Exploring EC2 Instance Connect for SSH Connectivity Without Public IP

I am excited to introduce you to the fascinating world of EC2 Instance Connect. In this blog, we will delve into the concept of establishing secure SSH connectivity to Amazon EC2 instances without the need for a public IP address. Join me on this journey as we explore the benefits, implementation considerations, and best practices of leveraging EC2 Instance Connect to enhance security and streamline remote access to your EC2 instances. Get ready to unlock a new level of secure and efficient connectivity in the cloud!

What is EC2 Instance Connect:

EC2 Instance Connect provides a solution by allowing SSH access to EC2 instances without requiring a public IP address. Instead of relying on a public IP, EC2 Instance Connect establishes secure connections through private network paths, ensuring that access to the instance is restricted to authorized users while maintaining a high level of security. This capability is particularly useful for instances located in private subnets or network environments where isolation from the internet is crucial to mitigate potential security risks.

Possible Business Use Case:

A possible business use case for EC2 Instance Connect, where a public IP is not required for SSH connectivity, is in a highly secure environment where instances are isolated within a private network. Here’s how it can benefit businesses:

  1. Increased Security: By removing the need for a public IP, EC2 Instance Connect helps minimize the attack surface of instances. They remain inaccessible from the public internet, reducing the risk of unauthorized access, brute-force attacks, or exposure to malicious actors.
  2. Private Subnet Isolation: In secure environments, instances often reside within private subnets of a Virtual Private Cloud (VPC). EC2 Instance Connect allows SSH connections to these instances without requiring them to have a public IP address, ensuring they remain isolated and inaccessible from external networks.
  3. Controlled Access: EC2 Instance Connect leverages IAM roles and permissions for authentication and authorization. Administrators can define fine-grained policies to control who can access the instances. This enables controlled and auditable access management, enhancing security and compliance.
  4. Reduced Network Exposure: Without a public IP, instances are shielded from the internet, mitigating the risk of unauthorized network traffic and potential vulnerabilities. This setup aligns with the principle of least privilege and reduces the potential for external threats to exploit open ports or services.
  5. Simplified Connectivity: EC2 Instance Connect simplifies the SSH connectivity process by eliminating the need for managing and distributing SSH key pairs. Users can connect to instances securely using their existing AWS credentials, streamlining the access workflow and reducing administrative overhead.
  6. Secure Collaboration: In scenarios where collaboration with external parties or partners is required, EC2 Instance Connect allows secure remote access to instances without exposing them to the public internet. This enables controlled and audited collaboration while maintaining a high level of security.

Environment Details For This Walkthrough

  • A local on-premises machine outside the Amazon VPC.
  • An instance running in an Amazon VPC private subnet.

Architecture

[Figure: architecture diagram]

Pre-requisites:

  • AWS Account: You should have an active AWS account with appropriate permissions to create and manage EC2 instances, IAM roles, and IAM policies.
  • If you’re using the AWS CLI, make sure that you have configured the AWS CLI, including the credentials that it uses, and that you’re using the latest version of the AWS CLI. For more information, see Installing or updating the latest version of the AWS CLI and Configuring the AWS CLI in the AWS Command Line Interface User Guide.
  • EC2 Instances: Set up one or more Amazon EC2 instances in your desired configuration. These instances should be located within a private subnet and should not have a public IP address.
  • VPC Configuration: Create a Virtual Private Cloud (VPC) and configure the necessary subnets, route tables, and security groups to support your private subnet where the EC2 instances are deployed.
  • IAM Roles and Policies: Define and configure IAM roles with the necessary permissions to use EC2 Instance Connect. These roles should allow users to assume the role and request connections to EC2 instances.

IAM Recommendations:

  • Define Permissions: Start by identifying the specific actions and resources you want to control. For EC2 Instance Connect, the relevant actions include ec2-instance-connect:SendSSHPublicKey and ec2-instance-connect:SendSerialConsoleSSHPublicKey. Determine which instances or instance types should be accessible and limit the actions accordingly.
  • Specify Resource ARNs: To target specific resources, use Amazon Resource Names (ARNs) in your IAM policy. You can specify instance ARNs to allow access to particular instances, or use wildcards to cover multiple instances.
  • Leverage Condition Keys: Condition keys in IAM policies allow for additional control based on various factors. You can set conditions such as IP address ranges, VPC IDs, instance tags, or IAM user/role attributes to further restrict access to EC2 instances.
  • Grant IAM Role Permissions: Grant the necessary permissions to the IAM roles that users assume to connect to EC2 instances. Use the ec2-instance-connect:SendSSHPublicKey action to enable SSH access, or the ec2-instance-connect:SendSerialConsoleSSHPublicKey action for Serial Console access. Ensure that the role has the appropriate policies attached for EC2 Instance Connect actions.
  • Restrict Actions and Resources: To restrict access, use the Deny effect in your IAM policy. You can explicitly deny certain actions or resources to specific IAM users, roles, or groups. This enforces more restrictive access controls and prevents unintended access to EC2 instances.
  • Test and Verify: Before applying the IAM policy, thoroughly test it to ensure that the desired access restrictions are in place. Use different IAM users or roles to verify that the policy effectively controls access to EC2 Instance Connect.

  • EC2 Instance Connect Service Availability: Confirm that the EC2 Instance Connect service is available in the AWS Region where your EC2 instances are located. EC2 Instance Connect is available in most AWS Regions, but it’s always a good practice to verify its availability beforehand.
  • SSH Client: Set up an SSH client on your local machine or the machine from which you will be initiating the SSH connections. Ensure that the SSH client is configured and compatible with EC2 Instance Connect.

Let’s Get Started

1- Create EC2 Instance Connect Endpoint

  • In the VPC console, in the left navigation pane, click Endpoints.

  • Select “EC2 Instance Connect Endpoint” as the Service category.

  • Give the endpoint a name and select the VPC in which you want to create it, along with the subnet and the security group in which you have allowed the SSH port.

  • After clicking Create endpoint, allow it some time to become available.

  • Create an EC2 instance without a public IP association. Attach the respective subnet and security group to this EC2 instance.
  • Wait for the Instance to become available.

  • Configure your IAM access on your local machine.

You can refer to the following link for IAM policy creation.

  • You can use the IAM Roles Anywhere service to generate credentials with the required permissions.

Refer to the link mentioned for the implementation steps.

Connectivity Test

From SSH

You can use SSH to connect to your Linux instance and use the open-tunnel command to establish a private tunnel. You can use open-tunnel in single-connection or multi-connection mode.

For information about using the AWS CLI to connect to your instance using SSH, see Connect to your Linux instance using the AWS CLI.

The following examples use OpenSSH. You can use any other SSH client that supports a proxy mode.

Single connection

To allow only a single connection to an instance using SSH and the open-tunnel command

Use ssh and the open-tunnel AWS CLI command as follows. The -o ProxyCommand option wraps the open-tunnel command that creates the private tunnel to the instance.

ssh -i my-key-pair.pem ec2-user@i-0123456789example \
    -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0123456789example'

For:

  • -i – Specify the key pair that was used to launch the instance.
  • ec2-user@i-0123456789example – Specify the username of the AMI that was used to launch the instance, and the instance ID.
  • --instance-id – Specify the ID of the instance to connect to. Alternatively, specify %h, which extracts the instance ID from the user.

Multi-connection

To allow multiple connections to an instance, first run the open-tunnel AWS CLI command to start listening for new TCP connections, and then use ssh to create a new TCP connection and a private tunnel to your instance.

To allow multiple connections to your instance using SSH and the open-tunnel command

  1. Run the following command to start listening for new TCP connections on the specified port on your local machine.

aws ec2-instance-connect open-tunnel \
    --instance-id i-0123456789example \
    --local-port 8888

  2. In a new terminal window, run the following ssh command to create a new TCP connection and a private tunnel to your instance.

ssh -i my-key-pair.pem ubuntu@localhost -p 8888

From Amazon EC2 Console

You can connect to an instance from the Amazon EC2 console by selecting the instance and choosing to connect using EC2 Instance Connect; the console handles the connection setup and permissions for you.

To connect to your instance using the browser-based client from the Amazon EC2 console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Instances.
  3. Select the instance, choose Connect, and then do the following:

Note: For Max tunnel duration (seconds), enter the maximum allowed duration for the SSH connection.
The duration must comply with the maxTunnelDuration condition specified in the IAM policy. If you don't have access to the IAM policy, ask your administrator to verify it. If maxTunnelDuration is not specified in the IAM policy, enter the default, which is 3600 seconds (1 hour).

  4. A new tab opens in your browser with an SSH terminal ready for your use.
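As an added example that is not from the original post, the following Python builds a least-privilege policy for the IAM recommendations above and the maxTunnelDuration note in the console steps, then re-checks a tunnel request against that policy before you attempt it. The ec2-instance-connect:OpenTunnel action and the remotePort, maxTunnelDuration and ec2:osuser condition keys are the ones AWS documents for EC2 Instance Connect; the endpoint ARN, instance ARNs and account ID used in any call are constructed placeholders.

```python
def build_eic_policy(endpoint_arn, instance_arns, os_user="ec2-user",
                     remote_port=22, max_tunnel_seconds=3600):
    """Least-privilege policy: one endpoint, listed instances, one OS user,
    one remote port, bounded tunnel duration. ARNs are caller-supplied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Tunnel only via this endpoint, only to remote_port, never longer
                # than max_tunnel_seconds (the console's Max tunnel duration must fit).
                "Sid": "OpenTunnelScoped",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "NumericEquals": {"ec2-instance-connect:remotePort": str(remote_port)},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_tunnel_seconds)},
                },
            },
            {   # Push the one-time SSH public key only to listed instances, as os_user.
                "Sid": "PushKeyScoped",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": list(instance_arns),
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {   # Read-only lookups the CLI needs to resolve endpoint and instance.
                "Sid": "Describe",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
                "Resource": "*",
            },
        ],
    }


def tunnel_request_allowed(policy, remote_port, duration_seconds):
    """Re-check the OpenTunnel numeric conditions locally before you try a
    tunnel: True only if port and duration satisfy an Allow statement."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "ec2-instance-connect:OpenTunnel":
            continue
        cond = stmt.get("Condition", {})
        max_dur = cond.get("NumericLessThanEquals", {}).get("ec2-instance-connect:maxTunnelDuration")
        port = cond.get("NumericEquals", {}).get("ec2-instance-connect:remotePort")
        if (port is None or int(port) == remote_port) and \
           (max_dur is None or duration_seconds <= int(max_dur)):
            return True
    return False
```

A request that exceeds the policy's maxTunnelDuration, or targets a port other than the allowed one, is rejected locally, which is the same outcome the console's Max tunnel duration field would produce against IAM.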

Recommendations for using EC2 Instance Connect

Here are some recommendations for using the EC2 Instance Connect service effectively:

  1. Implement Just-In-Time Access: Leverage EC2 Instance Connect to enable just-in-time access to your EC2 instances. Grant access to specific users for a limited duration when they need it, reducing the exposure of your instances to potential security risks.
  2. Use IAM Roles for Access Control: Assign IAM roles to users who require access to EC2 instances via EC2 Instance Connect. This allows for centralized access control and eliminates the need to manage individual SSH keys for each user.
  3. Enable Multi-Factor Authentication (MFA): Strengthen the security of EC2 Instance Connect by enabling MFA for IAM users. By requiring an additional authentication factor, such as a token or biometric verification, you add an extra layer of protection to prevent unauthorized access.
  4. Follow the Least Privilege Principle: Apply the principle of least privilege when configuring IAM policies for EC2 Instance Connect. Grant only the necessary permissions required for users to connect to instances, avoiding excessive privileges that could potentially be abused.
  5. Regularly Rotate SSH Keys: Rotate SSH keys used for EC2 Instance Connect connections on a regular basis. This practice mitigates the risk of compromised keys and enhances overall security.
  6. Monitor and Audit Access: Enable logging for EC2 Instance Connect sessions and integrate the logs with AWS CloudTrail or other monitoring solutions. This allows you to track and audit access events, detect any suspicious activity, and ensure compliance with security policies.
  7. Stay Updated: Keep up to date with the latest features, security enhancements, and best practices for EC2 Instance Connect. Regularly review AWS documentation and security advisories, and participate in relevant forums to stay informed about new developments.
  8. Test and Validate: Before deploying EC2 Instance Connect in a production environment, thoroughly test the service in a controlled setting. Verify that the access controls, IAM policies, and SSH connectivity are functioning as expected.

Reference Link

Billing

There is no additional cost for using EIC endpoints. Standard data transfer charges apply.

Conclusion

In conclusion, EC2 Instance Connect is a valuable service provided by Amazon Web Services (AWS) that simplifies and secures SSH connectivity to Amazon EC2 instances. By leveraging EC2 Instance Connect, you can establish encrypted SSH connections to your EC2 instances without requiring them to have a public IP address. This enables enhanced security by reducing the attack surface and minimizing exposure to the public internet. To learn more, visit the EIC Endpoint documentation.

Roman Siewko

Learning Through Writing Evangelist | Making DevOps work for you

1 yr

It is worth adding that EC2 Instance Connect Endpoint allows you to connect not only to an EC2 instance, but also to any resource within the VPC. In order to do this, you should use the --private-ip-address and --remote-port parameters. https://www.dhirubhai.net/posts/roman-siewko_aws-awscommunity-awscommunitybuilders-activity-7075536906003845120-VDkv
