This time, I was playing around with AWS and created some EC2 instances.
When you create and work with your instances, you need to take care of authentication: you would usually import or create a new key pair and use the private key on your machine to connect to the EC2 instance over SSH. Creating a key pair and downloading the private key is pretty simple. On the page below you select the name, type and format of the key pair and, once it is created, the private key is automatically downloaded to your PC. This is the only time you get it: AWS keeps just the public half, so if the downloaded file is lost (or ends up readable by someone else) you need a new key pair:
Now you can create your instance and select the created key pair for authentication:
If you have your private key ready and the instance is up and reachable, you can use SSH (for example) to connect to it:
So… we have a challenge! SSH refuses to use the key: the private key file is not secured enough, and other users on the machine could read it. OpenSSH deliberately rejects a private key file that is readable by other users, because a key that others can read is as good as stolen.
If we look at the permissions, we can see that all of them are inherited from the folder the key was saved in. So we need to remove the inheritance (and with it the inherited entries) and grant access only to the account that needs it:
And after some “tweaking”:
If we retry the connection, this happens:
Excellent!
And if you’re not a fan of clicking through the permissions dialog, here are two scripts that do the same thing: they remove the inheritance and grant Full control only to the account that owns and uses the file (both need the path to your private key file as a parameter!):
- the “PowerShell” flavour:

```powershell
# Script fixes permissions for a private key (PEM) file used to connect to an EC2 instance.
# Usage: pass the path to the key file as the only parameter.
param (
    [Parameter(Mandatory)]
    [String] $file
)

$acl = Get-Acl -Path $file
# Disable inheritance and do not preserve the inherited rules (they are dropped, not copied).
$acl.SetAccessRuleProtection($true, $false)
# Allow Full control for the file owner only. Note: a file created from an elevated shell
# by an administrator is owned by BUILTIN\Administrators, not the user, so run this as the
# user who downloaded the key or replace $acl.Owner with that user's account name.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($acl.Owner, "FullControl", "None", "None", "Allow")
# SetAccessRule replaces any existing rules for that identity with this one.
$acl.SetAccessRule($rule)
Set-Acl -Path $file -AclObject $acl
```
- the “CMD” flavour:

```cmd
@ECHO OFF
REM Script fixes permissions for a private key (PEM) file used to connect to an EC2 instance.
REM Usage: pass the path to the key file as the only argument ("%~1" keeps paths with spaces intact).
REM /inheritance:r removes all inherited ACEs; /grant:r replaces any explicit grant for the
REM named account with Full control (F) for the current user.
REM The grant names the current user rather than the CREATOR OWNER well-known SID (S-1-3-0):
REM that SID is a placeholder Windows substitutes only when an ACE is inherited by a new
REM object, so an ACE granted to it directly on a file does not match the owner's token.
icacls.exe "%~1" /inheritance:r /grant:r "%USERNAME%":(F)
```
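As an added example (not one of the scripts from this post or its GitHub repository), the PowerShell script below does the same lock-down but ties the grant to the account that actually runs ssh (taken from the process token rather than the file owner), grants only Read instead of Full control, and then audits the resulting DACL so a leftover entry is reported before ssh rejects the key. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and that the key is used from the same account that runs the script; the function and parameter names are my own.

```powershell
# Added example (not from the original post): lock a PEM key down to the
# account that runs ssh, then audit the resulting DACL before ssh is used.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
param (
    [Parameter(Mandatory)]
    [string] $Path
)

Set-StrictMode -Version Latest

# SID of the account running this script (assumed to be the one that runs ssh).
# The token SID is used instead of $acl.Owner because a file created from an
# elevated shell by an administrator is owned by BUILTIN\Administrators, not the user.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

function Set-PrivateKeyAcl {
    param (
        [string] $File,
        [System.Security.Principal.SecurityIdentifier] $Sid
    )
    $acl = Get-Acl -LiteralPath $File
    # Turn inheritance off and discard the inherited ACEs rather than copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE that is already there (e.g. an earlier grant to Everyone),
    # so the final DACL contains exactly one entry.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($ace)
    }
    # Read is all ssh needs. The file owner keeps READ_CONTROL and WRITE_DAC implicitly,
    # so the ACL can still be changed back later without Full control.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, 'Read', 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $File -AclObject $acl
}

function Test-PrivateKeyAcl {
    # Returns a list of findings; an empty list means only the allowed SIDs are granted access.
    param (
        [string] $File,
        [System.Security.Principal.SecurityIdentifier[]] $Allowed
    )
    $acl = Get-Acl -LiteralPath $File
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance is still enabled, so parent-folder ACEs apply'
    }
    foreach ($ace in $acl.Access) {
        # Deny entries never widen access, so only Allow entries are inspected.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($Allowed -notcontains $sid) {
            $findings += "Allow ACE for $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
    return $findings
}

Set-PrivateKeyAcl -File $Path -Sid $me
$findings = @(Test-PrivateKeyAcl -File $Path -Allowed @($me))
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw "ACL on $Path is still too open; ssh will reject this key"
}
$owner = (Get-Acl -LiteralPath $Path).Owner
Write-Host "${Path}: readable only by $($me.Translate([System.Security.Principal.NTAccount])) (owner: $owner)"
```

Run it as the user who will invoke ssh, with the key path as the only argument. If ssh should also be usable from an elevated shell, pass the SYSTEM and BUILTIN\Administrators SIDs in the allowed list as well instead of relaxing the ACL for everyone.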
Hope it helps!
Cheers!
P.S. Scripts are also available at my GitHub (https://github.com/TomicaKaniski/toms-notes-code/).
P.P.S. There’s also a script that restores inheritance and inherited permissions… in case you… mess something up. 😀