1

I see here and here (under Connecting to Your Linux Instance if You Lose Your Private Key) ways to access an EC2 instance without the .pem file that was created when the instance was created.

I would like to secure my EC2 so NO-ONE without the .pem file (that I have locally on my machine) will be able to access it.

BTW, I still have the instances' key pairs (public, fingerprint) in EC2.

How can I do it?

Dejel
  • By definition, as long as you have password auth disabled, having access to the private key is a pre-requisite to successful authentication. – EEAA Jun 28 '15 at 17:12
  • Someone who had only the password to log in to the console logged into the servers without the pem file. So it could happen. He didn't have a username/password. – Dejel Jun 28 '15 at 17:26
  • EC2 does not enable true console access. The "console" they give you is merely an SSH client. – EEAA Jun 28 '15 at 17:35
  • So how did he have access to my code on the Tomcat server? I didn't have it on the AMI.. – Dejel Jun 28 '15 at 17:47
  • 2
    Made a snapshot of the volume and then mounted it elsewhere, probably. It sounds as if you have an untrusted person that has access to your key infrastructure. That is a big problem, and you need to revoke that person's access immediately. – EEAA Jun 28 '15 at 17:52

2 Answers

2

You didn't come out and say this right away, but you have given AWS console access to someone who you don't trust. That is the problem you need to solve. What you've done is equivalent to giving someone physical access to your server. Once you've done that, all bets are off. Game over.

So, the first thing that you need to do is revoke this person's access to your AWS account. After you've done this, all you need to do is protect your private key (which it already sounds like you're doing) and the chances of your servers being compromised via SSH are essentially zero.

EEAA
1

You have a few options to control access. Take as many of these approaches as you can.

  1. Use instance-store-backed EC2.
  2. Set up MFA on your AWS console.
  3. Set up Security Groups on your EC2 machine.
  4. Add a passphrase to your SSH private key.
  5. Disable password auth to SSH.
  6. Disable root login to SSH.
  7. Audit all user accounts for SSH public keys.

If you do all of the above steps, you have prevented the workaround described in your question. The approach laid out in my answer can be considered "defense in depth", meaning making sure to solve the problem in multiple layers. Thus, even if there is a compromise or mistake on one layer, the others will prevent access.

dmourati
  • If I am out of time, which step would you recommend starting with as the most secure one to prevent logging in without the .pem file? – Dejel Jun 28 '15 at 17:04
  • 2
    With all due respect, your steps do nothing to invalidate the workaround described in the links the OP linked to. – EEAA Jun 28 '15 at 17:11
  • I think if you read the OP's question carefully and consider the part about "no-one" besides the owner of the pem file being able to access his machine, you will see I am right. – dmourati Jun 28 '15 at 17:24
  • 1
    No, anyone with access to the AWS console could still access the server. – EEAA Jun 28 '15 at 17:41
  • @EEAA so someone with access to AWS console could or couldn't access the server? (not sure from your comments to my question) – Dejel Jun 28 '15 at 17:56
  • 1
    AWS console access is the same as having physical access. Period. If someone has console access, they can access your data. Don't allow untrusted people to have console access. – EEAA Jun 28 '15 at 17:57
  • :( I thought that a pem file could solve it.. :( – Dejel Jun 28 '15 at 17:58
  • 1
    You're missing the point. Don't allow untrusted people to have access to AWS. Period. Don't do it. – EEAA Jun 28 '15 at 18:02
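As an added example (not code from either answer), a small POSIX shell audit for steps 5 to 7 of dmourati's list: it checks an sshd_config for password and root login and lists every authorized key per user. The config path and filesystem root are assumed parameters, so the same functions can be pointed at a mounted volume snapshot as well as at `/` on the live host.

```shell
#!/bin/sh
# Audit helpers for "disable password auth", "disable root login" and
# "audit all user accounts for SSH public keys". Assumed parameters:
# a path to sshd_config and a filesystem root (/ or a mounted snapshot).

# check_sshd_config <sshd_config>
# Prints one FAIL line per weak setting; returns 0 only when both are hardened.
# Note: only the global section is evaluated, Match blocks are not.
check_sshd_config() {
    cfg="$1"
    rc=0
    # sshd honours the first uncommented occurrence of a keyword.
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    root=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$cfg")
    # OpenSSH defaults when unset: PasswordAuthentication yes,
    # PermitRootLogin prohibit-password. Treat anything but "no" as a finding.
    [ "${pw:-yes}" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}'"; rc=1; }
    [ "${root:-prohibit-password}" = "no" ] ||
        { echo "FAIL: PermitRootLogin is '${root:-prohibit-password (default)}'"; rc=1; }
    return $rc
}

# list_authorized_keys <root dir>
# Enumerates <root>/root/.ssh/authorized_keys and <root>/home/*/.ssh/authorized_keys
# and prints "user keytype comment" per key, so every key granting access is listed.
list_authorized_keys() {
    base="$1"
    for f in "$base"/root/.ssh/authorized_keys "$base"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        # Options such as command="..." may precede the key type, so find the
        # type token instead of assuming it is column 1; skip blanks and comments.
        awk -v u="$user" '
            /^[[:space:]]*(#|$)/ { next }
            { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                  comment = ""
                  for (j = i + 2; j <= NF; j++) comment = comment " " $j
                  print u, $i, (comment == "" ? "(no comment)" : substr(comment, 2))
                  break } }' "$f"
    done
}
```

Running `check_sshd_config /etc/ssh/sshd_config; list_authorized_keys /` on the host gives the findings and the full key inventory; repeat against a snapshot mount to see what an attached volume would grant.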