Let’s dive into the EC2 Key Pairs and unravel how they facilitate secure access to EC2 instances.
Understanding EC2 Key Pairs:
When provisioning an EC2 instance, users have the option to create an EC2 Key Pair, which comprises a private key and a public key. The private key is downloaded onto the user’s machine upon creation, while AWS retains a copy of the public key.
During SSH authentication, the client proves possession of the private key to the EC2 instance, which checks that proof against the public key stored in the login user's ~/.ssh/authorized_keys file on the root EBS volume. Only a holder of the matching private key can therefore log in. Safeguarding the private key is paramount, since its compromise allows unauthorized access to every instance that trusts it. A lost private key cannot be recovered from AWS, because AWS stores only the public half. Users can also generate a key pair outside AWS and import just the public key.
Key Pair Deletion:
Deleting a Key Pair from the EC2 console removes only AWS's stored copy of the public key; it does not change the EC2 instances themselves, and the public key stays in authorized_keys on every instance that was launched with that Key Pair. Launching an AMI that already carries one public key with a new Key Pair results in both keys being accepted for SSH authentication.
Responding to Compromised Private Keys:
In the event of a compromised private key, swift action is required. Begin by removing every entry for the compromised public key from the authorized_keys file on all affected EC2 instances. Then create a new Key Pair and add its public key to the authorized_keys file on each relevant instance. The SSM Run Command utility lets you automate both steps across a fleet of instances.
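As an added example (not code from the original article or from AWS), here is the edit an SSM Run Command script would perform on each instance: drop every authorized_keys entry carrying the compromised public key, regardless of its options or comment, and append the replacement key once. The same function applies unchanged when the file lives on a root volume mounted under another path, as in the EBS volume swap recovery method. The key material, user name and paths are constructed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line: str):
    """Return (key_type, base64_blob) for one authorized_keys line.

    Options such as 'no-pty' or 'from=...' may precede the key type, and a
    free-form comment may follow the blob; both are ignored so that the same
    key is recognised however it was written. Blank and '#' lines yield None.
    (Quoted options containing spaces are not handled by this simple split.)
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    for i, token in enumerate(parts[:-1]):
        if token.startswith(KEY_TYPE_PREFIXES):
            return (token, parts[i + 1])
    return None


def rotate_authorized_keys(text: str, compromised: list[str], replacement: str) -> str:
    """Remove all entries matching any compromised key, add the replacement once."""
    bad = {key_identity(k) for k in compromised} - {None}
    new_id = key_identity(replacement)
    kept, already_present = [], False
    for line in text.splitlines():
        ident = key_identity(line)
        if ident in bad:
            continue  # the compromised key is dropped whatever options or comment it carried
        if ident == new_id:
            already_present = True  # idempotent: running twice does not duplicate the key
        kept.append(line)
    if not already_present:
        kept.append(replacement.strip())
    return "\n".join(kept) + "\n"


def rotate_file(path: str, compromised: list[str], replacement: str) -> None:
    """Rewrite an authorized_keys file atomically, keeping sshd's required 0600 mode."""
    target = Path(path)
    new_text = rotate_authorized_keys(target.read_text(), compromised, replacement)
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_text(new_text)
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
    os.replace(tmp, target)


# Constructed sample file; the base64 blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECOMPROMISED0000000000000000 old-laptop
no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLEOTHER0000000000000000000000000000 deploy-bot
"""
COMPROMISED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECOMPROMISED0000000000000000"
REPLACEMENT_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEREPLACEMENT000000000000000 new-laptop"


def demo() -> str:
    """Run the rotation against a copy of the sample under a temporary 'mounted root'."""
    with tempfile.TemporaryDirectory() as mount_root:  # stands in for / or /mnt/recovery
        ssh_dir = Path(mount_root) / "home" / "ec2-user" / ".ssh"
        ssh_dir.mkdir(parents=True)
        keys_file = ssh_dir / "authorized_keys"
        keys_file.write_text(SAMPLE_AUTHORIZED_KEYS)
        rotate_file(str(keys_file), [COMPROMISED_KEY], REPLACEMENT_KEY)
        rotate_file(str(keys_file), [COMPROMISED_KEY], REPLACEMENT_KEY)  # second run is a no-op
        return keys_file.read_text()


if __name__ == "__main__":
    print(demo())
```

The function compares entries by key type and blob rather than by whole line, so a compromised key that was added with options or a different comment is still removed; the temporary-file-and-rename write avoids leaving a half-written authorized_keys if the command is interrupted.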
Deeper understanding of EC2 Instance Connect
Picture this: you have an EC2 instance reachable via its public IP, and on it the EC2 Instance Connect agent runs to facilitate secure SSH connections. When you initiate an SSH connection through EC2 Instance Connect, whether via the EC2 console or the CLI, the EC2 Instance Connect API comes into play. It generates a one-time key pair whose public key is valid for only 60 seconds and pushes that public key into the EC2 instance metadata.
As part of the SSH process, the EC2 instance SSH daemon checks both the authorized keys file and the instance metadata for authorized keys. Since the EC2 Instance Connect service has injected the public key into the instance metadata, SSH authentication succeeds, granting access to the instance.
To enable EC2 Instance Connect, ensure that port 22 (SSH) is open inbound in the EC2 instance's security group. The source should be restricted to the AWS IP range for the EC2 Instance Connect service in your region, which is published in the AWS IP ranges file (ip-ranges.json) under the service name EC2_INSTANCE_CONNECT.
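An added example (not from the original article or from AWS) of the two checks a practitioner wants here: pull the EC2_INSTANCE_CONNECT prefixes for one region out of ip-ranges.json, then audit a security group's inbound SSH rules to see which sources fall inside that range and which are open to the world. The JSON below is a constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json with documentation addresses, not real AWS prefixes, and the rule list is a constructed shape rather than boto3 output.

```python
import ipaddress
import json

# Constructed excerpt in the layout of ip-ranges.json (prefixes are not real AWS ranges).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/26", "region": "eu-west-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/27", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
    ],
})


def instance_connect_prefixes(ip_ranges_json: str, region: str) -> list[str]:
    """CIDRs that the EC2 Instance Connect service uses in the given region."""
    data = json.loads(ip_ranges_json)
    return sorted(
        p["ip_prefix"]
        for p in data["prefixes"]
        if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region
    )


def audit_ssh_rules(rules: list[dict], allowed_prefixes: list[str]) -> list[tuple[str, str]]:
    """Classify each inbound rule on port 22.

    rules: constructed list of {"port": int, "cidr": str} entries.
    Returns (cidr, verdict) where verdict is one of
    'instance-connect' (source lies inside an allowed prefix),
    'open-to-world'    (0.0.0.0/0 or ::/0), or
    'other'            (some other source, e.g. a corporate range).
    """
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    findings = []
    for rule in rules:
        if rule["port"] != 22:
            continue
        source = ipaddress.ip_network(rule["cidr"])
        if any(source.version == a.version and source.subnet_of(a) for a in allowed):
            verdict = "instance-connect"
        elif source.prefixlen == 0:
            verdict = "open-to-world"
        else:
            verdict = "other"
        findings.append((rule["cidr"], verdict))
    return findings


# Constructed security group rules: one correct, one too broad, one unrelated.
SAMPLE_RULES = [
    {"port": 22, "cidr": "198.51.100.32/27"},  # inside the eu-west-1 Instance Connect range
    {"port": 22, "cidr": "0.0.0.0/0"},         # SSH open to the internet
    {"port": 443, "cidr": "0.0.0.0/0"},        # HTTPS, not in scope for this check
]

if __name__ == "__main__":
    prefixes = instance_connect_prefixes(SAMPLE_IP_RANGES, "eu-west-1")
    for cidr, verdict in audit_ssh_rules(SAMPLE_RULES, prefixes):
        print(f"{cidr:20} {verdict}")
```

In practice you would feed the function the downloaded ip-ranges.json and the rule set returned by describe-security-groups; the audit flags a rule as compliant only when its source sits wholly inside a published Instance Connect prefix, so a rule that merely overlaps the range is reported as 'other'.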
Losing access to your EC2 instance due to a lost SSH key pair can be a stressful situation, but there are several methods to regain access. Let’s explore a few of them:
1. EC2 User Data:
Utilize the EC2 User Data feature to add a new public key to your instance. Simply create a new key pair, stop the instance, update the EC2 User Data with the new public key, and start the instance again. This method adds authorized keys without deleting existing ones.
2. Systems Manager:
Leverage Systems Manager automation to create and store a new key pair. Run an automation, such as AWSSupport-ResetAccess, to generate a new key pair, store the private key in Parameter Store, and add the corresponding public key to the instance. Retrieve the private key from Parameter Store to regain access.
3. EC2 Instance Connect Service:
If your instance has the EC2 Instance Connect agent installed, use the EC2 Instance Connect Service. Connect to the instance via EC2 Instance Connect, and then write a new SSH public key to the authorized keys file, enabling direct connection from your computer.
4. EBS Volume Swap:
Use the EBS Volume Swap technique for a more involved solution. Create a new key pair, stop the original instance, detach its EBS root volume, and attach it to a new instance. Mount the volume there, modify the authorized keys file on it, detach it, reattach it to the original instance as the root device, and restart the instance to regain access.
Recovering a Windows EC2 instance with a lost password is a manageable task. Let’s explore several methods to regain access:
1. EC2Launch v2 Service:
- If the Windows AMI utilizes the EC2Launch v2 service, simply detach the EBS root volume and attach it to a temporary EC2 instance running Windows.
- Delete the “run-once” file on the secondary volume to prompt the old EC2 instance to reset, believing it’s the first boot.
- Reattach the volume, restart the instance, and set a new password when prompted, effectively recovering access.
2. EC2Config Service (for older AMIs):
- For older Windows AMIs (pre-Windows Server 2016) using the EC2Config service, create a new EC2 instance.
- Modify the EC2Config configuration XML file to enable the Ec2SetPassword setting.
- Restart the previous instance, set a new password when prompted, and regain access to the EC2 instance.
3. EC2Launch (for Windows Server 2016 and later AMIs):
- For AMIs using EC2Launch but not upgraded to EC2Launch v2, download and install the EC2Rescue Tool for Windows Server.
- Utilize the “Reset Administrator Password” option in the EC2Rescue Tool to reset the administrator password.
- Reattach the volume to the previous EC2 instance, restart it, and access the instance with the new admin password.
4. Systems Manager (SSM):
- Ensure the EC2 instance running Windows has the SSM Agent installed.
- Use one of several Systems Manager methods:
  - AWSSupport-RunEC2RescueForWindowsTool: installs the EC2Rescue Tool and uses it to reset access.
  - AWSSupport-ResetAccess Automation document: automated access reset.
  - AWS-RunPowerShellScript Run Command document: sets the administrator password to a predefined value, such as “Password@123”.