When you launch a new Amazon EC2 instance from a standard AMI, you can access that instance using secure remote system access protocols, such as Secure Shell (SSH) or Windows Remote Desktop Protocol (RDP). You must successfully authenticate at the operating-system level before you can access and configure the Amazon EC2 instance to your requirements. After you have authenticated and have remote access into the Amazon EC2 instance, you can set up the operating system authentication mechanisms you want, which might include X.509 certificate authentication, Microsoft Active Directory, or local operating system accounts.

To enable authentication to the EC2 instance, AWS provides asymmetric key pairs, known as Amazon EC2 key pairs. These are industry-standard RSA key pairs. Each user can have multiple Amazon EC2 key pairs, and can launch new instances using different key pairs. EC2 key pairs are not related to the AWS account or IAM user credentials discussed previously. Those credentials control access to other AWS services; EC2 key pairs control access only to your specific instance.

You can choose to generate your own Amazon EC2 key pairs using industry-standard tools like OpenSSL. You generate the key pair in a secure and trusted environment, and only the public key of the key pair is imported into AWS; you store the private key securely. We advise using a high-quality random number generator if you take this path.

You can choose to have Amazon EC2 key pairs generated by AWS. In this case, both the private and public key of the RSA key pair are presented to you when you first create the instance. You must download and securely store the private key of the Amazon EC2 key pair. AWS does not store the private key; if it is lost you must generate a new key pair.

Amazon Web Services – AWS Security Best Practices August 2016 Page 24 of 74

For Amazon EC2 Linux instances using the cloud-init service, when a new instance from a standard AWS AMI is launched, the public key of the Amazon EC2 key pair is appended to the initial operating system user’s ~/.ssh/authorized_keys file. That user can then use an SSH client to connect to the Amazon EC2 Linux instance by configuring the client to use the correct Amazon EC2 instance user’s name as its identity (for example, ec2-user), and providing the private key file for user authentication.

For Amazon EC2 Windows instances using the ec2config service, when a new instance from a standard AWS AMI is launched, the ec2config service sets a new random Administrator password for the instance and encrypts it using the corresponding Amazon EC2 key pair’s public key. The user can get the Windows instance password by using the AWS Management Console or command line tools, and by providing the corresponding Amazon EC2 private key to decrypt the password. This password, along with the default Administrative account for the Amazon EC2 instance, can be used to authenticate to the Windows instance.
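The three key-pair mechanics described above (generating your own RSA key pair and importing only the public half, cloud-init appending the public key to ~/.ssh/authorized_keys, and ec2config encrypting the Windows Administrator password with the public key so that only the private key holder can recover it) can be exercised locally. The script below is an added example, not code from the AWS whitepaper or from cloud-init/ec2config; it uses only openssl and coreutils so it runs offline. The file names, the home directory, the sample password and the sample public-key line are all constructed for the demo, and the `aws ec2` commands are shown only in comments.

```shell
#!/bin/sh
# Added example (not from the AWS whitepaper). Demonstrates, offline:
#   1. local RSA key-pair generation: the private key stays on this host,
#      only the public key would be imported into AWS;
#   2. the Windows flow: encrypt a password with the public key (what
#      ec2config does on the instance) and decrypt it with the private key
#      (what you do with the downloaded .pem);
#   3. the Linux flow: append a public key to ~/.ssh/authorized_keys the way
#      cloud-init does, idempotently and with sshd-compatible permissions.
# All paths and sample values below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PRIV="$WORK/my-ec2-key.pem"       # assumed file name for the private key
PUB="$WORK/my-ec2-key.pub.pem"    # assumed file name for the public key

# 1. Generate the key pair locally. umask 077 makes the private key 0600 so no
#    other local user can read it. Prints the private key's mode.
generate_keypair() {
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
    # Import step (not run here): convert to OpenSSH format and upload only the
    # public key:
    #   ssh-keygen -y -f my-ec2-key.pem > my-ec2-key.pub
    #   aws ec2 import-key-pair --key-name my-ec2-key --public-key-material fileb://my-ec2-key.pub
    stat -c '%a' "$PRIV"
}

# 2. Windows password flow. ec2config encrypts the generated Administrator
#    password with the key pair's public key and the API returns it base64
#    encoded; the holder of the private key decrypts it. openssl pkeyutl's
#    default RSA padding is PKCS#1 v1.5, which is what this flow uses.
encrypt_password() {   # $1 = plaintext password (constructed sample)
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$PUB" | base64 | tr -d '\n'
}
decrypt_password() {   # $1 = base64 ciphertext as the API would return it
    printf '%s' "$1" | base64 -d | openssl pkeyutl -decrypt -inkey "$PRIV"
}
roundtrip_password() {
    # The real command that does the decrypt step for you would be:
    #   aws ec2 get-password-data --instance-id <id> --priv-launch-key my-ec2-key.pem
    decrypt_password "$(encrypt_password 'Constructed-Sample-Passw0rd')"
}

# 3. Linux flow: what cloud-init does with the public key at first boot.
#    Idempotent (a second run adds nothing) and with the 700/600 modes that
#    sshd's StrictModes requires. Prints the number of keys in the file.
append_authorized_key() {   # $1 = home directory, $2 = one OpenSSH public-key line
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
    grep -qxF "$2" "$1/.ssh/authorized_keys" || printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Demo run (constructed values):
generate_keypair
roundtrip_password; echo
append_authorized_key "$WORK/home" "ssh-rsa AAAAB3NzaC1yc2E-constructed-sample-key my-ec2-key"
```

Two points worth noting: the decrypt step never needs the private key to leave your workstation, which is the property the whitepaper relies on when it says AWS does not store the private key; and the authorized_keys permissions matter because sshd silently ignores a world-writable file, which is a common reason an imported key "does not work".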