EC2 Key Pairs
- EC2 uses public-key cryptography to encrypt & decrypt login information
- Public-key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data.
- Public and private keys are known as a key pair.
- To log in to an EC2 instance, a key pair needs to be created and specified when the instance is launched, and the private key can be used to connect to the instance.
- Linux instances have no password; the key pair is used for SSH login
- For Windows instances, the key pair can be used to obtain the administrator password and then log in using RDP
- EC2 stores the public key only, and the private key resides with the user. EC2 doesn’t keep a copy of your private key
- Public key content (on Linux instances) is placed in an entry within ~/.ssh/authorized_keys at boot time and enables the user to securely access the instance without passwords
- Public key specified for an instance when launched is also available through its instance metadata http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
- EC2 Security Best Practice: store the private key in a secure place, as anyone who possesses the private key can decrypt the login information
- Also, if the private key is lost, there is no way to recover it.
  - For instance store-backed instances, access to the instance cannot be regained
  - For EBS-backed Linux instances, access can be regained:
    - Stop the EBS-backed instance, detach its root volume and attach it to another instance as a data volume
    - Modify the authorized_keys file on that volume, move the volume back to the original instance, and restart the instance
- The key pair associated with an instance can either be
  - Generated by Amazon EC2
    - Keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys.
  - Created separately (using third-party tools) and imported into EC2
    - EC2 only accepts RSA keys and does not accept DSA keys
    - Supported lengths: 1024, 2048, and 4096
- You can have up to five thousand key pairs per region
- Deleting a key pair only deletes the public key and does not impact the servers already launched with the key
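The public-key line that EC2 writes into ~/.ssh/authorized_keys, and serves back from the public-keys metadata path, is a standard OpenSSH one-liner. The following is an added example (not AWS code) that parses that line, computes the SHA256 fingerprint ssh-keygen would print, and applies the import rules stated in these notes (RSA only; 1024, 2048 or 4096 bits). The sample keys are constructed from arbitrary integers so the script runs offline; they are not real key material.

```python
"""Added example (not AWS code): validate an OpenSSH public-key line against the
EC2 key-pair rules in the notes above.

The same line format appears in ~/.ssh/authorized_keys and at the metadata path
.../public-keys/0/openssh-key, so one parser serves both. The sample keys are
constructed from placeholder integers, not real key material.
"""
import base64
import hashlib
import struct

SUPPORTED_RSA_BITS = (1024, 2048, 4096)  # import lengths listed in the notes above


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_openssh_line(keytype: str, numbers, comment: str) -> str:
    """Assemble a one-line public key of the form '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(keytype.encode()) + b"".join(_mpint(n) for n in numbers)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_openssh_pubkey(line: str) -> dict:
    """Return type, SHA256 fingerprint (ssh-keygen -l style) and, for RSA, the modulus size in bits."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded.decode() != keytype:
        raise ValueError("key type prefix does not match the encoded blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": keytype, "fingerprint": f"SHA256:{digest}"}
    if keytype == "ssh-rsa":
        _, off = _read_string(blob, off)        # public exponent e
        modulus, _ = _read_string(blob, off)    # modulus n
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


def ec2_import_check(line: str):
    """Apply the import rules from the notes above; returns (accepted, reason)."""
    info = parse_openssh_pubkey(line)
    if info["type"] != "ssh-rsa":
        return False, f"EC2 accepts RSA keys only, got {info['type']}"
    if info["bits"] not in SUPPORTED_RSA_BITS:
        return False, f"unsupported RSA length {info['bits']}; expected one of {SUPPORTED_RSA_BITS}"
    return True, f"ssh-rsa {info['bits']}-bit, {info['fingerprint']}"


# Constructed sample keys: the integers are placeholders, not real key material.
SAMPLE_RSA_2048 = build_openssh_line("ssh-rsa", [65537, (1 << 2047) | 0x10001], "constructed@example")
SAMPLE_RSA_3072 = build_openssh_line("ssh-rsa", [65537, (1 << 3071) | 1], "constructed@example")
SAMPLE_DSS = build_openssh_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3], "constructed@example")

if __name__ == "__main__":
    for name, line in [("rsa-2048", SAMPLE_RSA_2048), ("rsa-3072", SAMPLE_RSA_3072), ("dss", SAMPLE_DSS)]:
        print(name, ec2_import_check(line))
```

Comparing the fingerprint of a line read from the metadata path with `ssh-keygen -lf` on the private key you hold is the quickest way to confirm which key pair an instance was launched with, since EC2 never returns the private key.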
EC2 Security Groups
- An EC2 instance, when launched, can be associated with one or more security groups, which act as a virtual firewall controlling the traffic to that instance
- Security groups specify rules that control the inbound traffic allowed to reach the instance and the outbound traffic allowed to leave the instance
- Security groups are associated with network interfaces. Changing an instance's security groups changes the security groups associated with its primary network interface (eth0)
- A network interface can be associated with up to 5 security groups, with up to 50 rules per security group
- Rules for a security group can be modified at any time; the new rules are automatically applied to all instances associated with the security group.
- All the rules from all associated security groups are evaluated to decide whether to allow traffic to an instance
- Security Group features
  - The VPC default security group allows all inbound traffic from other instances associated with the default security group
  - By default, the VPC default security group and newly created security groups allow all outbound traffic
  - Security group rules are always permissive; deny rules cannot be created
  - Rules can be added and removed at any time.
  - Any modification to the rules is automatically applied to the instances associated with the security group after a short period, depending on the connection tracking for the traffic
  - Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules
  - If multiple rules exist for the same protocol and port, the most permissive rule is applied; e.g. with rules for TCP port 22 from a specific IP and from everyone, everyone is granted access, that being the most permissive rule
Connection Tracking
- Security groups are stateful and use connection tracking to track information about traffic to and from the instance.
- This allows responses to inbound traffic to flow out of the instance regardless of outbound security group rules, and vice versa.
- Connection tracking is maintained only if there is no explicit outbound rule for an inbound request (and vice versa)
- However, if there is an explicit outbound rule for an inbound request, the response traffic is allowed on the basis of the outbound rule and not on the tracking information
- Any existing flow of traffic that is tracked is not interrupted even if the rules for the security groups are changed. To ensure traffic is interrupted immediately, use NACLs, which are stateless and therefore do not allow automatic response traffic.
- If your instance (host A) initiates traffic to host B using a protocol other than TCP, UDP, or ICMP, your instance's firewall only tracks the IP address and protocol number for the purpose of allowing response traffic from host B. If host B initiates traffic to your instance in a separate request within 600 seconds of the original request or response, your instance accepts it regardless of inbound security group rules, because it is regarded as response traffic.
- You can control this by modifying your security group's outbound rules to permit only certain types of outbound traffic, or by using NACLs
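The rule-evaluation and connection-tracking behaviour described in the two sections above is easiest to reason about as a small model. The following is an added example (not AWS code; the VPC evaluates real security groups, not anything like this) that covers allow-only rules evaluated as a union across every attached group (so the most permissive rule wins), stateful tracking of response traffic, the untracked case where the reverse direction has its own explicit rule, and the 600-second IP+protocol tracking for protocols other than TCP/UDP/ICMP. All groups, rules and packets are constructed sample data.

```python
"""Added example (not AWS code): a toy model of the security-group semantics in the
notes above. Groups, rules and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

FULLY_TRACKED = ("tcp", "udp", "icmp")  # other protocols are tracked by peer IP + protocol number only


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    protocol: str    # "tcp", "udp", "icmp", an IP protocol number as text, or "-1" for all
    from_port: int   # port range; ignored unless protocol is tcp or udp
    to_port: int
    cidr: str


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the instance, "out" = leaving it
    protocol: str
    port: int        # service port of the flow (destination inbound, source of the reply outbound)
    peer: str        # remote IP address
    time: float      # seconds


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "-1" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not rule.from_port <= pkt.port <= rule.to_port:
        return False
    return ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr)


def explicitly_allowed(groups, pkt: Packet) -> bool:
    """Union of all rules of all attached groups: one matching allow rule is enough (no deny rules exist)."""
    return any(rule_matches(r, pkt) for g in groups for r in g)


def reverse(pkt: Packet) -> Packet:
    return Packet("out" if pkt.direction == "in" else "in", pkt.protocol, pkt.port, pkt.peer, pkt.time)


class SecurityGroupFirewall:
    UNTRACKED_PROTO_TTL = 600  # seconds, per the note above for non-TCP/UDP/ICMP flows

    def __init__(self, groups):
        self.groups = [list(g) for g in groups]
        self.flows = {}  # flow key -> time the flow was last seen

    def update_groups(self, groups):
        """Rule changes apply to new traffic; tracked flows are deliberately kept (not interrupted)."""
        self.groups = [list(g) for g in groups]

    def _key(self, pkt: Packet):
        if pkt.protocol in FULLY_TRACKED:
            return (pkt.protocol, pkt.port, pkt.peer)
        return (pkt.protocol, pkt.peer)  # only peer IP and protocol number are tracked

    def evaluate(self, pkt: Packet):
        """Return (allowed, reason) for one packet."""
        key = self._key(pkt)
        if key in self.flows:
            # TCP/UDP/ICMP flows stay tracked in this toy; other protocols expire after 600 s of silence
            fresh = pkt.protocol in FULLY_TRACKED or pkt.time - self.flows[key] <= self.UNTRACKED_PROTO_TTL
            if fresh:
                self.flows[key] = pkt.time
                return True, "tracked flow: allowed regardless of the rules for this direction"
            del self.flows[key]
        if not explicitly_allowed(self.groups, pkt):
            return False, "no allow rule matches"
        if explicitly_allowed(self.groups, reverse(pkt)):
            return True, "allowed by rule; untracked because the reverse direction has its own rule"
        self.flows[key] = pkt.time
        return True, "allowed by rule; flow is now tracked"


if __name__ == "__main__":
    ssh_from_anyone = [Rule("in", "tcp", 22, 22, "0.0.0.0/0")]
    fw = SecurityGroupFirewall([ssh_from_anyone])
    print(fw.evaluate(Packet("in", "tcp", 22, "198.51.100.7", 0)))
    fw.update_groups([[]])  # rule removed: the tracked flow survives, a new peer does not
    print(fw.evaluate(Packet("in", "tcp", 22, "198.51.100.7", 1)))
    print(fw.evaluate(Packet("in", "tcp", 22, "198.51.100.8", 1)))
```

The model makes the practical consequence visible: removing an inbound rule does not cut an established, tracked session, whereas a flow covered by an explicit rule in the reverse direction is re-evaluated against the rules on every packet and stops as soon as that rule goes away.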
IAM with EC2
- IAM policy can be defined to allow or deny a user access to the EC2 resources and actions
- EC2 partially supports resource-level permissions. For some EC2 API actions, you cannot specify which resource a user is allowed to work with for that action; instead, you have to allow users to work with all resources for that action
- IAM can control only which actions a user can perform on EC2 resources; it cannot be used to grant users access to log in to the instances
EC2 with IAM Role
- EC2 instances can be launched with IAM roles so that applications can securely make API requests from your instances
  - IAM roles remove the need to share, manage and rotate the security credentials that the applications use
  - As per the latest enhancement from AWS, an IAM role can be added to an existing running EC2 instance.
- EC2 uses an instance profile as a container for an IAM role.
- Creating an IAM role using the console creates an instance profile automatically and gives it the same name as the role it corresponds to.
- When using the AWS CLI, API, or an AWS SDK to create a role, the role and the instance profile need to be created as separate actions, and they can be given different names.
- To launch an instance with an IAM role, the name of its instance profile needs to be specified.
- An application on the instance can retrieve the security credentials provided by the role from the instance metadata item http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
- Security credentials are temporary and rotated automatically; new credentials are made available at least five minutes before the old credentials expire.
- Best Practice: always launch EC2 instances with an IAM role instead of hardcoded credentials
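To show how an application on the instance consumes the role credentials described above, here is an added example (not AWS SDK code) that reads the security-credentials metadata item for a role and refreshes it inside the five-minute rotation window. The JSON field names are those the metadata service returns. `imds_fetch` uses the IMDSv2 session-token exchange (a PUT to /latest/api/token and the X-aws-ec2-metadata-token header), which a hardened instance requires; the notes above show the older token-less URL. The `fetcher` and `clock` parameters are assumptions of this example so that it runs offline, and `SAMPLE_RESPONSE` holds constructed placeholder values, not real credentials.

```python
"""Added example (not AWS SDK code): read IAM role credentials from instance
metadata and refresh them ahead of expiry. SAMPLE_RESPONSE is constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254/latest"


def imds_fetch(path: str, timeout: float = 2.0) -> str:
    """Fetch one metadata path using an IMDSv2 session token (v1 reads fail where v2 is enforced)."""
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(f"{IMDS}/{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_credentials(body: str) -> dict:
    """Turn the security-credentials JSON into a dict with a timezone-aware expiry."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise RuntimeError(f"metadata service reported {doc.get('Code')!r}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "token": doc["Token"],
        "expiration": expiration,
    }


class RoleCredentialCache:
    """Hands out current credentials and re-reads metadata once inside the rotation window."""

    REFRESH_AHEAD = timedelta(minutes=5)  # new credentials are published at least 5 minutes before expiry

    def __init__(self, role_name: str, fetcher=imds_fetch, clock=None):
        # `fetcher` and `clock` are injectable so the cache can be exercised offline (assumption of this example)
        self.path = f"meta-data/iam/security-credentials/{role_name}"
        self.fetcher = fetcher
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.creds = None
        self.fetch_count = 0

    def get(self) -> dict:
        now = self.clock()
        if self.creds is None or now >= self.creds["expiration"] - self.REFRESH_AHEAD:
            self.creds = parse_credentials(self.fetcher(self.path))
            self.fetch_count += 1
        return self.creds


# Constructed sample of the metadata response; values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "placeholder-secret-not-real",
    "Token": "placeholder-session-token",
    "Expiration": "2024-01-01T06:00:00Z",
})


def simulate_rotation() -> list:
    """Drive the cache with a fake clock: first read, a read before the window opens, a read inside it."""
    now = [datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)]
    cache = RoleCredentialCache("app-role", fetcher=lambda path: SAMPLE_RESPONSE, clock=lambda: now[0])
    counts = []
    for hour, minute in ((0, 0), (5, 54), (5, 56)):
        now[0] = datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)
        cache.get()
        counts.append(cache.fetch_count)
    return counts


if __name__ == "__main__":
    print("fetch count after each read:", simulate_rotation())
```

Because the credentials are only ever held in memory and re-read from the metadata service, nothing long-lived is written to disk or baked into an image, which is the point of the best practice above.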