
Is there a way to manage (add/delete) multiple users in multiple AWS EC2 Linux instances?

I realize this is a common question, but after browsing around, I decided it was worth asking fresh. Any suggestions related to the topic are welcome.

We are working with AWS EC2 Linux instances. Our current process to provide access to the instances:

  1. Creation of AWS EC2 instance with existing/new pem file for ec2-user
  2. ssh into the server using ec2-user pem file and public IP
  3. Create individual users and private and public keys for the user
  4. Share the private key to the user
  5. User ssh into the Linux server using their own user and private pem key through terminal or putty

This is a very tedious process to manage the Linux users, wherein the users are removed/created for all the servers manually again.

What I want to achieve is, using the AWS IAM user and group, that a user can ssh into the EC2 instances with the individual's pem. Similarly, when the user is to be deleted, upon deletion from the AWS account, the user's account is deleted from the EC2 instances as well.

Kindly comment if there are any additional queries related to the above.

Thanks in advance

If all users can connect to the instance using the same local account but each user with their own key pair, and you don't mind having a two-step process for connection (one that implies using the AWS CLI), then you might want to have a look at EC2 Instance Connect.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html#ec2-instance-connect-install-eic-CLI

This works for all Amazon Linux 2 and Ubuntu 16.04+ instances. It might be supported for other AMIs, but you would have to do some research.

If you decide to use that approach, you'll have to set up some things for all instances (including an IAM policy that authorizes users to push a public key to the instances). But the process is pretty much straightforward. I think you'll need AWS CLI 1.18+ to be able to push your keys, but I'm not sure.

Once everything is in place, a user can push a public key to the instance he wants to connect to, and that key will be valid for 60 seconds, giving the user enough time to connect to the instance.

The process looks like this:

You push your public key to the instance with:

$ aws ec2-instance-connect send-ssh-public-key \
    --instance-id i-001234a4bf70dec41EXAMPLE \
    --availability-zone us-west-2b \
    --instance-os-user ec2-user \
    --ssh-public-key file://my_rsa_key.pub

Then, within a 60-second time frame, you can connect to the instance with:

ssh -o "IdentitiesOnly=yes" -i my_rsa_key ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com

More info can be found here: https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::863239526838:policy/test-ec2-connect$jsonEditor

Once you deactivate or delete a user, they will no longer be able to push their keys to the instances and thus will not be able to connect to them.

There's a little overhead to set up the instances but you end up saving time overall and you have to manage users only in one place which is a significant gain.
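The two pieces the answer above describes, an IAM policy that authorizes pushing a key and the push-then-connect sequence, as one added POSIX shell example. This is not the answer's own code or anything from AWS; it assumes the AWS CLI is installed and configured, ssh-keygen is available, and the names eic_policy_json, eic_ssh, run and EIC_DRY_RUN are the example's own. The account id, instance id and hostname in the usage comments are constructed placeholders. ec2:osUser is the condition key SendSSHPublicKey supports, so the policy can pin each principal to one instance and one OS user rather than granting push rights account-wide:

```shell
#!/bin/sh
# Added example (not the original answer's code). Assumes a configured AWS CLI,
# ssh-keygen on PATH, and an IAM identity allowed to call
# ec2-instance-connect:SendSSHPublicKey for the target instance.

# Emit a least-privilege policy: push keys only to ONE instance and only as ONE
# OS user. ec2:DescribeInstances is what the CLI needs to resolve the instance.
# Arguments: REGION ACCOUNT_ID INSTANCE_ID OS_USER (all caller-supplied).
eic_policy_json() {
    region=$1; account=$2; instance_id=$3; os_user=$4
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:$region:$account:instance/$instance_id",
      "Condition": { "StringEquals": { "ec2:osUser": "$os_user" } }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
EOF
}

# Print or execute a command depending on EIC_DRY_RUN, so the flow can be
# inspected without AWS credentials or network access.
run() {
    if [ "${EIC_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only the two shapes an EC2 instance id can take (i- plus 8 or 17 hex
# digits); rejecting junk here avoids a wasted API call and a confusing error.
valid_instance_id() {
    printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Push a fresh key and connect inside the 60-second window.
# usage: eic_ssh INSTANCE_ID AVAILABILITY_ZONE OS_USER HOSTNAME_OR_IP
# A new ed25519 key pair is generated per session and deleted afterwards:
# the pushed public key only lives 60 seconds on the instance, so there is no
# reason to keep a long-lived private key on disk.
eic_ssh() {
    instance_id=$1; az=$2; os_user=$3; host=$4
    valid_instance_id "$instance_id" || {
        echo "eic_ssh: invalid instance id '$instance_id'" >&2
        return 2
    }
    keydir=$(mktemp -d) || return 1
    key="$keydir/eic_session_key"

    run ssh-keygen -q -t ed25519 -N '' -f "$key" \
    && run aws ec2-instance-connect send-ssh-public-key \
            --instance-id "$instance_id" \
            --availability-zone "$az" \
            --instance-os-user "$os_user" \
            --ssh-public-key "file://$key.pub" \
    && run ssh -o IdentitiesOnly=yes -i "$key" "$os_user@$host"
    status=$?

    rm -rf "$keydir"
    return $status
}

# Constructed sample values (documentation-style ids, not real resources):
#   eic_policy_json us-west-2 123456789012 i-0123456789abcdef0 ec2-user
#   EIC_DRY_RUN=1 eic_ssh i-0123456789abcdef0 us-west-2b ec2-user \
#       ec2-198-51-100-1.compute-1.amazonaws.com
```

Attach the emitted policy to an IAM group and a deactivated or deleted IAM user loses the ability to push keys immediately, which is the offboarding behaviour the question asks for; the per-session key pair means nothing reusable is left behind on the client when the 60-second window closes.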

You can do all this in a simple way with the AWS Organizations service.

Through AWS Organizations, you can create multiple user accounts with centralised governance.

You can apply Service Control Policies (SCPs) to ensure that users in your accounts only perform actions that meet your security and compliance requirements.

You can automate user creation, assigning users to groups, and assigning roles.
