
AWS EC2 - Create an EC2 Instance Connect Endpoint

  • EC2 Instance Connect Endpoint allows you to connect to an instance without requiring the instance to have a public IPv4 address. You can connect to any instance that supports TCP.
  • The purpose of this exercise is to learn how to connect to EC2 resources that have no public IP address.

Requirements

  1. Create a VPC with 2 private subnets (no Internet connectivity)
  2. Create 2 separate instances, one in each subnet
  3. Create an Instance Connect Endpoint
  4. Set up IAM users with the permissions needed to issue the ec2-instance-connect:OpenTunnel action
  5. Set up your client (terminal) with the proper tools (latest AWS CLI)
  6. Test connectivity from the AWS Console and from your client terminal
  7. Delete the resources

Desired Architecture (components)

(Architecture diagram)

Tips and Tricks

Connect to the Instance Using Short Lived Keys (preferred method)

aws ec2-instance-connect ssh --instance-id [INSTANCE]

Connect to the Instance Using Traditional SSH Keys

ssh ec2-user@[INSTANCE] \
    -i [SSH-KEY] \
    -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id %h'

User Required Permissions

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "EC2InstanceConnect",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
                }
            }
        },
        {
            "Sid": "SSHPublicKey",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ami-username"
                }
            }
        },
        {
            "Sid": "Describe",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
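An added pre-flight wrapper (example code written for this page, not part of the original exercise) that mirrors the two OpenTunnel conditions locally before calling `open-tunnel`, so a denied tunnel can be traced to the port or private-IP condition rather than to a missing endpoint. `ALLOWED_CIDR`, `ALLOWED_PORT` and the helper names are assumptions; the `describe-instances` lookup relies on the `ec2:DescribeInstances` permission the policy above grants.

```shell
#!/usr/bin/env bash
# Added example: replicate the policy's Condition block locally.
# The defaults match the policy above (10.0.1.0/31 and port 22).
set -euo pipefail

ALLOWED_CIDR="${ALLOWED_CIDR:-10.0.1.0/31}"   # ec2-instance-connect:privateIpAddress
ALLOWED_PORT="${ALLOWED_PORT:-22}"            # ec2-instance-connect:remotePort

# ip_to_int 10.0.1.1 -> 167772417 (dotted quad to 32-bit integer)
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR
in_cidr() {
  local ip="$1" cidr="$2"
  local net="${cidr%/*}" bits="${cidr#*/}"
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# tunnel_allowed IP PORT -> exit status 0 when both policy conditions hold
tunnel_allowed() {
  [ "$2" = "$ALLOWED_PORT" ] && in_cidr "$1" "$ALLOWED_CIDR"
}

# open_tunnel INSTANCE-ID: look up the private IP (constructed usage; needs
# credentials), run the local check, then open the tunnel on port 22.
open_tunnel() {
  local instance="$1" ip
  ip=$(aws ec2 describe-instances --instance-ids "$instance" \
         --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text)
  if ! tunnel_allowed "$ip" "$ALLOWED_PORT"; then
    echo "refusing: $ip:$ALLOWED_PORT is outside $ALLOWED_CIDR / port $ALLOWED_PORT" >&2
    return 1
  fi
  aws ec2-instance-connect open-tunnel --instance-id "$instance"
}
```

Run `open_tunnel i-0123456789abcdef0` (constructed ID) from a sourced shell; a refusal means the IAM conditions, not the endpoint, would reject the request.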

Resources