AWS: How to give an IAM user access to an EC2 instance
I would like to give access to an IAM user to an EC2 instance.
In other words, I'd like him to be able to access it using ssh with keys just like I would with the root user:
ssh -i ACCESS_KEYS_DIRECTORY_PATH [email protected]
For this I can follow 2 scenarios:
SCENARIO 1:
- Create an EC2 instance using the root user.
- Attach a policy to this EC2 instance that allows the IAM user to access it
SCENARIO 2:
- Attach a policy to the IAM user that allows him to create an EC2 instance.
- Sign-in to the console with the IAM user, and create the EC2 instance.
- Generate the ACCESS_KEYS that gives the user access to this instance.
SCENARIO 3:
- Create an instance using the root user
- Since each instance has its own ACCESS_KEYS, there's no need to do any of what I mentioned above, and I can simply hand the access keys to the IAM user.
So which scenario should I follow and why?
Solution 1:[1]
The traditional EC2 Keypair based SSH access is completely independent from AWS IAM. Your generated private keyfile can be given to anyone and they would have SSH access to the instance (assuming the user can connect to the SSH port and the SSH daemon is running).
If you need to provide SSH access via IAM policies, Enabling and controlling permissions for SSH connections through Session Manager is probably your best option.
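The Session Manager route from Solution 1, as an added example that is not part of either answer: a least-privilege IAM policy that lets one user open an SSH session to one instance only, plus the client-side ssh_config that tunnels SSH through Session Manager. Account ID, region, instance ID and the user name alice are placeholders. Note what IAM does and does not decide here: the policy gates who may open the tunnel to the instance (no public IP or inbound port 22 is needed), but sshd on the instance still authenticates with the SSH key, so the key from launch is still handed to the user.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): SSH through AWS Systems Manager
# Session Manager, gated by IAM. Assumed placeholders: account 111122223333,
# region us-east-1, instance i-0123456789abcdef0, IAM user "alice".
# Prerequisites on the instance: SSM Agent running and an instance profile that lets
# it register with Systems Manager (e.g. the AmazonSSMManagedInstanceCore managed
# policy). On the client: the AWS CLI and the Session Manager plugin.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
REGION="${REGION:-us-east-1}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
IAM_USER="${IAM_USER:-alice}"

# Policy: StartSession only against this instance and only with the
# AWS-StartSSHSession document; SessionDocumentAccessCheck makes the document
# restriction enforced. The user may end or resume only their own sessions.
ssm_ssh_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSshSessionToOneInstanceOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${REGION}:${ACCOUNT_ID}:instance/${INSTANCE_ID}",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ],
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Client ~/.ssh/config: any host that looks like an instance ID is reached through
# a Session Manager port-forwarding tunnel instead of a routable IP.
ssh_config_snippet() {
  cat <<EOF
Host i-* mi-*
    User ec2-user
    IdentityFile ~/.ssh/${INSTANCE_ID}.pem
    ProxyCommand sh -c "aws ssm start-session --target %h --region ${REGION} --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Attach the policy to the user and connect. Only touches AWS when asked to.
apply_and_connect() {
  aws iam put-user-policy --user-name "$IAM_USER" \
    --policy-name "ssm-ssh-${INSTANCE_ID}" \
    --policy-document "$(ssm_ssh_policy)"
  ssh_config_snippet >> "$HOME/.ssh/config"
  # IAM decides whether the tunnel opens; sshd still checks the key in IdentityFile.
  ssh "ec2-user@${INSTANCE_ID}"
}

if [ "${1:-}" = "--apply" ]; then
  apply_and_connect
else
  ssm_ssh_policy
  ssh_config_snippet
fi
```

Run without arguments to review the policy and the ssh_config stanza; run with `--apply` to attach the inline policy and connect. Every session start is recorded in CloudTrail as an `ssm:StartSession` call by the IAM user, which is the audit trail the plain key-pair model lacks.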
Solution 2:[2]
Connect to your Linux instance using EC2 Instance Connect.
Amazon EC2 Instance Connect provides a simple and secure way to connect to your Linux instances using Secure Shell (SSH). With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principals to control SSH access to your instances, removing the need to share and manage SSH keys. All connection requests using EC2 Instance Connect are logged to AWS CloudTrail so that you can audit connection requests.
You can use EC2 Instance Connect to connect to your instances using the Amazon EC2 console (browser-based client), the Amazon EC2 Instance Connect CLI, or the SSH client of your choice.
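The EC2 Instance Connect route from Solution 2, as an added example that is not part of either answer: an IAM policy that lets one user push a key to one instance as one OS user, and a connection script that generates a throwaway key pair, pushes the public half (valid on the instance for 60 seconds) and opens SSH with it. Account ID, region, instance ID, OS user and the user name alice are placeholders. Unlike the Session Manager route, no long-lived key from launch is shared at all; revoking the IAM permission revokes SSH access.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): EC2 Instance Connect with an
# ephemeral key per connection. Assumed placeholders: account 111122223333,
# region us-east-1, instance i-0123456789abcdef0, OS user ec2-user, IAM user "alice".
# Prerequisites: the instance runs the ec2-instance-connect package (an sshd
# AuthorizedKeysCommand that fetches pushed keys), which Amazon Linux 2 and recent
# Ubuntu AMIs ship, and its security group allows port 22 from the client.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
REGION="${REGION:-us-east-1}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
OS_USER="${OS_USER:-ec2-user}"
IAM_USER="${IAM_USER:-alice}"

# Policy: the user may push a key only to this instance and only for this OS user
# (the osuser condition is what stops them from pushing a key for root).
# DescribeInstances is needed so the CLI can resolve the instance's address.
instance_connect_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PushKeyToOneInstanceAsOneOsUser",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:${REGION}:${ACCOUNT_ID}:instance/${INSTANCE_ID}",
      "Condition": {
        "StringEquals": { "ec2-instance-connect:osuser": "${OS_USER}" }
      }
    },
    {
      "Sid": "ResolveInstanceAddress",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
EOF
}

attach_policy() {
  aws iam put-user-policy --user-name "$IAM_USER" \
    --policy-name "instance-connect-${INSTANCE_ID}" \
    --policy-document "$(instance_connect_policy)"
}

# Fresh RSA key per connection (RSA is accepted by every Instance Connect release;
# newer AMIs also take ed25519). The pushed public key expires after 60 seconds,
# so the ssh must follow immediately.
connect() {
  keydir=$(mktemp -d)
  ssh-keygen -q -t rsa -b 2048 -N "" -f "$keydir/id_rsa"
  aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[0].Instances[0].[PublicDnsName,Placement.AvailabilityZone]' \
    --output text | { read -r host az
    aws ec2-instance-connect send-ssh-public-key \
      --region "$REGION" --instance-id "$INSTANCE_ID" \
      --availability-zone "$az" --instance-os-user "$OS_USER" \
      --ssh-public-key "file://$keydir/id_rsa.pub"
    ssh -i "$keydir/id_rsa" "${OS_USER}@${host}"
  }
  rm -rf "$keydir"
}

if [ "${1:-}" = "--connect" ]; then
  attach_policy
  connect
else
  instance_connect_policy
fi
```

Run without arguments to review the policy; run with `--connect` to attach it and open a session. Each `SendSSHPublicKey` call lands in CloudTrail with the IAM user, instance ID and OS user, so "who logged in as whom" is answerable without touching the instance's own logs.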
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Kaustubh Khavnekar |
| Solution 2 | jarmod |
