My goal is to connect to the serial console of an EC2 instance, using SSH, e.g. from a laptop, using the best modern security practices in setting it up.

The AWS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-serial-console.html) says that IAM User access keys should be avoided when possible (because they are too long-lived, so they're attractive to attack, and cause overhead in rotating and protecting them). One of the alternate methods that it documents is pushing an SSH public key so that the serial console service will accept the corresponding SSH private key -- for a limited time. That all seems to make sense.

To run the AWS CLI to push the public key (aws ec2-instance-connect send-serial-console-ssh-public-key ...), it appears that the AWS CLI profile (in the config or credentials file) must contain IAM access keys corresponding to an IAM User who has the necessary permissions granted:

  • when I run the CLI command with no access keys, it fails with

Unable to locate credentials. You can configure credentials by running "aws configure".

  • when I run the CLI command specifying a profile which contains access keys that belong to an IAM User, but that user does not have the permissions, it fails with

An error occurred (AccessDeniedException) when calling the SendSerialConsoleSSHPublicKey operation: User: arn:aws:iam::{my_AWS_account}:user/{my_IAM_user} is not authorized to perform: ec2-instance-connect:SendSerialConsoleSSHPublicKey on resource: arn:aws:ec2:us-west-2:{my_AWS_account}:instance/{my_EC2_instance} because no identity-based policy allows the ec2-instance-connect:SendSerialConsoleSSHPublicKey action

  • when I run the CLI command with a profile that contains the access keys of an IAM User who does have the necessary permissions, it succeeds

So it seems I should just do the third way. But if the whole point of pushing SSH keys is to cut down on the use of IAM access keys, I haven't achieved that -- at best I've only pushed the access keys one step earlier in the process.

So what is the right way to do this?

1 Answer

In case anyone stumbles on this while pursuing a similar question, here is what seems to be the answer:

Use federation.

More specifically, avoid assigning IAM Users, which will have access keys, to human users; instead, have those humans federated in from your corporate auth system (and I assume, grant permissions to them using IAM Roles).

There is even a section of the IAM User Guide that sheds light on this: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
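Putting the question's procedure (push a short-lived SSH key, then SSH to the serial console endpoint) together with the answer's recommendation (federate instead of handing out access keys), here is an added example script; it is not from the original question or answer and not from AWS. The profile name `serial-admin`, the SSO start URL, account ID, role name, region `us-west-2`, instance ID, and the `SERIAL_CONSOLE_LIVE` switch are all placeholders chosen for the example. The serial console SSH target format (`<instance-id>.port<N>@serial-console.ec2-instance-connect.<region>.aws`) and the CLI invocations are the ones documented by AWS.

```shell
#!/bin/sh
# Added example (not from the page or from AWS): connect to the EC2 serial
# console with a throwaway SSH key, using a federated (IAM Identity Center)
# CLI profile so that no long-lived IAM user access keys exist anywhere.
# Placeholders (assumptions): profile "serial-admin", start URL, account ID,
# role name, region us-west-2, instance i-0123456789abcdef0.
set -eu

# SSH target for the serial console: user is "<instance-id>.port<N>",
# host is the regional serial console endpoint. Port 0 is the one the
# EC2 serial console exposes.
serial_console_target() {
  instance_id="$1"; region="$2"; port="${3:-0}"
  printf '%s.port%s@serial-console.ec2-instance-connect.%s.aws\n' \
    "$instance_id" "$port" "$region"
}

# Write an AWS CLI config that gets credentials through IAM Identity Center
# (federation). Note there is no aws_access_key_id / aws_secret_access_key.
write_federated_profile() {
  cat > "$1" <<'EOF'
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile serial-admin]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = SerialConsoleOperator
region = us-west-2
EOF
}

# Guard: succeed (exit 0) if the config file still carries static access
# keys, which is exactly what the question was trying to get rid of.
profile_has_static_keys() {
  grep -qiE '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=' "$1"
}

# Live path (needs aws, ssh-keygen, ssh and a real instance): generate a
# fresh key pair, push the public half (the serial console accepts it for
# a limited time), open the console, then discard the key pair.
connect_serial_console() {
  profile="$1"; instance_id="$2"; region="$3"; port="${4:-0}"
  tmp="$(mktemp -d)"
  ssh-keygen -t ed25519 -N '' -q -f "$tmp/id_ed25519"
  aws --profile "$profile" --region "$region" \
    ec2-instance-connect send-serial-console-ssh-public-key \
    --instance-id "$instance_id" --serial-port "$port" \
    --ssh-public-key "file://$tmp/id_ed25519.pub"
  ssh -i "$tmp/id_ed25519" "$(serial_console_target "$instance_id" "$region" "$port")"
  rm -rf "$tmp"
}

# Only the live run touches the network; set SERIAL_CONSOLE_LIVE=1 to use it.
if [ "${SERIAL_CONSOLE_LIVE:-0}" = "1" ]; then
  cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  if profile_has_static_keys "$cfg"; then
    echo "refusing to run: $cfg contains static access keys" >&2
    exit 1
  fi
  aws sso login --profile serial-admin   # browser-based federation, short-lived token
  connect_serial_console serial-admin i-0123456789abcdef0 us-west-2
fi
```

Before this works, serial console access has to be enabled for the account (`aws ec2 enable-serial-console-access`), and the federated role needs `ec2-instance-connect:SendSerialConsoleSSHPublicKey` on the instance, which is the same permission the AccessDeniedException above complains about. The only credential that ever lands on the laptop is the short-lived SSO token plus a key pair that exists for one session.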
