EC2 Security


EC2 Security is designed to give authorised users access to their machines, but nobody else. An AMI image can be published; when it is picked up by other users, it gets rebound to the new owners in the process. Even so, you need to be sure that there are no back doors in the VMs. Amazon warn people about naively using third-party AMIs. Even with the Amazon issues, there is the risk that they are not so much malicious, just capable of leaving vulnerabilities in the systems. Furthermore, being Linux images, they are implicitly vulnerable if not kept up to date.

The S3 store has a fairly complex security model, as it is possible to make any resources in the asset store public, and it is possible to grant restricted access rights to downstream users. This is used to enable all the 'upload to S3' applications that can be resold to others.

Security Key setup

This turns out to be very tricky. Imagine, security that is hard to set up!

Security concepts

  • You have an account. This is where bills are sent. It must have a credit card set up. A normal Amazon account can be used for this; if you have more than one credit card you must declare which card to use for billing.
  • There is an Access Key ID and Secret Access Key. The ID is not secret; it is included in various requests. The Secret Access Key is used to sign messages. Users can create new secret access keys; these are shared secrets between you and Amazon Web Services.
  • The Firefox EC2 GUI uses the key ID and Secret Access Key to identify you.
  • There is an X509 certificate and a matching RSA private key for talking to the AWS system. This is generated on the AWS web site and downloaded over HTTPS. Of course, this means that Amazon themselves could retain the private key, but it is only used to authenticate AWS communications. If you do not trust Amazon, you can upload your own certificate. These certificates and keys are bound to the Access Key ID; you can use them in communications with the servers without including the Access Key ID.
  • The X509 certificate is used for WS-Security operations; the SOAP stack. This includes the Amazon command line tools. It is not apparently used by the AWS query API.
  • There is only one X509 certificate per account. When a new one is created, the old one is revoked.
  • An SSH 'keypair' is generated to talk to specific machines. This is done on your local machine; the public key is then uploaded to the AWS infrastructure via a specific operation.

Certificates

  1. Create an X.509 certificate on the Amazon Web Services site, under your account settings. This gives two files to download: a certificate and a private key. Save these to somewhere like ~/.ec2
  2. Set the EC2_PRIVATE_KEY environment variable to the downloaded private key.
  3. Set the EC2_CERT environment variable to the downloaded certificate.
  4. Test the settings with the command ec2-describe-images -o self

Keypairs

Before creating a machine, you need a new keypair.

Keypairs can be created from the Firefox GUI, but you get more control from the command line.

> ec2-add-keypair ec2-keypair1
KEYPAIR ec2-keypair1    9e:e4:17:35:74:6d:45:61:be:4c:a4:7c:bb:d2:cc:d3:1f:5b:c8:bc
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----

This is an OpenSSH-compatible private key. To use it on Windows, you need PuTTY installed, and you need to convert it into PuTTY format.

You can list the current keypairs in the GUI, or on the command line:

> ec2-describe-keypairs
KEYPAIR keypair1        ea:cf:74:4d:45:d2:0f:17:a3:31:91:14:1d:ad:3f:a6:72:c1:f8:f4
KEYPAIR ec2-keypair1    9e:e4:17:35:74:6d:45:61:be:4c:a4:7c:bb:d2:cc:d3:1f:5b:c8:bc

After putting the private key up on a web site, you also need to unregister the key:

> ec2-delete-keypair ec2-keypair1
KEYPAIR ec2-keypair1

To use these keys, you need to save them somewhere for ssh to get at. Generate a key and save the output to a file, then make that file accessible only to the owner:

> ec2-add-keypair ec2-keypair1 > ~/.ssh/ec2.keypair.ssh
> chmod 0600 ~/.ssh/ec2.keypair.ssh

Windows users have to look at the documentation to see how to import it into PuTTY. Note that the generated private key is not protected by a passphrase. If you want that, use ssh-keygen -p -f ~/.ssh/ec2.keypair.ssh to set a passphrase on the new file. Running this program is also a good check that the file permissions are correct. Here is what you don't want to see:

ssh-keygen -p -f ~/.ssh/ec2.keypair.ssh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/slo/.ssh/ec2.keypair.ssh' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/slo/.ssh/ec2.keypair.ssh
Enter old passphrase:

And here is the passphrase being set:

ssh-keygen -p -f ~/.ssh/ec2.keypair.ssh
Key has comment '/home/slo/.ssh/ec2.keypair.ssh'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
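
The permission and passphrase checks described above can be scripted. This is an added example, not part of the original page or of the EC2 tools; the function names are hypothetical, and it relies on ssh-keygen -y, which derives the public key from a private key file.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not EC2 commands.
# Typical use:
#   ec2-add-keypair ec2-keypair1 | save_private_key ~/.ssh/ec2.keypair.ssh
#   audit_key ~/.ssh/ec2.keypair.ssh

# Write stdin to file $1 so the key is never group- or world-readable,
# not even in the window between a plain redirect and a later chmod.
save_private_key() {
    (
        umask 077 &&        # a newly created file gets at most 0600
        : > "$1" &&         # create or truncate before any key data arrives
        chmod 600 "$1" &&   # tighten a pre-existing, more open file
        cat >> "$1"
    )
}

# True when the file has no group/other permission bits at all.
key_perms_ok() {
    # Characters 5-10 of the ls mode string are the group and other triplets.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# True when the key cannot be loaded with an empty passphrase.
# -P "" supplies the empty passphrase so ssh-keygen never prompts.
key_has_passphrase() {
    ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Exit status: 0 ok, 1 permissions too open, 2 no passphrase set,
# 3 not checkable (ssh-keygen missing, or the file is not a private key).
audit_key() {
    # Permissions first: ssh-keygen ignores a key that is too open, which
    # would otherwise be mistaken for a passphrase failure.
    key_perms_ok "$1" || { echo "$1: permissions too open" >&2; return 1; }
    command -v ssh-keygen >/dev/null 2>&1 || return 3
    grep -q 'PRIVATE KEY-----' "$1" || return 3
    key_has_passphrase "$1" || { echo "$1: no passphrase set" >&2; return 2; }
    return 0
}
```
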

What's happened, then, is that you have created an SSH keypair and uploaded the public key to Amazon. You don't get to keep a copy of the public key, and you don't get to upload an existing key (not through their tools, anyway). You could probably get the public key back once you ssh in as root on the new machine:

# cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCFtrgaMv8fI0BXMqRYWb3ZrcpIvn7oCzeHXXDszp6m7WIc0w5eDDypeiLKPLRIkDb+DoLb0npGmUuE6yX3U+alYzpJ6O1WFq8AaPIoAet5SLDixA8QrNUG25Qy4fPO8d6u8HVlRBvra4KIlixDIDrD3XzikkNrjYkWb8Hyb/KJUHbxuqJL1xEVjVs6OptRNKlzwLlwMtQMO1ZD24gxvPMs8Z2ERzdgGEj6ELf+jaJWL31P3D6wzqlQl6tw/5vvTzJ7UOvDz8P1Uzr2iI2D6xluT1NXHf7DZd4eOUGA9gs/ZbwF3nkbtMreVPZTvw5emiEM2nVmxM26OimIA/NM0Ntt ec2-keypair1

Or you can copy things over:

scp -i ~/.ssh/ec2.keypair.ssh root@ec2-67-202-21-138.compute-1.amazonaws.com:.ssh/authorized_keys . 