stops a code that was observed (over the shoulder, in a compromised terminal) from being replayed within that window, at the cost of at most one login per 30 seconds per user.
Do you want to disallow multiple uses of the same authentication token? (y/n): y
- Configure SSH to Use Google PAM
To modify the PAM configuration, run:
sudo vi /etc/pam.d/sshd
Add the following lines to the end of the file:
auth required pam_google_authenticator.so
auth required pam_permit.so
The pam_permit.so line always succeeds; it is harmless only because the line before it is “required”, so a missing or wrong code still fails the stack. If certain users should not require MFA, append “nullok” to the pam_google_authenticator.so line; be aware that nullok skips the OTP for every account that has no ~/.google_authenticator file, so any user who never enrolled becomes a bypass. Then comment out the password requirement (the “auth substack password-auth” line on Amazon Linux) so that the two factors are the key pair and the verification code rather than a password.
Next, modify the SSH daemon configuration so that it asks for the second factor:
sudo vi /etc/ssh/sshd_config
Set ChallengeResponseAuthentication to yes (OpenSSH 8.7 and later call this KbdInteractiveAuthentication; the old name is still accepted as an alias), make sure UsePAM is yes and PasswordAuthentication is no (both are the defaults on Amazon Linux), and add:
AuthenticationMethods publickey,keyboard-interactive
The comma means both methods are required, in that order: the key pair is verified first, and only then does PAM prompt for the verification code.
Finally, check the configuration with sudo sshd -t and restart SSH to apply the changes:
sudo /etc/init.d/sshd restart
On Amazon Linux 2 and other systemd-based images use sudo systemctl restart sshd instead. Keep the session you are working in open and test the new login from a second terminal; if it fails, you can still repair the configuration from the first one instead of locking yourself out.