
In our organization, we manage a considerable number of EC2 instances. In the past we've been distributing SSH keys to users for login access, but this approach poses security risks if the keys are compromised.

I'm exploring alternative solutions to securely manage user access. My initial thought is to leverage IAM to restrict user access on a per-EC2 basis and revoke access by removing roles. However, if IAM isn't suitable for this purpose, I'm also considering utilizing Amazon's managed AWS Directory Service.

Could someone advise on how to implement user access control using IAM or AWS Directory Service? Additionally, I'm open to suggestions for other services that offer granular access control, including the ability to revoke access policies and restrict logins on a per-EC2 level.

1 Answer

To control access via IAM, use either AWS Systems Manager Session Manager or EC2 Instance Connect. Session Manager does a better job of tracking access. Both allow connectivity to instances in private subnets when configured correctly.

To control access via Active Directory, you can join an Amazon EC2 instance to your AWS Managed Microsoft AD Active Directory (AWS Directory Service), which involves storing a domain secret in Secrets Manager.

If you choose to keep using SSH keys, then:

  • Each user should generate their own keypair
  • Users should not share keypairs
  • An administrator can add the keypairs of authorised users into desired instances, possibly under their own username (instead of all using ec2-user)
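One concrete way to get the per-instance, revocable control the answer describes with Session Manager is an IAM policy scoped to specific instance ARNs (optionally narrowed further by instance tags), with revocation being nothing more than detaching that policy from the user or group. The block below is an added example, not code from the answer or from AWS; it builds such a policy document in Python and performs a simplified check of which instances it covers. The account ID, region, instance IDs, tag names and tag values are constructed placeholders, and the checker only evaluates the instance side of an Allow (real IAM evaluation also needs the document statement and applies explicit denies, permission boundaries and SCPs).

```python
"""Build a least-privilege IAM policy granting Session Manager access to a
fixed set of EC2 instances, and check instance ARNs against it.
Added example for this answer; ACCOUNT, REGION, instance IDs and tags are
constructed placeholders."""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed placeholder account id
REGION = "eu-west-1"      # constructed placeholder region


def instance_arn(instance_id: str) -> str:
    """ARN form that ssm:StartSession is authorised against for an instance."""
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"


def session_manager_policy(instance_ids, required_tags=None) -> dict:
    """Policy document allowing ssm:StartSession only on the listed instances.

    required_tags adds a StringEquals condition on ssm:resourceTag/<key>, so a
    listed instance is still refused unless it carries the expected tags. The
    tag condition sits on the instance statement only: the session document
    carries no such tag, so it needs its own unconditional statement.
    """
    start_on_instances = {
        "Sid": "StartSessionOnApprovedInstances",
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": [instance_arn(i) for i in instance_ids],
    }
    if required_tags:
        start_on_instances["Condition"] = {
            "StringEquals": {f"ssm:resourceTag/{k}": v for k, v in required_tags.items()}
        }
    statements = [
        start_on_instances,
        {
            "Sid": "UseDefaultShellDocument",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell",
        },
        {
            # Users may only resume or end sessions they started themselves.
            "Sid": "ManageOwnSessions",
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
        {
            # Read-only calls the console and CLI make before starting a session.
            "Sid": "DescribeForSessionStart",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances",
            ],
            "Resource": "*",
        },
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(policy: dict) -> str:
    """Serialise the document as it would be attached with the AWS CLI/console."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def session_allowed(policy: dict, instance_id: str, instance_tags: dict) -> bool:
    """Simplified check: does some Allow statement grant ssm:StartSession on
    this instance ARN with all of its ssm:resourceTag conditions satisfied?"""
    arn = instance_arn(instance_id)
    prefix = "ssm:resourceTag/"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "ssm:StartSession" not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        wanted = {k[len(prefix):]: v for k, v in conds.items() if k.startswith(prefix)}
        if all(instance_tags.get(k) == v for k, v in wanted.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed instance IDs and tag; payments engineers get two hosts only.
    doc = session_manager_policy(["i-0aaa111", "i-0bbb222"], {"Team": "payments"})
    print(policy_json(doc))
```

Attach the generated document to an IAM group per team rather than to individual users, so revoking a person's access is a group-membership change and adding an instance is a single policy update. Because Session Manager writes every StartSession to CloudTrail, the policy also gives you the per-user, per-instance audit trail that shared SSH keys cannot.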

2 Comments

Thanks John. We are now using Session Manager to manage user auth to instances. Benefits: Session Manager can manage EC2 instances, on-premises servers, and virtual machines (VMs). No need to open inbound SSH ports, maintain jump servers, or manage SSH keys. Can manage private EC2 instances without internet access. A single place to grant and revoke access to managed nodes, using only IAM policies. Can restrict the commands that a user can run in a session. Can receive notifications when a user starts or ends session activity. Fully auditable logs with node access details.
Another very important benefit of using Session Manager is that you don't have to keep the RDS bastion host in the public subnet to access the database, as Session Manager can log in to private instances as well.
