
From Cramsession
Verified Author: Mflavell

Securing EC2 Instances

Key Pairs

Key pairs allow you to connect to EC2 instances.

Key pairs can be created in two ways:

  • During EC2 deployment
  • Within the EC2 management console


Deleting Keys

Several reasons for deletion:

  • Periodic cycling
  • An employee who holds a key leaving
  • A security event resulting in loss of keys or in access via keys


If a key pair is deleted, you can no longer use it through AWS to access the associated EC2 instances.

This deletes the AWS copy of the key pair but does not delete the public key from the EC2 instances.
For this reason, anyone who still holds the private key can still connect.
Think of this as deleting the key from the AWS registry; it does not delete it from the instance!

You can recover from a lost AWS private key.

↗️ Don't put yourself in this situation, but it is possible.


Building a Bastion Host

Keep in mind that a bastion host should only be a bridge into your AWS environment. Nothing more than that.


Some important points:

  • Pick an OS that is minimal, such as a cut-back Ubuntu.
  • Minimize the number of processes running on the OS; remove what you don't need.
  • Update the SSH configuration, such as disabling root access and password authentication.
  • Close unnecessary ports.
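
Added example (not from the original notes): a POSIX shell audit of the two SSH settings named above, run against two constructed sshd_config samples. The function names `sshd_value` and `audit_sshd` are chosen here, not part of any AWS or OpenSSH tooling.

```shell
#!/bin/sh
# Added example, not from the study guide: audit an sshd_config for the two
# SSH hardening settings listed above. Both config files are constructed
# samples written to temp files; Match blocks are not handled.

# Print the effective value of an sshd keyword (lower-cased). sshd honours
# the first occurrence of a keyword, so later duplicates are ignored.
sshd_value() {
  # $1 = config file, $2 = keyword (matched case-insensitively, like sshd)
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments/blanks
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# Report both settings; succeed (return 0) only if both are hardened.
# Missing keywords fall back to sshd defaults: PermitRootLogin
# prohibit-password, PasswordAuthentication yes.
audit_sshd() {
  rc=0
  root=$(sshd_value "$1" PermitRootLogin)
  pw=$(sshd_value "$1" PasswordAuthentication)
  if [ "${root:-prohibit-password}" = "no" ]; then echo "OK   PermitRootLogin no"
  else echo "FAIL PermitRootLogin ${root:-<default>}"; rc=1; fi
  if [ "${pw:-yes}" = "no" ]; then echo "OK   PasswordAuthentication no"
  else echo "FAIL PasswordAuthentication ${pw:-<default>}"; rc=1; fi
  return $rc
}

# Constructed sample: root login allowed, and the password setting is only
# in a comment, so sshd's default (yes) applies.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF

# Constructed sample: the hardened settings the notes recommend.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd "$WEAK_CFG" || echo "weak sample: not hardened"   # exit status 1
audit_sshd "$HARD_CFG" && echo "hardened sample: ok"         # exit status 0
```

Run it against a real `/etc/ssh/sshd_config` on the bastion after the edits, and remember that a commented-out line leaves the sshd default in force.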


AWS Session Manager

AWS Session Manager and a bastion server are similar in many ways.

  • Session Manager does not need a bastion; it uses AWS Systems Manager.
  • Session Manager uses a web-based shell.
  • With Session Manager, AWS handles authentication; there is no jump host.
  • Session Manager doesn't require any special network configuration.


Session Manager is better: it provides a more secure and streamlined approach and reduces the attack surface.