{"id":2547,"date":"2017-12-18T09:21:56","date_gmt":"2017-12-18T15:21:56","guid":{"rendered":"http:\/\/www.mooreds.com\/wordpress\/?p=2547"},"modified":"2017-12-18T09:21:56","modified_gmt":"2017-12-18T15:21:56","slug":"running-servers-in-aws-without-ssh-access","status":"publish","type":"post","link":"https:\/\/www.mooreds.com\/wordpress\/archives\/2547","title":{"rendered":"Running servers in AWS without SSH access"},"content":{"rendered":"

When you allow SSH access to your server, the user sshing can do many things.\u00a0 You can restrict their access with a tool like sudo<\/a> or chroot<\/a>, but at the end of the day, the user has access to the system and may be able to find a way to escalate their privileges.\u00a0 It’d be simpler if no one could login to the server at all, but how would you configure the server to actually be useful?<\/p>\n

With AWS and the AWS Systems Manager<\/a>, you can install an agent (open source<\/a>, under the Apache License) on your ec2 servers (perhaps via userdata<\/a> at boot time) and run all your commands via this AWS managed service.\u00a0 That means you never have to have an ssh server running.<\/p>\n

What about limiting what users can do?\u00a0 You have the full power of IAM to limit who can do what to which servers.\u00a0 Here’s how you can use tagging to limit on which servers someone can run a command<\/a>.<\/p>\n

What about installing applications?\u00a0 Uou can use userdata or the ec2 run command.<\/p>\n

What about logfiles of those applications?\u00a0 You can send your logfiles up to a log aggregation service like cloudwatch logs<\/a> or splunk.\u00a0 It’ll be easier to manage logfiles centrally anyway.\u00a0 If you use cloudwatch logs, don’t forget to move your logfiles to s3<\/a> and then expire them<\/a>, otherwise you’ll pay more than you should.<\/p>\n

What about system updates (patches, etc)?\u00a0 There’s a patch manager<\/a>.<\/p>\n

What about troubleshooting?\u00a0 You can use the ec2 run command to execute arbitrary commands<\/a> and get the response back.<\/p>\n

If you lock down the ec2 run command, then suddenly you have a lot less attack surface.\u00a0 No one can login to your AWS instances and nose around or run arbitrary commands to see what software is present or what security measures are in place.<\/p>\n","protected":false},"excerpt":{"rendered":"

When you allow SSH access to your server, the user sshing can do many things.\u00a0 You can restrict their access with a tool like sudo or chroot, but at the […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[79],"tags":[],"class_list":["post-2547","post","type-post","status-publish","format-standard","hentry","category-aws"],"_links":{"self":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts\/2547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/comments?post=2547"}],"version-history":[{"count":2,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts\/2547\/revisions"}],"predecessor-version":[{"id":2549,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/posts\/2547\/revisions\/2549"}],"wp:attachment":[{"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/media?parent=2547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/categories?post=2547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mooreds.com\/wordpress\/wp-json\/wp\/v2\/tags?post=2547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}