
I am setting up a new EC2 Amazon Linux 2 AMI and am having a try at setting up EC2 Instance Connect as it's preinstalled on my new instance.

From what I've understood the docs to mean, I should be able to create an IAM user, add a public key to that user and then SSH into the box using the IAM user's (public) key without having to create the .ssh folder on the EC2 instance.

What I've done is:

  1. Create a user on the EC2 instance which my IAM user should map to (let's call him bob)
  2. Uploaded my public OpenSSH key to the IAM user
  3. Created a permission policy which allows the action ec2-instance-connect:SendSSHPublicKey (as per the docs)

Once these are all done, if I try to SSH into the box, it doesn't work and in my /var/log/secure I see a preauth failure.

If I create the .ssh/authorized_keys file and set the permissions correctly, everything works fine.

However, my understanding of the EC2 Instance Connect approach is that it gives me a central way to manage public-key based access to my instances.

Am I correct?

Am I missing something in how I'm setting this up?

I'm finding the documentation a little unclear, so some insight would be helpful.

Thanks!

asked Apr 16, 2020 at 18:17
  • What do you mean by "Uploaded my public OpenSSH key to the IAM user"? Commented Apr 17, 2020 at 0:02

1 Answer


EC2 Instance Connect works as follows:

  • You issue a command that pushes a temporary public key to the instance, such as:

    $ aws ec2-instance-connect send-ssh-public-key --instance-id i-001234a4bf70dec41EXAMPLE --availability-zone us-west-2b --instance-os-user ec2-user --ssh-public-key file://my_rsa_key.pub

  • You then establish an SSH connection to the instance using the private half of the keypair
  • Within the instance, the EC2 Instance Connect software interfaces with the ssh process and checks whether the SSH key provided matches the public key that was pushed with send-ssh-public-key (and it is within 60 seconds of receiving that key)
  • If they match, the SSH session is permitted

See: Connect Using EC2 Instance Connect - Amazon Elastic Compute Cloud

EC2 Instance Connect also provides a web-based interface that can both initiate the above process (using a temporary random keypair) and provide an SSH interface. When doing so, the SSH connection appears to come from within AWS, not your own IP address. This is because the web interface uses HTTPS to AWS, then AWS establishes the SSH connection to the instance. This has an impact on security group configuration.

answered Apr 17, 2020 at 0:02
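As an added illustration (not code from the question, the answer, or AWS), here is the push-then-connect flow the answer describes, scripted end to end: a throwaway keypair is generated per session, its public half is pushed with send-ssh-public-key, and the SSH login is attempted only while the 60-second window is still open. It also renders the kind of IAM policy the question mentions, narrowed with the ec2:osuser condition key so the IAM principal can only push keys for one OS user (the question's "bob"). The instance id, availability zone, instance ARN, OS user and hostname are placeholders supplied by the caller; the AWS CLI and OpenSSH are assumed to be installed and the caller's IAM principal is assumed to be allowed ec2-instance-connect:SendSSHPublicKey.

```shell
#!/usr/bin/env sh
# Added example, not part of the original question or answer.
# Assumptions: aws CLI and ssh/ssh-keygen are on PATH; instance id, AZ,
# OS user and hostname are passed in by the caller (placeholders below).

# Seconds a pushed key stays valid on the instance (from the answer above).
EIC_KEY_TTL=60

# Renders an IAM policy that allows pushing keys only for one OS user on one
# instance. ec2:osuser is the condition key EC2 Instance Connect evaluates.
# $1 = OS user, $2 = instance ARN (placeholder in the usage note).
render_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSSHPublicKey",
    "Resource": "$2",
    "Condition": {"StringEquals": {"ec2:osuser": "$1"}}
  }]
}
EOF
}

# Returns 0 if fewer than EIC_KEY_TTL seconds have passed since $1 (epoch
# seconds recorded when the key was pushed). After the window the instance no
# longer knows the key, so sshd refuses the login.
within_window() {
  now=$(date +%s)
  [ $((now - $1)) -lt "$EIC_KEY_TTL" ]
}

# Generates a throwaway RSA keypair (matching the my_rsa_key.pub example
# above) in a private temp dir and prints the private key path.
make_ephemeral_key() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  ssh-keygen -q -t rsa -b 4096 -N "" -f "$dir/eic_key" -C "eic-ephemeral"
  printf '%s\n' "$dir/eic_key"
}

# Pushes the public half for the given OS user; the instance drops it after
# the TTL. $1 instance id, $2 AZ, $3 OS user, $4 private key path.
push_key() {
  aws ec2-instance-connect send-ssh-public-key \
    --instance-id "$1" --availability-zone "$2" \
    --instance-os-user "$3" --ssh-public-key "file://$4.pub" >/dev/null
}

# Full flow: push, then connect with the matching private key before the
# window closes, then discard the keypair.
# Usage: EIC_RUN=1 sh eic.sh i-0123456789abcdef0 us-west-2b bob ec2-host
main() {
  key=$(make_ephemeral_key)
  pushed_at=$(date +%s)
  push_key "$1" "$2" "$3" "$key"
  if within_window "$pushed_at"; then
    ssh -i "$key" -o IdentitiesOnly=yes "$3@$4"
  else
    echo "key window expired; push again" >&2
    rm -rf "$(dirname "$key")"
    return 1
  fi
  rm -rf "$(dirname "$key")"
}

# Only run the network steps when explicitly asked, so the helpers can be
# sourced and checked without AWS access.
if [ "${EIC_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

The OS user passed to `--instance-os-user` must exist on the instance (step 1 in the question), and the same user name is what the `ec2:osuser` condition pins down on the IAM side; attaching `render_policy bob "arn:aws:ec2:REGION:ACCOUNT_ID:instance/INSTANCE_ID"` (placeholders) to the IAM user means that principal can push keys for `bob` and nobody else. Because the key is regenerated every run, nothing durable has to live in `~bob/.ssh/authorized_keys`.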