0

On-premise, we do not use public-private key to connect to Linux VM, launched on ESX.

root user create/configure local users(with an expiry) on the VM and provide access to non-root users

Admin user(IAM) on AWS console, creates an EC2 instance, that is supposed to be used by multiple non-admin users(IAM).

Admin user(IAM) can connect to EC2 instance, using command:

ssh -i /local_to_machine/my_private_key.pem user_name@public_dns_name

Admin user does not have root access to EC2 instance, instead the user name is ec2_user(UID=1000), which is a normal user, but has sudo access to almost do everything

$ cat /etc/group | grep ec2-user
adm:x:4:ec2-user
wheel:x:10:ec2-user
systemd-journal:x:190:ec2-user
ec2-user:x:1000:

1) Can IAM admin user have root access(UID=0) to EC2 instance?

2) Being a root user, can multiple non-root users connect to this instance? without a private key...

overexchange
  • 15,768
  • 30
  • 152
  • 347

2 Answers2

-1

I don't know about 1. but here's what I can help you with.

The permission to access a root/ non-root user on an EC2 instance is determined by the keys.

For example, by default the .pem file given by AWS when you launch the instance doesn't have root access, why ? because the public key of this .pem file is not listed under the authorized keys that can access the root user.

what you can do to check is the following 

ssh-keygen -f my_private_key.pem -y > my_public_key.pub (1)
cat my_public_key.pub                                   (2)

Now SSH into your instance by using this command : 

ssh -i /local_to_machine/my_private_key.pem user_name@public_dns_name (3)

cat ~/.ssh/authorized_keys                                            (4)

Here at least 1 entry will be the public part of the pem file you got by 2.

Now suppose you want to give a computer direct root access to the EC2 instance. What you want to do is to add their public key to the authorized_keys file under the root account :

//Ask them to give you the PUBLIC key
ssh -i /local_to_machine/my_private_key.pem user_name@public_dns_name 
sudo su // changes from current user to root user 
echo "<their public key>" >> ~/.ssh/authorized_keys

Now they can directly access the root user by 

  ssh root@public_dns_name

For managing several accounts with root/non-root privileges. My recommendation is to keep the .pem file to your self (keep it for emergencies) and manage the access the appending/removing entries in the ~./ssh/authorized_keys file.

If you don't want to ask for their public keys you can actually create pem files yourself

Wassim Seifeddine
  • 1,002
  • 12
  • 25
-1

1) Can IAM admin user have root access(UID=0) to EC2 instance?

IAM is not in charge of your EC2 instance OS access, it only defines access policy to AWS entities(EC2, S3, SQS etc.). You are connecting to the EC2 instance using preconfigured ssh user and your public key, not by using your IAM user credentials, thus all further ssh acccess configuration relies completely in you responsibility and not related to IAM.

Aleksandr Neshcheret
  • 11
  • 1