
Is it possible to set up a bastion host in AWS that would be checking IAM to check if given user can connect to specific EC2 instance?

It might be a bit blurry but the idea is the following.

Let's assume that a company has 2 customers and each of them operates on a single EC2 instance. So we have MachineA and MachineB for customers A and B. Then, we also have 3 employees:

  • John - a sysadmin that needs to be able to connect everywhere
  • Steve - developer working on a product for customer A. Clearly he should be able to connect to MachineA only
  • Mary - developer working on a product for customer B. Clearly she should be able to connect to MachineB only

Both machines run in a private subnet and connecting to them would be possible only through a bastion host in a public subnet. Now, would it be possible to configure this bastion so that it would verify the user's group in IAM to make sure that this user can connect to a given machine?

So, when Mary connects through SSH to the bastion she uses her own identity. From there she tries to jump to MachineB, so the bastion checks the user's credentials, verifies that she is in group devsB and allows her to connect, but it would refuse the connection if she tried to connect to MachineA for any reason...

3 Answers

1

You can utilize AWS Systems Manager to manage access control to your EC2 instances with IAM.

Henrik Pingel
  • I thought of SSM and it seems quite promising. However, how can I attach keys to machines? I mean, I know that there's CLI access from the AWS Console in SSM, but a browser-based CLI is not exactly nice - devs tend to have their own habits (including me) that I don't want to alter, and maybe some of them would like to use SSH tunnels for some GUI apps... – Tomasz Kapłoński Jun 08 '19 at 05:16
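To make the Systems Manager suggestion concrete, here is an added example (not code from the thread or from AWS) of the IAM side of that control plane: each instance carries a Customer tag, and each IAM group gets a policy that allows ssm:StartSession only on instances whose tag matches, so the "who can reach which machine" decision lives in IAM rather than on the bastion. The group names, tag key, user list and instance IDs are constructed for illustration, and the evaluator is a deliberately simplified simulation of that one tag condition, not IAM's real policy engine.

```python
import json

def session_policy(customer):
    """IAM policy document granting ssm:StartSession only on EC2 instances
    tagged Customer=<customer>; "*" means no tag restriction (sysadmins)."""
    instances = {
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": "arn:aws:ec2:*:*:instance/*",
    }
    if customer != "*":
        # ssm:resourceTag/<key> is the condition key SSM evaluates against
        # the target instance's tags when a session is started.
        instances["Condition"] = {
            "StringEquals": {"ssm:resourceTag/Customer": customer}
        }
    # StartSession also needs permission on the session document itself,
    # otherwise the call is denied even when the instance condition matches.
    document = {
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
    }
    return {"Version": "2012-10-17", "Statement": [instances, document]}

# Constructed mapping of groups to policies, instances to tags, users to groups.
GROUP_POLICIES = {"admins": session_policy("*"),
                  "devsA": session_policy("A"),
                  "devsB": session_policy("B")}
INSTANCE_TAGS = {"i-0aaa (MachineA)": {"Customer": "A"},
                 "i-0bbb (MachineB)": {"Customer": "B"}}
USER_GROUPS = {"John": ["admins"], "Steve": ["devsA"], "Mary": ["devsB"]}

def can_start_session(user, instance):
    """Simplified evaluator: allow if any instance statement in any of the
    user's group policies has a StringEquals condition satisfied by the tags."""
    tags = INSTANCE_TAGS[instance]
    for group in USER_GROUPS.get(user, []):
        for st in GROUP_POLICIES[group]["Statement"]:
            if st["Effect"] != "Allow" or "instance/" not in st["Resource"]:
                continue
            cond = st.get("Condition", {}).get("StringEquals", {})
            # Empty condition (admins) matches everything; otherwise every
            # ssm:resourceTag/<key> must equal the instance's tag value.
            if all(tags.get(k.split("/", 1)[1]) == v for k, v in cond.items()):
                return True
    return False

if __name__ == "__main__":
    print(json.dumps(session_policy("A"), indent=2))
```

On the client side the SSH session itself runs over `aws ssm start-session --document-name AWS-StartSSHSession` as the ProxyCommand, which is the document the second statement covers, so developers keep their normal ssh client, tunnels included, and CloudTrail records every StartSession call.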
0

You can use aws-gate, which combines the SSH key upload functionality of EC2 Instance Connect with SSH over SSM tunneling; access is fully managed via IAM policies, and AWS CloudTrail is used for auditing.

xenol
0

I wouldn’t rely on IAM Group membership as it may be a little challenging to test in the SSH context.

Instead I would give all users SSH access to the bastion host under individual user accounts and only the appropriate users access to each of the customers’ instances.

The simplest way is to add Steve’s public SSH key to MachineA:/home/ec2-user/.ssh/authorized_keys. Similarly Mary’s public key to MachineB.

Then you can use SSH ProxyJump along with SSH Agent to facilitate the access.

Hope that helps :)

MLu
  • Basically I want to do the jumping but I'd like to have a clear management who can get where and IAM looks like a nice candidate for a control plane for that. Access to bastion using individual ssh is fine but distributing those in a bigger organisation might quickly become _unstable_ :P – Tomasz Kapłoński Jun 07 '19 at 12:47