EC2 Security Archives - AWS Security Architect
https://awssecurityarchitect.com/category/ec2-security/
Experienced AWS, GCP and Azure Security Architect (feed last updated Sun, 11 Dec 2022 14:10:52 +0000)

AWS EC2 – Proceed without Key Pair
https://awssecurityarchitect.com/ec2-security/aws-ec2-proceed-without-key-pair/
Sun, 11 Dec 2022 14:10:52 +0000

The post AWS EC2 – Proceed without Key Pair appeared first on AWS Security Architect.

While creating the instance, you will be prompted to “Proceed without key pair”. You can still connect to the instance provided that:

  • the sshd in your AMI is configured to use password-based authentication
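The condition above depends on what the AMI's sshd_config actually says, so a quick way to check an image before launching without a key pair is to evaluate the effective PasswordAuthentication setting the way sshd does (first occurrence wins, commented lines ignored, Match blocks only apply to matching sessions). This is an added example, not code from the post; the two config texts are constructed samples and Include directives are assumed not to be in use.

```python
"""Report whether an sshd_config would accept password logins."""
import re

# Constructed samples; not copied from any real AMI.
DEFAULT_CONFIG = """\
# Authentication:
#PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
HARDENED_CONFIG = """\
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

KEYWORD_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.+)$")  # "Key value" or "Key=value"

def global_setting(config_text, keyword, default):
    """Value of *keyword* outside any Match block, using sshd's first-match-wins rule.

    Commented and blank lines are skipped; everything after a Match line is
    ignored because it applies only to matching sessions. Include directives are
    not followed (assumption: the whole configuration lives in one file).
    """
    in_match = False
    for raw in config_text.splitlines():
        m = KEYWORD_RE.match(raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            in_match = True
        elif not in_match and key == keyword.lower():
            return value  # first occurrence wins in sshd
    return default

def password_auth_enabled(config_text):
    """OpenSSH defaults PasswordAuthentication to yes when the line is absent or commented."""
    return global_setting(config_text, "PasswordAuthentication", "yes") == "yes"
```

Run it against the sshd_config pulled from the AMI (for example via `sshd -T` output or the file itself); an image that reports True is the only kind where proceeding without a key pair still leaves you a way in.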
AWS Backups using SSM doc and bash
https://awssecurityarchitect.com/ec2-security/aws-backups-using-ssm-doc-and-bash/
Thu, 27 Oct 2022 16:50:34 +0000

How do I kick off a command line based backup job (AWS backup job) from an SSM Doc?

  1. Create your SSM managed EC2 instance (with the SSM agent installed). The SSM agent is pre-installed on AWS AMIs and needs to be installed on custom AMIs.
  2. Use the python script provided in this repo.
  3. Call the python script from a command line (for testing purposes). Execution: python ec2_volume_snapshot.py <volume_id> <region_name>
  4. Once tested from the command line, use a bash script to wrap the python command above. The bash script lives in the SSM doc. It runs on the Linux OS of an EC2 instance that is SSM managed.

Sample python program to call the AWS backup service and perform a backup (ec2_volume_snapshot.py)

import subprocess
import sys
import boto3

def execute_shell_commands(commands):
    # Run the command as an argument list (no shell). stderr is merged into
    # stdout, so the second value returned by communicate() is always None here.
    MyOut = subprocess.Popen(commands,
                             stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT)
    stdout, stderr = MyOut.communicate()

    command_string = " ".join(commands)
    print("Command executed : %s" % command_string)
    if stdout is not None:
        stdout = stdout.decode("utf-8")
        print("Stdout :\n%s" % stdout)
    if stderr is not None:
        stderr = stderr.decode("utf-8")
        print("Stderr :\n%s" % stderr)

# Run pre-script: stop the web server so the volume is quiescent during the snapshot
execute_shell_commands(['sudo', 'service', 'apache2', 'stop'])

volume_id = sys.argv[1]
region_name = sys.argv[2]

ec2 = boto3.resource('ec2', region_name=region_name)
volume = ec2.Volume(volume_id)
snapshot = volume.create_snapshot()
snapshot.wait_until_completed()

ec2_client = boto3.client('ec2', region_name=region_name)
snapshot_details = ec2_client.describe_snapshots(SnapshotIds=[snapshot.id])
print("Snapshot details :\n%s" % snapshot_details)

# Run post-script: bring the web server back and confirm it is up
execute_shell_commands(['sudo', 'service', 'apache2', 'start'])
execute_shell_commands(['sudo', 'service', 'apache2', 'status'])

Sample bash script (in the SSM doc) to call a python command

#!/bin/bash

MYSTRING="Do something in bash"
echo "$MYSTRING"

# The heredoc feeds an inline python program to the interpreter
python - << EOF
myPyString = "Do something on python"
print(myPyString)
EOF

echo "Back to bash"
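One failure mode of the pre-script/post-script pattern above is that an exception from the snapshot call (bad volume id, expired credentials, a wait timeout) leaves apache2 stopped, because the post-script never runs. The following added example, not part of the post, wraps the same steps so the post-script always runs and the outcome is returned instead of only printed; the snapshot function is injectable so the orchestration can be exercised without AWS credentials. Names such as run_backup are mine, and the service name and boto3 calls are taken from the post.

```python
"""Snapshot an EBS volume with pre/post service hooks that always run."""
import subprocess
import sys

def run_cmd(argv):
    """Run a command as an argument list (no shell); raise if it exits non-zero."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    print("Ran: %s\n%s" % (" ".join(argv), result.stdout))
    return result.returncode

def ebs_snapshot(volume_id, region_name, description):
    """Create an EBS snapshot with boto3 and wait for it (needs AWS credentials)."""
    import boto3  # imported lazily so the orchestration below is testable offline
    ec2 = boto3.resource("ec2", region_name=region_name)
    snapshot = ec2.Volume(volume_id).create_snapshot(Description=description)
    snapshot.wait_until_completed()
    return snapshot.id

def run_backup(volume_id, region_name, snapshot_fn=ebs_snapshot, pre=None, post=None):
    """Stop the service, snapshot, and ALWAYS restart the service, even on failure.

    Returns (snapshot_id, error); exactly one of the two is None.
    """
    pre = pre or (lambda: run_cmd(["sudo", "service", "apache2", "stop"]))
    post = post or (lambda: run_cmd(["sudo", "service", "apache2", "start"]))
    snapshot_id, error = None, None
    pre()
    try:
        snapshot_id = snapshot_fn(volume_id, region_name, "ssm-backup of %s" % volume_id)
    except Exception as exc:  # broad on purpose: every failure must reach the finally block
        error = str(exc)
    finally:
        post()  # the service comes back even when the snapshot raised
    return snapshot_id, error

if __name__ == "__main__":
    sid, err = run_backup(sys.argv[1], sys.argv[2])
    print("snapshot:", sid, "error:", err)
    sys.exit(0 if err is None else 1)
```

A non-zero exit code is what lets the SSM Run Command invocation show as Failed instead of Success, so the bash wrapper in the document should propagate it rather than swallow it.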
AWS SSM Connect for no ingress EC2 instances
https://awssecurityarchitect.com/ec2-security/aws-ssm-connect-for-ec2-with-no-ingress-security-groups/
Sun, 25 Sep 2022 06:15:24 +0000

No Ingress EC2 is a great security option to completely block off all access to an EC2 instance. How then will management users connect to this instance?

This is a brief post on how to connect to a completely cut-off EC2 instance, one that is in a private subnet and also has a no-ingress Security Group attached.

Attach the SSM Managed Policy to the EC2 instance


Launch and Test the Instance

  • From the EC2 console, launch an EC2 instance (Windows Server)
  • Create a private subnet with no Internet Gateway
  • Create a security group with no ingress ports
  • Configure or attach the instance with the no-ingress security group and the SSM IAM role created earlier
  • Ensure that the Windows EC2 instance has the SSM Agent running by viewing it in AWS Systems Manager
  • Connect to the source EC2 instance via “EC2 Connect”
  • Run this command to enable AWS SSM port forwarding to a local port (we are mapping the remote desktop port of the Windows EC2, port 3389, to port 3340 of the localhost):

aws ssm start-session --target <<windows-ec2-instanceid>> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["<<desiredPortNumber>>"]}' --region <<region-where-ec2-launched>>

Testing it out

Telnet to the port (3640 in this example):

telnet localhost 3690

Summary

No Ingress EC2 instances are a great way to protect access to your instances on AWS. For an advanced security consultation, please Contact AWS Security Architect

Protecting EC2 instances on AWS – Basic EC2 Security
https://awssecurityarchitect.com/ec2-security/protecting-ec2-instances-on-aws-basic-ec2-security/
Sat, 24 Sep 2022 16:25:55 +0000

Also read – No Ingress EC2 Instances

Here are a couple of simple, yet often ignored, best practices around EC2 instance access.

Access to EC2 instances via Systems Manager Only (Management Access)

  • Management of EC2 instances should be via Systems Manager (SSM).
  • No Ingress EC2 instances are to be created with SSM enabled.
  • This saves the whole headache of whitelisting allowed IP addresses to manage EC2 instances.

No Public IP on EC2 Instances  (Public/End User Access)

EC2 instances that need to be public facing should be front-ended with a Load Balancer. The load balancer should expose the public IP, instead of the EC2 instance.
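The baseline in this post and in the SSM Connect post above (no public IP, no ingress rules on the attached security groups, and an instance profile so the SSM agent can register) is easy to check mechanically from describe_instances and describe_security_groups output. The following is an added example, not the blog's code; the two sample structures are constructed to mirror the shape of those API responses, trimmed to the fields used, and the function names are mine.

```python
"""Audit EC2 instances against the no-ingress / no-public-IP / SSM-managed baseline."""

# Constructed sample shaped like describe_instances / describe_security_groups
# output, trimmed to the fields used; not real account data.
SAMPLE_SGS = {
    "sg-noingress": {"IpPermissions": []},
    "sg-rdp": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-good", "SecurityGroups": [{"GroupId": "sg-noingress"}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/ssm-ec2"}},
    {"InstanceId": "i-bad", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-rdp"}]},
]

def rule_sources(rule):
    """Collect every source a security group rule admits (CIDR, IPv6 CIDR, or SG)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])])

def audit_instance(instance, sgs):
    """Return findings for one instance; an empty list means it meets the baseline."""
    findings = []
    if instance.get("PublicIpAddress"):
        findings.append("public IP %s exposed; front it with a load balancer instead"
                        % instance["PublicIpAddress"])
    if not instance.get("IamInstanceProfile"):
        findings.append("no instance profile: the SSM agent cannot register, so there is "
                        "no Session Manager access without opening ingress")
    for sg in instance.get("SecurityGroups", []):
        for rule in sgs.get(sg["GroupId"], {}).get("IpPermissions", []):
            findings.append("%s allows ingress %s %s-%s from %s" % (
                sg["GroupId"], rule.get("IpProtocol"), rule.get("FromPort"),
                rule.get("ToPort"), ", ".join(rule_sources(rule)) or "(no source)"))
    return findings

def audit(instances, sgs):
    """Map each instance id to its findings."""
    return {i["InstanceId"]: audit_instance(i, sgs) for i in instances}

if __name__ == "__main__":
    for iid, found in audit(SAMPLE_INSTANCES, SAMPLE_SGS).items():
        print(iid, "OK" if not found else "; ".join(found))
```

In a real account the two sample structures come from `describe_instances` (the Reservations/Instances entries) and `describe_security_groups`; note that an instance in a private subnet with no Internet Gateway also needs a route to the SSM service (NAT or VPC interface endpoints for ssm, ssmmessages and ec2messages) before the agent shows up in Systems Manager.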

Summary

IaaS-based compute is the most used service alongside storage. Protecting management-level access as well as public access to these instances is key to ensuring a secure AWS environment.

For an advanced security consultation, please Contact AWS Security Architect
