0

I created an AWS EC2 instance and shared the .pem (common .pem file for every user) file with multiple employees in the company. Some of them are resigned now. I am afraid that they will access the instance again since they have the .pem file. How can I restrict this? Are there any methods to avoid these sort of problems from future? I found two solutions over the internet.

One is this. But for this solution, there are two problems. One, I don't have a static IP. Secondly, if someone wants to access it from some other network, it will not be possible.

The second solution is this. This looks ok. But I don't know is this the best solution.

Any ideas on how can I tighten the security? When I explored a bit I had seen some terms like VPN, and create RSA keys from the user laptop itself. So the user can access to the instance only from this laptop (I don't any clear idea about these).

Thanks.

AKA
  • 115
  • 1
  • 6
  • 1
    I'd suggest you investigate SSH and SSH keys - they aren't specific to Amazon EC2 I don't think (correct me if I'm wrong here). – starbeamrainbowlabs Aug 03 '17 at 10:13
  • I thought of changing the existing .pem files. But that is a difficult task. Can keep it as a regular task. – AKA Aug 03 '17 at 10:20

2 Answers2

3

Always create specific user when you manage servers in team. Never share a single key or password. That said, go for your second solution: create specific users with specific password, and revoke the actual pem password (it's the ssh password for the default ec2-user)

Federico Galli
  • 918
  • 6
  • 16
1

Your best option is likely to revoke access to that certificate and set up individual server users. You can also use a firewall to limit access from specific IPs.

I have a small tutorial on SSH/SFTP setup for Amazon Linux on my website you may find useful. They key parts are.

Firewall / Security Groups

On AWS you can use Security Groups or Network Access Control Lists to specify what IPs can connect on what protocols. You can set this up so only your corporate IP can connect on SSH. This is very quick and easy to do. See instructions here.

I suggest using security groups rather than NACLs, just because I find it easier. You could use either or both.

Revoke Existing Key Pair

To revoke the key pair (documentation, under "Adding or Replacing a Key Pair for Your Instance")

  1. Retrieve the public key from your new key pair. For more information, see Retrieving the Public Key for Your Key Pair on Linux or Retrieving the Public Key for Your Key Pair on Windows.

  2. Connect to your instance using your existing private key file.

  3. Using a text editor of your choice, open the .ssh/authorized_keys file on the instance. Paste the public key information from your new key pair underneath the existing public key information. Save the file.

  4. Disconnect from your instance, and test that you can connect to your instance using the new private key file.

  5. (Optional) If you're replacing an existing key pair, connect to your instance and delete the public key information for the original key pair from the .ssh/authorized_keys file.

Create the new users

sudo su
sudo useradd fred
passwd fred

Create the keys

su fred
ssh-keygen -f rsa

mkdir .ssh

touch .ssh/authorized_keys
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

cat fred.pub >> /home/fred/.ssh/authorized_keys

Allow user login

vi /etc/ssh/sshd_config
PasswordAuthentication no
AllowUsers ec2-user fred
Tim
  • 31,888
  • 7
  • 52
  • 78