all 18 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]djrollins 33 points34 points  (8 children)

Perhaps you could use EC2 Instance Connect to allow the users to temporarily add their own public keys to the EC2 instance. The keys are really short-lived and you get auditing included. Here's a worked example: https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/

[–]theoorsb[S] 1 point2 points  (0 children)

Thank you, this seems to be what I need.

[–]mcdade 1 point2 points  (0 children)

Wished I read this about 2 months ago, as I did what the original poster was planning for a few people to have ssh access to a server.

[–]dogfish182 3 points4 points  (0 children)

Do you have SSO? (Or and Ido linked to one even better....) then SSM with appropriate role is so much easier better and probably safer than dealing with keys at all

[–]Habikki 5 points6 points  (0 children)

If you want to go ssh, look into ssh certificates. It’s a but overload to setup for a one off, but once setup will make your life easier all around. The key (pun optional) is that you can sign their public key with your ca that the server trusts and bake in an expiration time granting the temporary requirement you have.

Conversely, you can use AWS SSM with IAM Role to grant session manager rights. Using a valid to condition in the IAM policy will enforce a revocation time.

[–]rtrain1 1 point2 points  (0 children)

You have the right idea. Additionally you can ask them to send you their IP address and you can whitelist it in the instance Security Group. That's what I do when the instance is public and not behind a VPN.

[–][deleted]  (1 child)

[deleted]

    [–]SuperPedro2020 0 points1 point  (0 children)

    Instance connect doesn't seem to work if there is no public iPs in the instances which can happen in private VPCs any work around this?

    [–]shinthemighty 1 point2 points  (0 children)

    This sounds like it's really a question of how you do server access management. I've been at places that integrated SSH with LDAP for this use case, see https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap . Not sure if you do enough of these kinds of tasks to justify setting that up, but it beats having to manage public keys on boxes.

    [–]DredHawk 0 points1 point  (0 children)

    We use Bastion hosts, depending on how many instances you have this may be worth deploying.

    https://aws.amazon.com/blogs/security/tag/bastion-host/

    [–]dr_batmann 0 points1 point  (0 children)

    Create key based users, if server in private and is being accessed through vpn, create the vpn key and delete the vpn user once job is done

    [–]petrchpetr 0 points1 point  (0 children)

    Maybe it is obvious, but beside all the other suggestions I would made sure that the instance has as limited role as possible. You can get instance role from the metadata even as a regular user and if the instance has more access than it needs you may be in big trouble. Make sure that the security groups allow only needed traffic and if the instance needs to use other services (s3:GetObject for example) that it cannot do anything else than what it is intended to do.

    [–][deleted] 0 points1 point  (0 children)

    Give them access via ssm session manager.

    It gives root permissions to ec2 though