I am planning to host a Flask application on an EC2 instance, which connects to a database. The database credentials are inside a folder on the server.

EC2 login can be done only via SSH private key. The Flask API itself is not SSL-secured, but when it talks to the database it's over a secure connection.

Is it possible to log in to the EC2 instance via SSH brute force or any other way and acquire the database credentials? I have not enabled username and password login to EC2; login is only via private key.

keithRozario

2 Answers

If you disabled password-based login via SSH, then it is very hard to brute force an SSH login using a private key (especially if that private key follows current best practice for algorithm selection).

But here are a few extra steps to ensure your EC2 is secured from login:

  • Ensure your Security Groups allow only SSH plus whatever ports Flask is exposing for ingress traffic
  • Ensure your Security Groups allow only the database server's security group as egress traffic
  • Protect your Flask app (this is harder to do) and, as the answer above suggests, it is the most probable entry point for an attacker.

If we're focusing on SSH access -- then my suggestion is to disable SSH access entirely and instead use AWS Systems Manager Session Manager. It installs an agent on your EC2 that then allows you to connect to your server via the console. All console-based logins are then recorded for audit purposes. Hence, in order to access your EC2, attackers would first need to compromise your entire AWS account.

keithRozario
  • Even though only port 22 via ssh is enabled AWS prints a warning " Your security group, ssh-only, is open to the world." Is that being paranoid? https://security.stackexchange.com/questions/233785/is-starting-an-aws-instance-with-only-ssh-to-port-22-insecure – WestCoastProjects Jun 25 '20 at 20:59
  • Is it harder or easier to compromise an SSH server or an AWS account? I have no idea. – Paul Draper May 16 '21 at 15:53
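The two Security Group rules in the answer above (ingress limited to SSH and the Flask port, egress limited to the database's security group) can be checked mechanically. The audit below is an added example, not code from the answer or from AWS; it assumes Flask listens on port 5000, uses a constructed placeholder for the database security group id, and takes input shaped like one entry of `aws ec2 describe-security-groups` output (IPv4 ranges only).

```python
"""Audit an EC2 security group against the two rules above: ingress only SSH + the
Flask port, egress only to the DB security group. Input mirrors describe-security-groups."""
import ipaddress

SSH_PORT = 22
FLASK_PORT = 5000                   # assumption: Flask listens on 5000
DB_SG_ID = "sg-0db0000000000db"     # constructed placeholder for the DB security group

def _ports(rule):
    """Set of ports a permission covers; {"*"} when IpProtocol is -1 (all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return {"*"}
    return set(range(rule["FromPort"], rule["ToPort"] + 1))

def audit_security_group(sg, flask_port=FLASK_PORT, db_sg_id=DB_SG_ID):
    """Return a list of findings; an empty list means the group follows the advice."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        ports = _ports(rule)
        extra = ports - {SSH_PORT, flask_port}
        if extra:
            findings.append(f"ingress: unexpected ports {sorted(extra, key=str)}")
        world = [r["CidrIp"] for r in rule.get("IpRanges", []) if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0]
        if world and ports & {SSH_PORT, "*"}:
            findings.append("ingress: SSH (22) reachable from 0.0.0.0/0; limit it to an admin CIDR")
    for rule in sg.get("IpPermissionsEgress", []):
        peers = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
        other = {r["CidrIp"] for r in rule.get("IpRanges", [])} | (peers - {db_sg_id})
        if other:
            findings.append(f"egress: destinations beyond {db_sg_id}: {sorted(other)}")
    return findings

# Constructed sample: the typical "SSH + app port open to the world, egress anywhere" group.
OPEN_SG = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 5000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
# Constructed sample: SSH only from an admin range, egress only to the DB security group.
HARDENED_SG = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 5000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                             "UserIdGroupPairs": [{"GroupId": DB_SG_ID}]}],
}
```

Running `audit_security_group(OPEN_SG)` reports the world-reachable SSH rule and the unrestricted egress, while `HARDENED_SG` produces no findings.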
If SSH password authentication is disabled, an attacker should not be able to log in over SSH without possessing the correct private key.

Besides SSH, if there are any vulnerabilities in any other exposed services (e.g. your Flask app), those could potentially be exploited to gain access to your server.

multithr3at3d