0 votes

I have a bastion host in a public subnet which I am going to use to log in to another EC2 instance in a private subnet. I have set it up and everything is working fine (Linux SSH). But I am curious to know if there is any IAM role that will come into play here if I do not specify anything explicitly. Can anyone please let me know?

I don't believe user permissions will affect anything in this situation. Maybe I don't understand your question. - Pheric

Yes, maybe. That's what I meant exactly. Then under what circumstances does IAM come into play? I am trying to understand at a bit more abstract level. I know we need an IAM policy to access services like S3 or SNS etc. But then why doesn't that apply here? I can think of it as trying to access a server via the SSH service. - SRaj

Right. As I understand it, you need IAM roles for accessing resources with the console or API. You can have SSH keys automatically imported to your system if you need. But at that point, authentication done in your server itself is no longer the responsibility of IAM. When you directly connect to the server, your routing and firewalls are managed by the console, but even then IAM doesn't matter for anyone except the admin. - Pheric

1 Answer

2 votes

IAM Roles are used to provide credentials for making API calls to AWS. For example, they might be calls to launch Amazon EC2 instances or to change network settings.

Based on your description, your bastion server does not need to make any API calls to AWS, so an IAM Role is not required.

Authentication for SSH is performed by the Linux operating system using keypairs. This is 'normal' Linux and does not involve AWS (except that AWS can generate keypairs for you if you do not wish to import your own keypairs).

By the way, instead of using SSH via a Bastion server, you could consider using AWS Systems Manager Session Manager, which can provide SSH-like connectivity including to instances in private subnets.
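The two connection paths discussed above, as an added example that is not part of the question or the answer: a POSIX shell script that writes an ssh_config with the bastion setup the asker describes, where IAM plays no part and only the two hosts' authorized_keys decide who gets in, beside the Session Manager variant the answer suggests, where IAM does come into play. Host names, addresses, user names and key paths are placeholders. The Session Manager stanza additionally assumes the AWS CLI and the Session Manager plugin are installed on the workstation, that the caller's IAM identity is allowed ssm:StartSession on the target, and that the instance has an instance profile carrying the AmazonSSMManagedInstanceCore managed policy so the SSM agent can register. The audit function flags ForwardAgent yes, which ProxyJump makes unnecessary and which would let anyone who compromises the bastion use the workstation's keys.

```shell
#!/bin/sh
# Added example, not from the original post. All hosts, addresses and key
# paths are placeholders (203.0.113.0/24 is a documentation range).

# Variant A: classic bastion. ProxyJump (OpenSSH 7.3+) opens the second SSH
# connection through the bastion as a tunnel, so the private key for the
# inner host never leaves the workstation and the bastion only ever sees
# encrypted traffic. No AWS API call is made, so no IAM role is involved:
# authentication is done by sshd on each Linux host against authorized_keys.
ssh_config_bastion() {
    cat <<'EOF'
Host bastion
    HostName 203.0.113.10
    User ec2-user
    IdentityFile ~/.ssh/bastion-key.pem
    IdentitiesOnly yes

Host private-app
    HostName 10.0.2.15
    User ec2-user
    IdentityFile ~/.ssh/private-app-key.pem
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
EOF
}

# Variant B: SSH over Session Manager, no bastion and no inbound port 22.
# The ProxyCommand is the form documented by AWS for AWS-StartSSHSession.
# IAM matters twice here: the caller needs ssm:StartSession on the instance
# (checked by the SSM API, not by sshd), and the instance role must allow the
# SSM agent to register (AmazonSSMManagedInstanceCore). sshd still checks the
# key once the tunnel is up. Assumes the Session Manager plugin is installed.
ssh_config_ssm() {
    cat <<'EOF'
Host i-* mi-*
    User ec2-user
    IdentityFile ~/.ssh/private-app-key.pem
    IdentitiesOnly yes
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Write both stanzas to the given path with owner-only permissions, which
# ssh requires for config files it will trust.
write_ssh_config() {
    { ssh_config_bastion; echo; ssh_config_ssm; } > "$1"
    chmod 600 "$1"
}

# Return 1 if any stanza enables agent forwarding. With ProxyJump the bastion
# never needs the agent, and forwarding it would let a compromised bastion
# authenticate as you to any host your agent holds keys for.
audit_ssh_config() {
    if grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$1"; then
        echo "audit: ForwardAgent yes found in $1" >&2
        return 1
    fi
    return 0
}

# Usage: write_ssh_config ~/.ssh/config.aws && audit_ssh_config ~/.ssh/config.aws
# then: ssh -F ~/.ssh/config.aws private-app   (variant A)
#       ssh -F ~/.ssh/config.aws i-0123456789abcdef0   (variant B)
```

The Session Manager path is also what makes the IAM question non-hypothetical: if you later replace the bastion with SSM, a missing ssm:StartSession permission or a missing instance profile fails the connection before sshd is ever reached, which is exactly the layer the answer says is absent from a plain SSH setup.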