EC2 Key Sharing - Issues and Remedies

Girish V P
Published in Tensult Blogs
4 min read, Jul 23, 2018

This Blog has moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.

A house owner goes on vacation and hands the bunch of keys to a neighbour he trusts. The neighbour in turn hands it to the maid. When the owner comes back he cannot tell who opened the door. This is the situation with the AWS EC2 .pem key generated when an instance is launched. Is that key secure? Not unless you are the only person who ever uses it. Worse, the private key has no passphrase on it: whoever holds the file logs in.

Sometimes the key has to be shared with third-party application developers or others, and then accountability becomes a real problem: a single passphrase-less key is shared among several people, and the logs can only tell you that "the key" logged in. The factors below are worth considering. This document is meant to guide the security design and point you in the right direction; it does not contain step-by-step configuration.

  • Unique key for each user
  • Centralised storage of keys (optional)
  • Disable default .pem key
  • Log user activities
  • Regulate SSH ports
  • Use AWS SSM if possible

Unique key for each user

It is a good idea to give every person who logs into your instances their own key, whether they are employees or third-party application developers. Putting a passphrase on each private key adds another layer: someone who obtains the key file still cannot log in without the passphrase, and every login in the logs maps to exactly one person.

1) Create a Linux account for each user.

2) Generate a key pair with a passphrase using ssh-keygen (ideally the user does this on their own machine and hands over only the public half, so nobody but the user ever holds the private key; OpenSSH's default key format works just as well as .pem).

3) Install the public key in ~/.ssh/authorized_keys under that user's home directory, owned by the user, with the directory mode 700 and the file mode 600, otherwise sshd rejects it.

4) Grant sudo rights where needed by adding the user to /etc/sudoers (preferably as a drop-in file under /etc/sudoers.d, checked with visudo).

Centralised storage of keys (optional)

With hundreds of servers and hundreds of employees, managing keys on each instance becomes unworkable: when someone leaves, their key has to be removed from every system. Instead, store the users' public keys in a central directory such as ADS or IPA and enrol every instance as a client of that directory; sshd then looks the key up centrally at login time rather than reading a file on the instance. When the person leaves, disabling the account in the IPA/ADS server is a single action that revokes access everywhere at once.

Disable default EC2 .pem key

Once every user has their own key, the default launch key can be disabled. Otherwise it remains a security loophole: anyone who has a copy of it gains access to the operating system, and nothing in the logs says who. The launch key is nothing more than a public-key line that AWS placed in the default user's ~/.ssh/authorized_keys (ec2-user, ubuntu or similar, depending on the AMI), so removing that line disables it; do this only after confirming that a per-user key login works, or you lock yourself out. If you really want to retain the default key, at least set a passphrase on it with ssh-keygen -p -f <path-to-key.pem>.

Log user activities

Accounting matters when several users operate on a single server: as an administrator you should be able to tell who executed which command. The record can be shipped to AWS CloudWatch Logs.

1) Edit /etc/bashrc and add the following line so that each user's shell commands are logged to syslog, including the commands typed after an "su -" (those are recorded under root; the su entry in /var/log/secure tells you which login user became root, and the [$$] shell pid lets you group one session's commands):

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//") [$RETRN_VAL]"'

Route the local6 facility to a file in rsyslog (for example local6.* /var/log/cmdlog) so there is something for the agent to ship. Treat this as a bookkeeping aid, not a control: a user can unset PROMPT_COMMAND, start a different shell or use sftp, so for tamper-resistant records add auditd on top.

2) Install and enable the CloudWatch agent in your instance.

3) Create an IAM role that allows writing to CloudWatch Logs and attach it to the instance so the agent can push the log.

4) Additionally, ship /var/log/secure (/var/log/auth.log on Debian and Ubuntu) so that the client IP address, and with recent OpenSSH the key fingerprint, of every SSH login is recorded alongside.

Regulate SSH port

Open the SSH port only while a user actually needs it, and only to that user's address. Logging into the AWS console to open and close security-group rules on every request is tedious, so automate it: a short script around the AWS CLI, or an Ansible playbook, can add and remove the rule without touching the web console, and can close the port again after a fixed time so access is never forgotten open.

Use AWS SSM if possible

AWS Systems Manager (SSM) Run Command can execute operating system commands or scripts on instances without any SSH login, from the AWS console or CLI, including on a schedule. Each invocation is tied to the IAM identity that requested it and its output is kept in the command history, which gives the per-person accountability a shared key cannot. Session Manager, part of the same service, adds an interactive shell through the agent with no inbound port open at all. Both need the SSM agent on the instance and an instance profile that lets the agent register with the service.

Conclusion

We have seen why each user who logs into an EC2 instance should have a unique key instead of the shared .pem: it gives a higher degree of security and, above all, accountability. A passphrase on the key makes a stolen key file much harder to use. We have also looked at SSM, which can replace SSH logins to a considerable extent.
