EC2 & SSH - When Your Private Key Isn't So Private

EC2 & SSH - When Your Private Key Isn't So Private

Houston, We Have A Problem

AWS makes it super easy to SSH into an instance by giving you the option the create a new SSH Key Pair for you on the fly. In fact the very last step in creating an EC2 instance is assigning a Key Pair. So now with your Key Pair assigned and your instance up and running, you're ready to start handing out your Private Key to all employees who need to login to the instance!

Ummmm.... what?? While AWS makes it easy to SSH into an EC2 instance, the practice of only having one SSH Key per instance is inherently insecure and goes against everything we know about RBAC and IAM. Not only does one private SSH Key for all not allow for any accountability between users, but anyone logging in with the default ec2-user profile can sudo su to elevate privilege's which is just one more problem with this scenario.

Don't Share 'Private' Keys

In a nutshell the solution is to create a new user(s), import their Public Key, and add the user to the sudoers group if necessary. For extra security after you verify the new users are working you can delete the ec2-user profile from the machine. The following can be run directly from the "User Data" section as a Bootstrap Script when creating a new instance.

# replace <USERNAME> with the name of your user
# create the user
sudo adduser <USERNAME>

# cd to the new users account
sudo su - <USERNAME>

# Create a .ssh directory to place the authorized_keys
mkdir /home/<USERNAME>/.ssh

# Change the permissions of the .ssh directory to 700
chmod 700 /home/<USERNAME>/.ssh/

# create a file named authorized_keys in the .ssh directory
touch /home/<USERNAME>/.ssh/authorized_keys

# add the Public Key to the authorized_keys file
echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQB8X9ZxLue5Q4tjV2cjWR7dSSgx4GNdeXhB/ki1K4biD4qYo+BeB4x7Ryoy5Bu6NnJSFqXEDmigJs49p940rHi/crDB5tSTp4c+03kBEl5Rx9UVV8dEq0/c4ChOnk/rT9vz0xTja1HUDMpPx3hol/bOa3crl6Q1m38HHg2rNqb+WAJ/laBxDNpaPHN67S/i3+DREyCwTOFa6nasoFBAcs+3DMSqHo6FoTO/W7Zd6pAtlHrj8Gg9Ofy7m+6+PxKsPBAQtpPDp0Yx4h+2M39gcddVnNbg7Hu72O9VC6D9rWng9AO1h21Ngx4SpSpjtLY1wE14zbDyg5Ahwp6BDoCDl/h7 <USERNAME> > /home/<USERNAME>/.ssh/authorized_keys

chmod 600 /home/<USERNAME>/.ssh/authorized_keys

chown $USER:$USER ~/.ssh -R

sudo su -
echo AuthorizedKeysFile %h/.ssh/authorized_keys >> /etc/ssh/sshd_config
systemctl restart sshd

# The following can be uncommented if you want to add user to sudoers
#sudo su
#cp /etc/sudoers /etc/sudoers.bak
#echo "<USERNAME> ALL=(ALL)NOPASSWD:ALL" >> /etc/sudoers
#echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers