EC2 & SSH - When Your Private Key Isn't So Private
Houston, We Have A Problem
AWS makes it super easy to SSH into an instance by giving you the option to create a new SSH Key Pair for you on the fly. In fact, the very last step in creating an EC2 instance is assigning a Key Pair. So now, with your Key Pair assigned and your instance up and running, you're ready to start handing out your Private Key to all employees who need to log in to the instance!
Ummmm.... what?? While AWS makes it easy to SSH into an EC2 instance, the practice of having only one SSH Key per instance is inherently insecure and goes against everything we know about RBAC and IAM. Not only does one private SSH Key for everyone remove any accountability between users (every login is the same ec2-user, so logs cannot tell people apart), but anyone logging in with the default ec2-user profile can sudo su to elevate privileges, which is just one more problem with this scenario.
Don't Share 'Private' Keys
In a nutshell, the solution is to create a new user (or users), import their Public Key, and add the user to the sudoers group if necessary. For extra security, after you verify the new users are working you can delete the ec2-user profile from the machine. The following can be run directly from the "User Data" section as a Bootstrap Script when creating a new instance.
#!/bin/bash
# User Data already runs as root, so no "su" is needed; in a non-interactive
# script "sudo su - <USERNAME>" would not carry the commands below into that
# user's session, so the files are created as root and then chowned instead.
# replace <USERNAME> with the name of your user

# create the user
adduser <USERNAME>
# Create a .ssh directory to place the authorized_keys
mkdir -p /home/<USERNAME>/.ssh
# Change the permissions of the .ssh directory to 700
chmod 700 /home/<USERNAME>/.ssh
# add the Public Key to the authorized_keys file (sshd refuses to read a
# group- or world-writable file, so it gets mode 600)
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQB8X9ZxLue5Q4tjV2cjWR7dSSgx4GNdeXhB/ki1K4biD4qYo+BeB4x7Ryoy5Bu6NnJSFqXEDmigJs49p940rHi/crDB5tSTp4c+03kBEl5Rx9UVV8dEq0/c4ChOnk/rT9vz0xTja1HUDMpPx3hol/bOa3crl6Q1m38HHg2rNqb+WAJ/laBxDNpaPHN67S/i3+DREyCwTOFa6nasoFBAcs+3DMSqHo6FoTO/W7Zd6pAtlHrj8Gg9Ofy7m+6+PxKsPBAQtpPDp0Yx4h+2M39gcddVnNbg7Hu72O9VC6D9rWng9AO1h21Ngx4SpSpjtLY1wE14zbDyg5Ahwp6BDoCDl/h7 <USERNAME>" > /home/<USERNAME>/.ssh/authorized_keys
chmod 600 /home/<USERNAME>/.ssh/authorized_keys
# the directory and file must belong to the new user, not root
chown -R <USERNAME>:<USERNAME> /home/<USERNAME>/.ssh
# per-user key files (this is already the OpenSSH default, so it is harmless if repeated)
echo "AuthorizedKeysFile %h/.ssh/authorized_keys" >> /etc/ssh/sshd_config
systemctl restart sshd

# The following can be uncommented if you want to add the user to sudoers.
# A drop-in file under /etc/sudoers.d is safer than editing /etc/sudoers in place,
# and visudo -c checks the syntax before sudo tries to parse it.
#echo "<USERNAME> ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/<USERNAME>
#chmod 440 /etc/sudoers.d/<USERNAME>
#visudo -cf /etc/sudoers.d/<USERNAME>
#cp /etc/sudoers /etc/sudoers.bak
#echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
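The same per-person provisioning can be expressed as cloud-init user-data instead of a hand-written bash bootstrap, which scales to several operators and avoids the chmod/chown ordering mistakes. The following is an added example, not the post's own script: it validates each OpenSSH public key (decoding the base64 blob and checking that it begins with a length-prefixed copy of the declared key type, which catches truncated keys and pasted private-key material) and then renders a #cloud-config document with one account, one key and an optional per-user sudo rule per operator. The operator names, the example.test comments and the constructed ed25519 key bytes are assumptions for the demo. Leaving "default" out of the users list is what tells cloud-init not to create the image's default user (ec2-user on Amazon Linux) on first boot, which is one way to get rid of the shared-key login path without deleting it afterwards.

```python
# Added example (not the post's bootstrap script): generate cloud-init
# user-data that provisions one account per operator, each with their own
# public key, instead of everyone sharing the instance key pair.
import base64
import binascii
import json
import struct

# Key types accepted into authorized_keys; extend as your policy allows.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def validate_public_key(line: str) -> bool:
    """Return True if `line` is a well-formed OpenSSH public key.

    The base64 blob of every OpenSSH public key begins with a
    length-prefixed copy of the key type, so decoding it and comparing
    catches truncated keys, keys whose type field was edited, and
    private-key material pasted by mistake before it reaches the host.
    """
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (type_len,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + type_len] == parts[0].encode()


def build_user_data(operators, keep_default_user=False):
    """Render a #cloud-config document from a list of operator dicts.

    Each dict has "name", "public_key" and an optional "sudo" flag.
    JSON is valid YAML, so json.dumps yields a cloud-config document
    without a YAML dependency. Omitting "default" from the users list
    tells cloud-init not to create the image's default user (ec2-user
    on Amazon Linux), removing the shared-key login path on first boot.
    """
    users = ["default"] if keep_default_user else []
    for op in operators:
        if not validate_public_key(op["public_key"]):
            raise ValueError(f"rejecting malformed key for {op['name']}")
        entry = {
            "name": op["name"],
            "shell": "/bin/bash",
            "lock_passwd": True,  # key-only login, no password auth
            "ssh_authorized_keys": [op["public_key"].strip()],
        }
        if op.get("sudo"):
            # One sudo rule per person keeps the audit trail tied to a name.
            entry["sudo"] = "ALL=(ALL) NOPASSWD:ALL"
        users.append(entry)
    return "#cloud-config\n" + json.dumps({"users": users}, indent=2) + "\n"


def constructed_ed25519_key(comment="alice@example.test"):
    """Build a syntactically valid ed25519 public key from fixed bytes.

    Constructed for the example only: the 32-byte 'point' is a counter,
    not a real key, but the wire format is exactly what ssh-keygen emits.
    """
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_user_data(text):
    """Parse a rendered document back (for checks); strips the #cloud-config header."""
    return json.loads(text.split("\n", 1)[1])


if __name__ == "__main__":
    operators = [
        {"name": "alice", "public_key": constructed_ed25519_key("alice@example.test"), "sudo": True},
        {"name": "bob", "public_key": constructed_ed25519_key("bob@example.test")},
    ]
    print(build_user_data(operators))
```

Paste the printed document into the instance's User Data field (it must start with the #cloud-config line). Because each operator logs in under their own name, sudo and auth logs now identify who did what, and revoking one person means removing one entry rather than rotating a key everybody holds.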