EC2 Instance Connect is an insecure default!

Andreas Wittig – 20 Aug 2019

Two months before, Michael wrote about why AWS SSM is a trojan horse. Shortly after that, AWS released EC2 Instance Connect, which is even worse. If you use Amazon Linux 2 or Ubuntu, the chances are high that everyone in your AWS account can SSH into every EC2 instance!

Rant

Do you prefer listening to a podcast episode over reading a blog post? Here you go!

What is EC2 Instance Connect

EC2 Instance Connect makes your public SSH key available on an EC2 instance using the metadata service. To push your public key to an EC2 instance, you use the SendSSHPublicKey API.

The SSH daemon (sshd) needs to be configured to ask the metadata service for all public keys when someone connects via SSH. This configuration is enabled for you by default on Amazon Linux 2 and Ubuntu AMIs. We discovered this breaking change in November 2018.


Looking for a new challenge?

  • tecRacer

    Cloud Consultant

    tecRacer • Premier AWS Consulting Partner • Germany, Austria, Spain, and Switzerland
    AWS only Infrastructure as Code EC2 Containers Serverless
  • tecRacer

    Cloud Migration Specialist

    tecRacer • Premier AWS Consulting Partner • Germany, Austria, Spain, and Switzerland
    Lift&Shift Transformation EC2 RDS VPC

How the backdoor works

These three conditions must be met:

  1. Use the official Amazon Linux 2 or Ubuntu AMIs
  2. Allow traffic on port 22. If you used SSH in the past to manage your instances, the port is already open.
  3. Your IAM user or role needs permissions (action ec2-instance-connect:SendSSHPublicKey). Very likely, you have those permissions thanks to managed policies like AdministratorAccessor PowerUserAccess.

You can now open an SSH connection to every EC2 instance in your AWS account.

Protect yourself

If you are not interested in using EC2 Instance Connect, you can do one of the following:

If you want to use EC2 Instance Connect:

  1. Keep your Security Groups as close as possible and use a VPN to connect to your VPC.
  2. Grant the ec2-instance-connect:SendSSHPublicKey action carefully. According to IAM docs, you only can use a condition to restrict the OS user. According to the EC2 Instance Connect docs, you can also restrict access to specific EC2 instances using resource-level permissions. Unfortunately, EC2 Instance tags don’t seem to be supported.

Summary

AWS released a new feature called EC2 Instance Connect. It is enabled by default on Amazon Linux 2 and Ubuntu AMIs. We would appreciate if AWS would ask us - the customers - before they change defaults that increase our security risks. And we would also love to see up-to-date documentation on the IAM configuration. The information is contradictory at the moment, which is not satisfactory when security is at risk!

Become a cloudonaut supporter

Andreas Wittig

Andreas Wittig ( Email, Twitter, or LinkedIn )

We launched the cloudonaut blog in 2015. Since then, we have published 345 articles, 45 podcast episodes, and 37 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

$
Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Jaap-Jan Frans, Jason Yorty, Jeff Finley, Jens Gehring, jhoadley, Johannes Grumböck, John Culkin, Jonas Mellquist, Juraj Martinka, Kamil Oboril, Ken Snyder, Ross Mohan, Ross Mohan, sam onaga, Shawn Tolidano, Thorsten Hoeger, Todd Valentine, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.