Reputation: 13
Is there a way to manage (add/delete) multiple users in multiple AWS EC2 linux instances
I realize this is a common question but after browsing around, I decided it was worth asking fresh. Any suggestions related to the topic are welcome
We are working with AWS Ec2 Linux instances. Our current process to provide access to the instances:
- Creation of AWS Ec2 instance with existing/new pem file for EC2-user
- ssh into the server using ec2-user pem file and public IP
- Create individual users and private and public keys for the user
- Share the private key to the user
- User ssh into the Linux server using their own user and private pem key through terminal or putty
This is a very tedious process to manage the Linux users, wherein, the users are removed/created for all the servers manually again.
What I want to achieve is using the AWS IAM user and group, a user can ssh into the Ec2 instances with individual's pem. Similarly, when the user is to be deleted, upon deletion from the AWS account, the user's account is deleted from the Ec2 instances as well.
Kindly comment if there are any additional queries related to the above
Thanks in advance
Upvotes: 1
Views: 1193
Answers (2)
Reputation: 3324
If all users can connect to the instance using the same local account but each user with their own key pair and you don't mind having a two-step process for connection (one that implies using the AWS CLI). Then you might want to have a look into EC2 Instance Connect.
This works for all Amazon Linux 2 and Ubuntu 16.04+ instances. It might be supported for other AMI but you would have to do some research.
If you decide to use that approach, you'll have to set up some things for all instances (including an IAM policy that authorizes users to push a public key to the instances). But the process is pretty much straight forward. I think you'll need AWS CLI 1.18+ to be able to push your keys but I'm not sure.
Once everything is in place. A user can push a public key to the instance he wants to connect with and that key will be valid for 60 seconds, giving the user enough time to connect to the instance.
The process looks like this.
You push your public key to the instance with:
$ aws ec2-instance-connect send-ssh-public-key \
--instance-id i-001234a4bf70dec41EXAMPLE \
--availability-zone us-west-2b \
--instance-os-user ec2-user \
--ssh-public-key file://my_rsa_key.pub
Then in a 60 seconds time frame, you can connect to the instance with:
ssh -o "IdentitiesOnly=yes" -i my_rsa_key [email protected]
More info can be found here: https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::863239526838:policy/test-ec2-connect$jsonEditor
Once you deactivate or delete a user, they will no longer be able to push their keys to the instances thus will not be able to connect to it.
There's a little overhead to set up the instances but you end up saving time overall and you have to manage users only in one place which is a significant gain.
Upvotes: 2
Reputation: 17655
You can do this all in simply way with AWS Organisation service.
Through AWS Organisation , you can create multiple User Accounts , Centralised Governance.
You can apply Service Control Policies (SCP's) to ensure that users in your accounts only perform actions that meet your security and compliance requirements.
You can Automate User Creation, Assigning User to Group , Assigning Role
Upvotes: 0
Related Questions
- EC2 Create new Linux user(s) with their OWN Key Pairs?
- How do you give access to several users to one EC2 instance?
- How to manage EC2 key pairs for multiple users?
- elastic beanstalk ssh - multiple users
- How to manage multiple IAM users on a single EC2 instance?
- Multiple users connecting to AWS EC2 via SSH
- User creation in EC2 instances
- Creating EC2 Access w/ PEM Keys For Other Users
- Managing multiple AWS accounts on the same computer
- How best to have many users control EC2 instances?