How to connect to AWS EC2 serial console without access keys

My goal is to connect to the serial console of an EC2 instance, using SSH, e.g. from a laptop, using the best modern security practices in setting it up.

The AWS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-serial-console.html) says that IAM User access keys should be avoided when possible (because they are too long-lived, so they're attractive to attack, and cause overhead in rotating and protecting them). One of the alternate methods that it documents is pushing an SSH public key so that the serial console service will accept the corresponding SSH private key -- for a limited time. That all seems to make sense.

To run the AWS CLI to push the public key (aws ec2-instance-connect send-serial-console-ssh-public-key ...), it appears that the AWS CLI profile (in the config or credentials file) must contain IAM access keys corresponding to an IAM User who has the necessary permissions granted:

  • when I run the CLI command with no access keys, it fails with

Unable to locate credentials. You can configure credentials by running "aws configure".

  • when I run the CLI command specifying a profile which contains access keys that belong to an IAM User, but that user does not have the permissions, it fails with

An error occurred (AccessDeniedException) when calling the SendSerialConsoleSSHPublicKey operation: User: arn:aws:iam::{my_AWS_account}:user/{my_IAM_user} is not authorized to perform: ec2-instance-connect:SendSerialConsoleSSHPublicKey on resource: arn:aws:ec2:us-west-2:{my_AWS_account}:instance/{my_EC2_instance} because no identity-based policy allows the ec2-instance-connect:SendSerialConsoleSSHPublicKey action

  • when I run the CLI command with a profile that contains the access keys of an IAM User who does have the necessary permissions, it succeeds

So it seems I should just do the third way. But if the whole point of pushing SSH keys is to cut down on the use of IAM access keys, I haven't achieved that -- at best I've only pushed the access keys one step earlier in the process.

So what is the right way to do this?


In case anyone stumbles on this while pursuing a similar question, here is what seems to be the answer:

Use federation.

More specifically, avoid assigning IAM Users, which will have access keys, to human users; instead, have those humans federated in from your corporate auth system (and I assume, grant permissions to them using IAM Roles).

There is even a section of the IAM User Guide that sheds light on this: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html .
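Worked example added to this answer (it is not code posted by either participant or by AWS): a small POSIX shell script that ties the federation advice to the question's procedure. It assumes AWS CLI v2 and OpenSSH are installed and that the CLI profile is backed by IAM Identity Center (or any other assumed role) rather than by IAM user keys; the profile name `serial-ops`, the account id `111122223333`, the role name `SerialConsoleOperator` and the start URL are hypothetical. Before pushing a key it calls `sts get-caller-identity` and refuses to continue unless the returned ARN is an `assumed-role` session, so it cannot silently fall back to long-lived keys in `~/.aws/credentials`; it then generates a throwaway key pair, pushes the public half with `send-serial-console-ssh-public-key`, and connects within the 60-second window the serial console honours the key.

```shell
#!/bin/sh
# Added example, not part of the original thread. Connect to an EC2 serial
# console using a federated CLI profile (no IAM user access keys anywhere).
#
# Hypothetical profile in ~/.aws/config (assumption: IAM Identity Center):
#
#   [profile serial-ops]
#   sso_session    = corp
#   sso_account_id = 111122223333
#   sso_role_name  = SerialConsoleOperator
#   region         = us-west-2
#
#   [sso-session corp]
#   sso_start_url = https://example.awsapps.com/start
#   sso_region    = us-west-2
#
# `aws sso login --profile serial-ops` obtains temporary role credentials in
# the browser; they expire on their own and nothing long-lived is stored.

# The SSH login name the serial console expects:
# <instance-id>.port<N>@serial-console.ec2-instance-connect.<region>.aws
serial_console_target() {
    instance_id=$1; region=$2; port=${3:-0}
    printf '%s.port%s@serial-console.ec2-instance-connect.%s.aws\n' \
        "$instance_id" "$port" "$region"
}

# True when a caller-identity ARN is a role session rather than an IAM user.
is_role_session() {
    case $1 in
        arn:aws:sts::*:assumed-role/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse to proceed unless the profile resolves to an assumed role, which is
# what federation produces; IAM user keys would show up as arn:aws:iam::...:user/...
check_federated() {
    profile=$1
    caller_arn=$(aws sts get-caller-identity --profile "$profile" \
                     --query Arn --output text) || return 1
    if ! is_role_session "$caller_arn"; then
        echo "refusing: $caller_arn is not a role session;" \
             "run 'aws sso login --profile $profile'" >&2
        return 1
    fi
}

# Generate a throwaway key pair, push the public half, and open the session
# with the private half. The key directory is removed when the script exits.
connect_serial_console() {
    profile=$1; instance_id=$2; region=$3; port=${4:-0}
    check_federated "$profile" || return 1
    keydir=$(mktemp -d) || return 1
    trap 'rm -rf "$keydir"' EXIT INT TERM
    # ED25519 is accepted by EC2 Instance Connect; RSA 2048 also works.
    ssh-keygen -q -t ed25519 -N '' -f "$keydir/serial_key" || return 1
    aws ec2-instance-connect send-serial-console-ssh-public-key \
        --profile "$profile" --region "$region" \
        --instance-id "$instance_id" --serial-port "$port" \
        --ssh-public-key "file://$keydir/serial_key.pub" >/dev/null || return 1
    # The pushed key is honoured for 60 seconds only, so connect immediately.
    ssh -i "$keydir/serial_key" -o IdentitiesOnly=yes \
        "$(serial_console_target "$instance_id" "$region" "$port")"
}

# Usage: sh ec2-serial.sh <profile> <instance-id> <region> [serial-port]
if [ "$#" -ge 3 ]; then
    connect_serial_console "$@"
fi
```

The role behind the profile still needs `ec2-instance-connect:SendSerialConsoleSSHPublicKey` on the instance (the AccessDeniedException quoted in the question is exactly that permission missing), and the account must have serial console access enabled; neither of those involves an access key.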
