AWS Network & Security { Part - IV }
Using AWS Key Pairs for Secure Access : A Simple Guide
What is a Key Pairs in AWS EC2
Definition : A set of security credentials required to authenticate access to EC2 instances is called a key pair in AWS EC2.
Components : It consists of a public key and a private key.
Purpose : The key pair makes sure that the EC2 instances can only be accessed by authorized users.
Key Features of Key Pairs
Secure Access : Gives access to EC2 instances in a secure manner.
Public-Private Key Encryption : Protects communication by using asymmetric encryption.
SSH Access : frequently used to access Linux instances using SSH (Secure Shell).
Integration : For increased security, it can be combined with other AWS services.
No Passwords : Eliminates the requirement for authentication with a password.
How Key Pairs Work
Generation Process :
Public Key : The public key is generated by AWS and is kept on the EC2 instance.
Private Key : You can download the private key from AWS. Because AWS does not keep a copy, it is essential that you store it safely.
SSH Connection :
Client-Side : The SSH client (such as PuTTY or OpenSSH) is used to establish a connection with an EC2 instance.
Private Key Usage : An encryption request for a session initiation is made by the SSH client using the private key.
Public Key Verification : If the private key and the saved public key match, the EC2 instance establishes a secure connection.
Session Establishment :
- Symmetric Key Exchange : Following the first verification, the SSH protocol creates a session-specific symmetric encryption key to guarantee the security of any data transferred.
Encryption and Decryption :
Data Encryption : The public key is used to encrypt data that is transferred to the EC2 instance.
Data Decryption : This data can only be decrypted with the matching private key, guaranteeing that intercepted data cannot be viewed without the private key.
Login Process :
Authorized Keys File : On Linux instances, the public key is added to the
~/.ssh/authorized_keys
file of the specified user.Access Control : Only users with the private key that matches the public key in the
authorized_keys
file can log in.
Key Pair Storage :
AWS Storage : AWS stores only the public key.
User Responsibility : It is the user's responsibility to safely store and handle the private key.
No Passwords Needed :
- Key-Based Authentication : Eliminates the need for passwords, reducing the risk of password-related vulnerabilities.
Revocation and Rotation :
Key Revocation : If a private key is compromised, you can revoke access by removing the corresponding public key from the
authorized_keys
file.Key Rotation : Updating key pairs on a regular basis reduces the possibility of key compromise. The following blogs will provide us with important updates. How can we make a new key and attach it to the EC2 instance, for instance, if we delete the original key file by any chance?
Creating a Key Pair During Instance Launch
AWS Management Console :
Step 1 : Launch Instance :
Go to the EC2 dashboard.
Click on "Launch Instance".
Step 2 : Choose an Amazon Machine Image (AMI) :
- Select an AMI that suits your needs (e.g., Amazon Linux 2, Ubuntu).
Step 3 : Choose an Instance Type:
- Select the instance type (e.g., t2.micro).
Step 4 : Configure Key Pair :
Create a New Key Pair:
select "Create new key pair".
Provide a name for your key pair.
Choose the key pair file format:
PEM (for SSH clients).
PPK (for PuTTY).
Click on "Create key pair".
Download the private key file (.pem or .ppk). Save it securely, as you won't be able to download it again.
Use an Existing Key Pair:
If you already have a key pair, you can select it from the "Key pair name" dropdown list.
You can create the Key pair by navigate to the EC2 dashboard, choose "Key Pairs," and create a new key pair.
Step 5 :
Configure other details :
- Like security groups , storage , number of instances, advance details.
Best practices for Key Pairs
Secure Storage :
Encryption : Use tools like AWS KMS or other third-party solutions to store private keys in an encrypted format.
Access Control : Limit who has access to the private key to those who actually need it.
Regular Rotation :
Schedule Key Rotations : Rotate important pairs on a regular basis to reduce the chance of long-term exposure.
Automate Rotation : To automate key distribution and rotation, use tools or scripts.
Backup :
Secure Backup : Private key backups should be stored in safe, encrypted places.
Disaster Recovery : Make sure your disaster recovery plan includes backups.
Access Control :
Least Privilege Principle : Give people only the minimal amount of rights they need to complete their tasks.
IAM Policies : To restrict who can generate, use, and maintain key pairs, utilize AWS IAM policies.
Monitoring and Auditing :
Log Access : To keep track of who accesses and uses your key pairs, enable logging.
Review Logs : Check logs on a regular basis for any odd or unwanted access attempts.
Key Pair Management :
Tagging : To make managing key pairs easier, use tags to identify and arrange them.
Documentation : Keep records of the creation dates and usage contexts for each key pair.
Environment Segregation :
Separate Keys for Different Environments : To isolate access, use different key pairs for development, testing, and production environments.
Project-specific Keys : Limit the scope of access by creating key pairs that are unique to teams or projects.
Emergency Access Procedures :
Backup Admin Key : Maintain a safe backup pair of administrative keys for access in case of emergency.
Emergency Plans : Create and record protocols for handling compromised key pairs.
Avoid Hardcoding Keys :
Configuration Management : Instead of hardcoding keys into scripts or apps, use configuration management technologies to control key distribution.
Environment Variables : Save key paths in secure configuration stores or environment variables.
Use Cases
SSH Access : Secure SSH access to EC2 instances running Linux/Unix.
Remote Administration : Remote server management and administration.
Automated Scripts : Deployment scripts that are automated yet need protected access.
Multi-Factor Authentication : Multi-factor authentication for instance access enhances security.
Pros and Cons
Pros :
Enhanced Security : Offers a high degree of protection while gaining access to instances.
Simplicity : Easy to set up and use.
No Passwords : Reduces the risk of password-related attacks.
Cons :
Key Management : Requires that private keys be handled and stored with caution.
Loss of Key : You risk being locked out of the instance if you misplace the private key.
Initial Setup : Requires initial setup and configuration.
Conclusion
Summary : EC2 instances must be accessed securely using AWS Key Pairs, which use public-private key encryption for strong security.
Recommendation : Make key pairs a crucial component of your cloud security plan by sticking to best practices to ensure their safe and effective use.