
Design to Securely Access Private Instances in AWS VPC

Naresh Waswani
4 min read · Jun 13, 2020


Deploying workloads in the AWS Cloud is common nowadays. Developers, or I should say DevOps engineers, have mastered the art of deployment, but one point still causes a struggle: how to give the Dev teams access to the EC2 instances running in the private subnets of a VPC in AWS.

Well, one common thought process is to share the private key used while launching the EC2 instances with the Dev team. Simple, isn’t it!!! But security goes for a toss: a key shared by everyone cannot be revoked for one person, and no login can be attributed to one developer.

Another option is to let each developer use their own private key (generated on their workstation using a key-gen utility) to connect to the instances. I know you have a question popping up: how would the EC2 instance authenticate the developer's private key when it does not have the developer's public key? Here is the high-level solution to the problem.

Let each developer generate a public-private key pair on their workstation and have the public key added to the authorized_keys file used for ec2-user (assuming we are using an Amazon Linux AMI). How we automate this end to end is captured below.

Steps

1. Developer generates a public-private key pair using a key generator utility.

2. Create a file named authorized_keys. This file will eventually contain the public key of each developer.
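As an added example (not code from the article), here is one way to automate step 2: a Python script that validates each developer's public-key line before it is merged into the authorized_keys file for ec2-user, refusing unknown key types, malformed blobs and a key submitted by two developers. The key material it uses is constructed filler, and the resulting file is assumed to be installed afterwards at /home/ec2-user/.ssh/authorized_keys with mode 0600 and owned by ec2-user.

```python
import base64

# Key types accepted for ec2-user logins; everything else is rejected up front.
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def _first_wire_string(blob: bytes) -> bytes:
    """Return the first length-prefixed string of an SSH key blob (RFC 4253 format)."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 + n:
        raise ValueError("key blob truncated")
    return blob[4:4 + n]


def parse_pubkey(line: str):
    """Validate one '<type> <base64> [comment]' line; return (type, base64, comment)."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"key type {ktype!r} not allowed")
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    if _first_wire_string(blob) != ktype.encode():
        raise ValueError("declared key type does not match the encoded blob")
    return ktype, b64, comment


def build_authorized_keys(dev_keys: dict) -> str:
    """dev_keys maps developer name -> that developer's public key line.
    Produces authorized_keys content for ec2-user: one key per developer, the
    comment replaced by the developer's name so each login can be attributed,
    and a key shared by two developers refused rather than silently merged."""
    owner, out = {}, []
    for dev, line in sorted(dev_keys.items()):
        ktype, b64, _ = parse_pubkey(line)
        if b64 in owner:
            raise ValueError(f"{dev} submitted the key already registered to {owner[b64]}")
        owner[b64] = dev
        out.append(f"{ktype} {b64} {dev}")
    return "\n".join(out) + "\n"


def constructed_ed25519_line(name: str, fill: int) -> str:
    """Build a syntactically valid ssh-ed25519 line for demonstration only:
    the 32-byte 'key' is constant filler, not output of a real key generator."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {name}@workstation"
```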
