###### tags: `AWS`

# AWS EC2 Login

## Preface

https://www.ecloudture.com/%E9%80%A3%E7%B7%9A%E8%87%B3ec2%E7%9A%84%E4%B8%89%E7%A8%AE%E6%96%B9%E6%B3%95%E8%88%87%E6%AF%94%E8%BC%83-ssh%EF%BC%8Cec2%E5%AF%A6%E4%BE%8B%E9%80%A3%E6%8E%A5%EF%BC%8C%E7%B3%BB%E7%B5%B1%E7%AE%A1%E7%90%86/

## Using Session Manager for login control

Main tutorial: https://kkc.github.io/2020/04/11/aws-ssm-session-manager-note/

### EC2

Install the SSM Agent:

1. Install with snap:
   `sudo snap install amazon-ssm-agent --classic`
2. Run the following command to determine whether the SSM Agent is running.
   `sudo snap list amazon-ssm-agent`
3. If the previous command returns amazon-ssm-agent is stopped, inactive, or disabled, run the following command to start the service.
   `sudo snap start amazon-ssm-agent`
4. Check the status of the agent.
   `sudo snap services amazon-ssm-agent`

https://docs.aws.amazon.com/zh_tw/systems-manager/latest/userguide/agent-install-ubuntu.html

Once you have confirmed that the instance has the SSM Agent, go to IAM and create a role. You can build the IAM role directly from the built-in policy AmazonSSMManagedInstanceCore, then attach this IAM role to the host.

Create Role

1. The policy exists by default; just select AmazonSSMManagedInstanceCore.

### Local

1. Install the AWS CLI:
   Doc: https://docs.aws.amazon.com/zh_tw/cli/latest/userguide/install-cliv2-windows.html
   `https://awscli.amazonaws.com/AWSCLIV2.msi`
   Verify:
   `aws --version`
2. Install the Session Manager Plugin
   `https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe`
   After installation, add the plugin directory to the PATH environment variable:
   `setx PATH "%PATH%;%PROGRAMFILES%\Amazon\SessionManagerPlugin\bin"`
   Verify:
   `session-manager-plugin`
3. AWS configure
   The local machine has to be linked to your AWS account.
   Go to IAM and select your own user under Users.
   Click security credentials.
   Click create access key.
   This generates an access_key and secret pair.
   Go back to the local terminal and enter:

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

Connection command:
`aws ssm start-session --target 'instance-id'`

## Using Instance Connect for login control (AWS CLI)

### EC2

1. Install EC2 Instance Connect
   `sudo apt-get install ec2-instance-connect`
2. Create role

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "arn:aws:ec2:ap-northeast-1:204075225894:instance/i-0b8d902d8f3ac4de9",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "william"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}
```

Change Your-Region-1 and ACCOUNTID to your own values.
When done, attach the policy to a user or group.

### Local

1. Install the Instance Connect CLI
   It is installed with pip, so Python must be installed on the local machine first.
   Installing pip: https://www.maxlist.xyz/2019/07/13/pip-install-python/
   `pip install ec2instanceconnectcli`
2. Install the AWS CLI:
   Doc: https://docs.aws.amazon.com/zh_tw/cli/latest/userguide/install-cliv2-windows.html
   `https://awscli.amazonaws.com/AWSCLIV2.msi`
   Verify:
   `aws --version`
3. AWS configure
   The local machine has to be linked to your AWS account.
   Go to IAM and select your own user under Users.
   Click security credentials.
   Click create access key.
   This generates an access_key and secret pair.
   Go back to the local terminal and enter:

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

Connection command:
`mssh ubuntu@instance-id`
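
Added example (not part of the original note): a simplified offline evaluator for the Instance Connect policy above, showing which instance and OS user combinations it lets a caller push an SSH key for, plus a lint for over-broad grants. It assumes only `Allow` statements and the `StringEquals` / `ec2:osuser` condition matter; the function names are hypothetical and the sample policy reuses this page's values.

```python
import fnmatch

ACTION = "ec2-instance-connect:SendSSHPublicKey"
ARN = "arn:aws:ec2:ap-northeast-1:204075225894:instance/i-0b8d902d8f3ac4de9"

# The policy from this page, reduced to the statement that grants the key push.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": ARN,
        "Condition": {"StringEquals": {"ec2:osuser": "william"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(policy):
    """Yield Allow statements whose Action covers SendSSHPublicKey."""
    for st in _as_list(policy["Statement"]):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(ACTION.lower(), a.lower()) for a in actions):
            yield st

def can_push_key(policy, instance_arn, os_user):
    """Simplified check: Allow statements and StringEquals on ec2:osuser only."""
    for st in _grants(policy):
        if not any(fnmatch.fnmatchcase(instance_arn, r)
                   for r in _as_list(st["Resource"])):
            continue
        users = st.get("Condition", {}).get("StringEquals", {}).get("ec2:osuser")
        if users is None or os_user in _as_list(users):
            return True
    return False

def lint(policy):
    """Flag grants broader than one instance and one OS user."""
    findings = []
    for st in _grants(policy):
        if any("*" in r for r in _as_list(st["Resource"])):
            findings.append("wildcard Resource: key can be pushed to many instances")
        if "ec2:osuser" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("no ec2:osuser condition: key can be pushed for any OS user")
    return findings
```

With the policy as written, `can_push_key(POLICY, ARN, "william")` is true and `can_push_key(POLICY, ARN, "ubuntu")` is false, so the user named in the `mssh` command has to match the `ec2:osuser` value.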