EIC Endpoint: EC2 Instance access simplified

Authors: Sangita Sahoo, Solution Architect, Stovl Consulting; Saravanan Mani, VP Technology, Stovl Consulting


AWS offers two key services for reaching and managing EC2 instances inside a VPC from the public internet:

  1. EC2 Instance Connect and
  2. AWS Systems Manager Session Manager (SSM)

Securely reaching an instance in a private subnet from the internet used to be either expensive or fraught with operational overhead (a bastion host to run and patch, or agents and NAT to keep working). To simplify this, AWS launched the EC2 Instance Connect Endpoint (EIC Endpoint).


EC2 Instance access options from the AWS Console:

EC2 Instance Connect uses IAM credentials to push a one-time SSH public key to the instance (the key is accepted for 60 seconds), so long-lived SSH keys are unnecessary.

SSM (Session Manager) uses IAM for authentication and authorization. Connectivity is agent-based: the SSM Agent on the instance opens an outbound connection to the Systems Manager service, so no inbound port is opened, no bastion host is maintained, and no SSH keys are managed.

To reach an instance in a public subnet with EC2 Instance Connect, the instance needs a public IP address and an inbound SSH rule in its security group. To reach an instance in a private subnet, you need a bastion host, and for SSM the agent needs outbound reachability to the Systems Manager service (via a NAT Gateway or VPC endpoints).


What is the EIC Endpoint?

In June 2023, AWS launched a new feature called EIC Endpoint (EC2 Instance Connect Endpoint). In the console it appears as a 'Connection Type' option ("Connect using EC2 Instance Connect Endpoint") on the EC2 Instance Connect tab.

With an EIC Endpoint you no longer need an Internet Gateway (IGW) in the VPC, a public IP address, a bastion host, or any agent on the instance. The endpoint is placed in a subnet of the VPC with its own security group, and it relays a TCP tunnel from an IAM-authenticated caller to the instance's private IP address.
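The two controls that replace the bastion host are the instance security group (it must admit the tunnel port only from the endpoint's security group) and an IAM policy on the `ec2-instance-connect:OpenTunnel` action. The following is an added example, not code from the original article or from AWS: it builds the ingress rule parameters for `authorize_security_group_ingress`, a least-privilege IAM policy using the documented OpenTunnel condition keys, and an OpenSSH config stanza that uses the AWS CLI's `open-tunnel` subcommand as `ProxyCommand`. The endpoint ARN, security-group ids, CIDR and OS user are placeholders; the RFC 1918 requirement on the target CIDR is this example's own rule.

```python
"""Two-layer access control for an EC2 Instance Connect Endpoint.

Added example (not code from the original article). The endpoint ARN,
security-group ids, CIDR and user names are placeholders; the IAM action
and condition keys are the ones documented for OpenTunnel.
"""
import ipaddress
import json

SUPPORTED_PORTS = {22, 3389}      # SSH and RDP, the ports the tunnel serves
MAX_TUNNEL_SECONDS = 3600         # service maximum for maxTunnelDuration
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def instance_ingress_rule(endpoint_sg_id, ports=(22,)):
    """Network layer: IpPermissions for authorize_security_group_ingress on the
    *instance* security group. Traffic is admitted only from the endpoint's
    security group, so no CIDR (and never 0.0.0.0/0) is opened."""
    bad = set(ports) - SUPPORTED_PORTS
    if bad:
        raise ValueError(f"ports not served by EIC Endpoint: {sorted(bad)}")
    return {
        "IpPermissions": [
            {
                "IpProtocol": "tcp",
                "FromPort": p,
                "ToPort": p,
                "UserIdGroupPairs": [
                    {"GroupId": endpoint_sg_id, "Description": "EIC Endpoint tunnel"}
                ],
            }
            for p in sorted(ports)
        ]
    }


def open_tunnel_policy(endpoint_arn, target_cidr, ports=(22,),
                       max_seconds=MAX_TUNNEL_SECONDS, os_user="ec2-user"):
    """Identity layer: least-privilege IAM policy for one endpoint. The
    conditions pin the caller to approved private targets, approved ports and
    a bounded tunnel lifetime; the one-time SSH key may only be pushed for the
    named OS user."""
    net = ipaddress.ip_network(target_cidr)   # strict: host bits must be zero
    if net.version != 4:
        raise ValueError("EIC Endpoint tunnels to IPv4 targets only")
    if not any(net.subnet_of(r) for r in RFC1918):   # this example's own rule
        raise ValueError(f"{net} is not inside an RFC 1918 range")
    bad = set(ports) - SUPPORTED_PORTS
    if bad:
        raise ValueError(f"ports not served by EIC Endpoint: {sorted(bad)}")
    if not 1 <= max_seconds <= MAX_TUNNEL_SECONDS:
        raise ValueError("maxTunnelDuration must be between 1 and 3600 seconds")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OpenTunnelToApprovedTargets",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": str(net)},
                    "NumericEquals": {
                        "ec2-instance-connect:remotePort": [str(p) for p in sorted(ports)]},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_seconds)},
                },
            },
            {
                "Sid": "PushOneTimeSshKeyAsNamedUser",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {
                "Sid": "DescribeForCli",   # needed by `aws ec2-instance-connect ssh`
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
                "Resource": "*",
            },
        ],
    }


def ssh_config_stanza(instance_id, os_user="ec2-user"):
    """OpenSSH ~/.ssh/config block: the AWS CLI's open-tunnel subcommand acts as
    ProxyCommand, so a plain `ssh <instance-id>` works with no public IP."""
    return "\n".join([
        f"Host {instance_id}",
        f"    User {os_user}",
        "    ProxyCommand aws ec2-instance-connect open-tunnel --instance-id %h",
    ])


if __name__ == "__main__":
    arn = "arn:aws:ec2:us-east-1:123456789012:instance-connect-endpoint/eice-0123456789abcdef0"
    print(json.dumps(open_tunnel_policy(arn, "10.0.1.0/24", ports=(22, 3389)), indent=2))
    print(json.dumps(instance_ingress_rule("sg-0eice0000000000000"), indent=2))
    print(ssh_config_stanza("i-0abc1234567890def"))
```

The policy is attached to the human or role that connects; the instance's own security group gets the ingress rule, and the endpoint's security group needs nothing inbound at all. Tightening `privateIpAddress` to a /32 per host, or scoping `SendSSHPublicKey` to tagged instances, is the natural next step.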


More about EIC Endpoint:

Specification:

  • EIC Endpoint combines identity-based and network-based access controls, providing the isolation, control, and logging needed to meet your organization's security requirements. IAM authorizes each tunnel (the OpenTunnel action, which can be conditioned on the target private IP, the remote port, and the tunnel duration), and the endpoint has its own security group: the instance's security group only needs to allow inbound traffic on the tunnelled port (22 or 3389) from that endpoint security group. All attempts to connect to the instance, both successful and unsuccessful, are logged to CloudTrail as OpenTunnel events.
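Because every attempt is in CloudTrail, a detection rule can run against the records without any host-side logging. The following is an added example, not code from the original article or from AWS, of such a triage: it reports denied tunnel attempts, flags principals with repeated denials, and, more importantly, flags successful tunnels to a target or port outside the approved set, since with the IAM conditions in place those should be impossible and a hit means the policy has drifted. The records are constructed; their field names follow the CloudTrail record format for the `ec2-instance-connect.amazonaws.com` event source, and the principals, ids, addresses and allowlists are placeholders.

```python
"""Triage CloudTrail records for EC2 Instance Connect Endpoint tunnels.

Added example (not code from the original article). The records are
constructed; field names follow the CloudTrail record format for the
ec2-instance-connect event source. Principals, ids, addresses and the
allowlists are placeholders chosen for this example.
"""
import ipaddress
from collections import Counter

APPROVED_TARGETS = ipaddress.ip_network("10.0.1.0/24")   # hosts admins may reach
APPROVED_PORTS = {22, 3389}                               # SSH and RDP only
FAILURE_THRESHOLD = 3                                     # denials per principal


def _record(user, port, target, error=None, name="OpenTunnel", src="198.51.100.7"):
    """Build one constructed CloudTrail record with only the fields triage uses."""
    rec = {
        "eventSource": "ec2-instance-connect.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
        "sourceIPAddress": src,
        "requestParameters": {
            "instanceConnectEndpointId": "eice-0123456789abcdef0",
            "remotePort": port,
            "privateIpAddress": target,
            "maxTunnelDuration": 3600,
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [                                            # constructed sample
    _record("alice", 22, "10.0.1.10"),                        # normal SSH tunnel
    _record("bob", 22, "10.0.1.10", error="AccessDenied"),    # bob is not allowed ...
    _record("bob", 22, "10.0.1.11", error="AccessDenied"),
    _record("bob", 3389, "10.0.1.12", error="AccessDenied"),  # ... and keeps trying
    _record("carol", 3389, "10.0.2.7"),                       # succeeded outside approved CIDR
    _record("alice", 8080, "10.0.1.10"),                      # succeeded on a non-admin port
    _record("alice", 22, "10.0.1.10", name="DescribeInstances"),  # not a tunnel, ignored
]


def triage(records, approved_targets=APPROVED_TARGETS,
           approved_ports=APPROVED_PORTS, failure_threshold=FAILURE_THRESHOLD):
    """Return (severity, principal, reason) findings for OpenTunnel events.

    Denials are recorded as info and counted per principal; repeated denials
    become a medium finding. A *successful* tunnel to a target or port outside
    the approved set is high: the IAM conditions should have refused it, so a
    hit means the policy no longer matches the intended allowlist.
    """
    findings = []
    denials = Counter()
    for rec in records:
        if (rec.get("eventSource") != "ec2-instance-connect.amazonaws.com"
                or rec.get("eventName") != "OpenTunnel"):
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        port, target = params.get("remotePort"), params.get("privateIpAddress")
        if rec.get("errorCode"):
            denials[who] += 1
            findings.append(("info", who,
                             f"denied OpenTunnel to {target}:{port} ({rec['errorCode']})"))
            continue
        if port not in approved_ports:
            findings.append(("high", who, f"tunnel opened to non-approved port {port} on {target}"))
        if target and ipaddress.ip_address(target) not in approved_targets:
            findings.append(("high", who, f"tunnel opened to {target}, outside {approved_targets}"))
    for who, n in denials.items():
        if n >= failure_threshold:
            findings.append(("medium", who, f"{n} denied OpenTunnel attempts"))
    return findings


def by_severity(findings):
    """Count findings per severity level."""
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, who, why in triage(SAMPLE_RECORDS):
        print(f"[{sev:6}] {who}: {why}")
```

In production the records come from the CloudTrail S3 objects or a CloudWatch Logs subscription rather than the embedded list; the `sourceIPAddress` field, unused here, is the caller's address and is a second thing worth allowlisting, since the endpoint itself is reachable from anywhere the caller has IAM credentials.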

Advantages:

  • It eliminates the need to place EC2 instances in a public, internet-facing subnet.
  • It removes the cost and operational overhead of maintaining and patching a bastion host for connectivity.
  • Creating an EIC Endpoint is free of charge; only data transfer across Availability Zones is billed.
  • EIC Endpoint works with the Management Console, the AWS CLI (aws ec2-instance-connect ssh and open-tunnel), PuTTY, and OpenSSH (using the CLI's open-tunnel as ProxyCommand).

Limitations:

  • EIC Endpoint works with IPv4 addresses only; IPv6 targets are not supported.
  • The tunnel serves SSH (TCP port 22) and RDP (TCP port 3389), and a single tunnel lasts at most one hour (maxTunnelDuration is capped at 3600 seconds).


Conclusion:

EIC Endpoint provides a secure SSH or RDP connection to an instance in a private subnet without a public IP address, a bastion host, or an agent. It is best suited when your requirements demand both security and cost optimization.

