Hacker News new | ask | show | jobs
by scarface74 1320 days ago
> If you wish to provide access via SSH…

Don’t do this. I can’t think of a single reason that anyone ever needs to SSH directly into a server on AWS in 2022.

Use System Manager Session Manager

https://docs.aws.amazon.com/systems-manager/latest/userguide...

Short explanation: it allows you to access a Linux instance via SSH using SSM as an IAM controlled proxy or use RDP for Windows.

You don’t need ingress access to your instance or even egress internet access if your security policies mandate it as long as you set up the correct service endpoints.

Also, just use Control Tower and federate it with your IDP - Active Directory, Okta, etc.
3 comments
datalopers 1320 days ago
A lot of us are busy solving business needs in smaller companies/startups and don't have the time nor expertise to learn every single AWS service and come up with a justification for utilizing it.
link
jacurtis 1320 days ago
A lot of these tools actually make your life easier and faster in the long run.

ControlTower for example. Takes about 30 mins to setup on normal AWS (on GovCloud it was much more complicated, took me half a day). But then setting up new accounts is one click and it’s preconfigured with correct restrictions and security measures, which individually would take several hours per account to do without controltower. So it’s an easy savings from the beginning. The only real cost is the cost of AWS config. So if you’re using that already (for SecurityHub for example) then it’s nothing additional.

IAM Identity Center makes user management not only more secure but faster and easier. It will take half a day to maybe a full day to setup the first time. But now every new user will be a few clicks with access across multiple AWS accounts. You can remove them in one click across all accounts. So these are just really simple additions to your workflow that save you time and improve security.

SSM is another example. It’s adding a policy to your instance role and checking a box (or adding a flag in Terraform or CLI) and it’s enabled. It’s no additional cost. It saves you time because you don’t need to manage user accounts on the server anymore (they are managed broadly through IAM or PermissionSets). No more copying around SSH keys or rotating them when people leave. It improves security and saves you time.

There’s little (if any at all) downside to any of these things. It’s all upside. For the most part, these don’t even have any significant costs associated with them. They are generally provided for free where you’re only cost is the underlying resources that you’re managing, which of course your paying for regardless.

link
jacurtis 1320 days ago
I should add. Which identity center (previously called AWS SSO) you can tie it into your G-Suite or Microsoft 365 and just have it create AWS accounts for new hires as you onboard them by making email accounts. When they leave it automatically removes their access.

Not to mention the quality of life on this tool is incredible. When you truly have tens or hundreds of AWS accounts, the SSO tool makes it so nice to jump between them as an actual user. And I’m actually a huge fan of the CLI integration to get CLI access to any of them with a simple command on the AWS CLI. It’s super slick and will save you probably 5 hours the first week you use it.

We started using it a year ago and it’s been a game changer at our organization. As a user I don’t ever want to go back to normal IAM. Such a pain.

link
raffraffraff 1320 days ago
I understand your frustrations with AWS, and I get that solutions for enterprises don't always work for smaller companies, but when someone describes a solution that reduces operational complexity while increasing security, they should get thanks. It's not their fault that AWS has too many services.
link
marginalia_nu 1320 days ago
I think this is very important and generally poorly understood:

Scaling problems exist both up and down.

In exactly the same way there are solutions that work well in the small but become disproportionately expensive when you scale them up, there are solutions that are cost-effective on a large scale that become prohibitively expensive on a smaller scale.

The latter category includes a large chunk of enterprise-y cloud solutions.

link
scarface74 1320 days ago
Control Tower is literally a click once and it sets everything up for you.
link
raffraffraff 1320 days ago
This is an example of why the basic AWS Cloud Architect Associate exam is a good idea. It's how I learned about ControlTower (after using AWS for years)
link
cjcampbell 1320 days ago
I agree to an extent, though SSH may make sense for break-glass usage. SSM was unavailable during the large scale control plane outage last December, and I saw clients that would have been dead in the water without SSH as an alternative. That said, it's important to really think through how to provide that secondary layer without weakening the overall security posture. It's possible, but it does take work.
link
throwawaaarrgh 1320 days ago
Last I recall, SSMSM gives users root or ec2-user access on the instance? Or does it create new users?
link
scarface74 1320 days ago
I haven’t thought about this. But I did find this.

https://medium.com/@unruly_mood/aws-ssm-sessions-root-non-ro...

link
throwawaaarrgh 1320 days ago
So this is the basic problem: it doesn't give strong isolation for many users. Something like goteleport.com is better if you need lots of people to remote into random machines.
link