EC2 Instance connect - impersonating users


I am looking at ec2 instance connect and it seems it just allows you to impersonate any user that exists on host by default. i am testing it with IAM role that has all privileges

mssh my_user@1.2.3.4 --region eu-west-2 --profile myprofile -t $INSTANCE_ID

logs me on as myself, fine.

mssh some_other_user@1.2.3.4 --region eu-west-2 --profile myprofile -t $INSTANCE_ID 

logs me on as some other user that already exists on this server.

Looks like this behaviour is by design. And anyone with the required IAM permissions for ec2-instance-connect can impersonate any user on the host. The document below mentions how you can scope user permission so your IAM policy only allows you to 'push public key' as a specific user by leveraging the 'ec2:osuser' value, although it is not clear whether it means this is how you stop users impersonating someone else: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html

I only need the "Allow: ec2-instance-connect:SendSSHPublicKey" IAM permission to allow an AWS principal to use ec2-instance-connect.

The restriction for IAM that is mentioned in the document refers to 'The ec2:osuser condition. This specifies the name of the OS user that can push the public key to an instance'.

I.e. if I don't set this condition, I can just create any ephemeral public key for any user just by merit of having the "Allow: ec2-instance-connect:SendSSHPublicKey" IAM permission in my principal's policy.

So I can imagine this scenario:

1. IAM for a user has a single entry "Allow: ec2-instance-connect:SendSSHPublicKey" added.

   1. The user can impersonate anyone on the server.

   2. Now, to limit the user, you need to explicitly add the 'ec2:osuser' condition.

This looks very counterintuitive to me.

1 Answer

I think you are right in your analysis, but least privilege is rarely, if ever, forced in any policy. Least privilege in this context most likely means setting the ec2:osuser condition in the IAM policy.

kentrad
answered a year ago
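The two policies the question and the answer talk about, side by side, as an added example (not code from the thread or from AWS): the first grants SendSSHPublicKey on an instance with no condition, the second adds the `ec2:osuser` condition key so the principal can only push a key for one OS account. The small evaluator underneath is a deliberately simplified model of IAM (Allow/Deny statements, `StringEquals`/`StringLike` conditions only) written for this illustration; it is not the real IAM engine, and the account id, instance id and user names are constructed placeholders.

```python
"""Added example: an unscoped ec2-instance-connect policy beside one scoped
with the ec2:osuser condition key, plus a simplified evaluator showing which
SendSSHPublicKey calls each policy permits. The evaluator models only
Allow/Deny statements with StringEquals/StringLike conditions; it is not
the real IAM engine."""
import fnmatch
import json

# Constructed placeholders for the example (not real ids).
INSTANCE_ARN = "arn:aws:ec2:eu-west-2:111122223333:instance/i-0123456789abcdef0"
ACTION = "ec2-instance-connect:SendSSHPublicKey"

# Policy 1: what the question grants. Any OS user on the host can be targeted
# because nothing constrains the ec2:osuser request key.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": INSTANCE_ARN,
    }],
}

# Policy 2: same action and resource, but the ec2:osuser condition limits the
# ephemeral key push to a single OS account (the least-privilege form).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": INSTANCE_ARN,
        "Condition": {"StringEquals": {"ec2:osuser": "my_user"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every condition key must match the request context; a key missing
    from the context fails the condition, as it does in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected_values = _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected_values:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, e) for e in expected_values):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise the
    request is allowed if any Allow statement matches."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def key_push_allowed(policy, osuser, resource=INSTANCE_ARN):
    """Would this policy let the principal push an ephemeral key for `osuser`?"""
    return is_allowed(policy, ACTION, resource, {"ec2:osuser": osuser})


if __name__ == "__main__":
    for name, policy in (("unscoped", UNSCOPED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(policy, indent=2))
        for user in ("my_user", "some_other_user", "root"):
            print(f"  osuser={user}: allowed={key_push_allowed(policy, user)}")
```

Running it shows the unscoped policy permitting a key push for every OS user, while the scoped policy permits only `my_user`; that is the behaviour the condition key is meant to enforce, and the reason the answer reads "least privilege" as "set `ec2:osuser`".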
