0

I am trying to create an EC2 instance for someone on his own AWS account. That person should only interact with the machine via a web service. I can't afford having anyone SSH into the machine and get their hands on the code IP.

How can I forbid the owner of the account from creating a new key pair and replacing the ones that I set for the machine?

Thanks

asked May 7, 2020 at 22:33
Cobry's user avatar
2
  • What do you mean by "on his own AWS account"? Is he a root user? If so, he will probably have access to everything. Commented May 7, 2020 at 23:07
  • This user has a prepaid account from his university and he needs to use the funds. So yes, that person is root on the account. Commented May 7, 2020 at 23:30

1 Answer

1

Ideally, you should have an instance on your own account, where you are in control: create an instance, install your web services, host them via a web server and expose the web ports (let's say port 80) to the world.

Then you edit the Security Group to make sure the web ports are open to the world/to the user's IP (in case you're using static IP Range) and the SSH Port 22 should only be open to your IP (if you're using static IP Range).

If you're using a dynamic IP, my strategy would be to use a step server, that is to create another server (with an elastic IP), whose keys are known and managed only by you, and allow that server's IP address to have SSH permission to your web server by modifying your web server's security group. That way only your account has access to the step server, and ONLY you can log in to the web server from the step server and no one else.

answered May 7, 2020 at 23:20
EngineJanwaar's user avatar
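The security-group layout the answer describes (web port open to the world, port 22 reachable only from the step server's elastic IP), as an added example that is not part of the answer. It builds the ingress rules in the shape that boto3's `authorize_security_group_ingress(IpPermissions=...)` accepts and adds a small audit helper that flags any source allowed to reach port 22 other than the step server. The step server address and the web port are constructed values, and no AWS call is made, so it runs offline; feed `find_open_ssh_sources` the `IpPermissions` list from `describe-security-groups` to check a real group.

```python
from ipaddress import ip_network

# Constructed values (assumptions, not from the page): the step server's
# elastic IP (a TEST-NET-2 documentation address) and the web port in use.
STEP_SERVER_EIP = "198.51.100.10"
WEB_PORT = 80
SSH_PORT = 22
ANYWHERE = "0.0.0.0/0"


def build_web_server_ingress(step_server_ip: str, web_port: int = WEB_PORT) -> list:
    """Ingress rules for the web server's security group: the web port open to
    the world, SSH only from the step server's /32. Same dict layout as the
    IpPermissions parameter of boto3's authorize_security_group_ingress."""
    host = ip_network(f"{step_server_ip}/32")  # validates the address, forces a /32
    return [
        {"IpProtocol": "tcp", "FromPort": web_port, "ToPort": web_port,
         "IpRanges": [{"CidrIp": ANYWHERE, "Description": "public web traffic"}]},
        {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
         "IpRanges": [{"CidrIp": str(host), "Description": "SSH from step server only"}]},
    ]


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if this IpPermissions entry lets traffic reach the given TCP port."""
    if rule.get("IpProtocol") == "-1":  # "all traffic" rules cover every port
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_open_ssh_sources(ip_permissions: list, allowed_cidrs: set) -> list:
    """Audit helper: every IPv4 CIDR that may reach port 22 but is not in
    allowed_cidrs. An empty list means SSH is restricted as intended."""
    offenders = []
    for rule in ip_permissions:
        if not _rule_covers_port(rule, SSH_PORT):
            continue
        for ip_range in rule.get("IpRanges", []):
            cidr = ip_range["CidrIp"]
            if cidr not in allowed_cidrs:
                offenders.append(cidr)
    return offenders


if __name__ == "__main__":
    rules = build_web_server_ingress(STEP_SERVER_EIP)
    print("ingress rules:", rules)
    print("unexpected SSH sources:",
          find_open_ssh_sources(rules, {f"{STEP_SERVER_EIP}/32"}))
```

The audit treats an `IpProtocol: "-1"` (all traffic) rule as covering port 22 as well, which is the common way an otherwise tidy group ends up exposing SSH.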

4 Comments

Thanks for your response Rakesh. The only reason why I will be using his account is because he already has a paid subscription and some $ that he needs to spend ... otherwise what you said makes total sense.
I am afraid you cannot restrict activities in the root account. So your situation is you need to host the code on the user's machine where he's the superuser without letting him see the code, that seems impossible. The only thing I can think of is dockerizing your application, and running a docker container on the user's system; that way the user can't directly reach the code but is still able to look inside containers, but it can have different permissions. I do have to check this out though. This is just off the top of my head.
He's not the superuser on the machine. He owns the AWS account. He will give me his credentials to log in and I will be creating a new key pair and assigning it to the machine, and he won't have that key pair. Technically he can't SSH to the machine at all. But in AWS you can recover key pairs and access the machine ... I am trying to find out whether there is a way to forbid changing a machine's key pair. That's all.
If this account is part of an organisation you can use SCP to limit root user's permission, otherwise root user has all permissions, including recovering keys and once recovered logging in as Superuser, either delete his root keys and force him to log in as IAM user with a few admin privileges or use SCP, or simply you can't: Basically any settings you make in his account can be later altered by him as root.
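The last comment's SCP option, as an added example that is not from the thread: a constructed service control policy that denies the EC2 key-pair management actions for every principal in a member account (SCPs apply to member-account root users too, but never to the organization's management account), plus a minimal evaluator that checks whether an action is caught by a Deny statement, honouring the `*`/`?` wildcards IAM allows in action names. The evaluator assumes `Resource: "*"` and no `Condition`. As the comment says, this only helps when the account is inside an AWS Organization, and blocking these three actions is one control, not a complete one: a root user still holds full rights over the instance and its volumes.

```python
from fnmatch import fnmatchcase

# Constructed SCP for this example (hypothetical, not from the page): deny the
# EC2 key-pair management actions account-wide, root user included.
DENY_KEY_PAIR_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyKeyPairManagement",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:ImportKeyPair",
                "ec2:DeleteKeyPair",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM lets Action be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_denied_by_scp(policy: dict, action: str) -> bool:
    """True if any Deny statement in the policy matches the action.
    IAM action names are matched case-insensitively and may contain the
    '*' and '?' wildcards; fnmatchcase on lower-cased strings gives exactly
    that behaviour. Resource and Condition are not evaluated here."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def denied_actions(policy: dict, actions: list) -> list:
    """Filter a list of actions down to those the SCP would block."""
    return [a for a in actions if is_denied_by_scp(policy, a)]


if __name__ == "__main__":
    probe = ["ec2:CreateKeyPair", "ec2:ImportKeyPair", "ec2:DescribeKeyPairs",
             "ec2:RunInstances"]
    print("blocked by SCP:", denied_actions(DENY_KEY_PAIR_CHANGES, probe))
```

Attach the policy to the OU or account containing the member account; `ec2:DescribeKeyPairs` stays allowed so the console and CLI still list existing pairs.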
