
We can assign an EC2 instance an IAM role.

  1. Now say we have two EC2 instances, A (in a public subnet) and B (in a private subnet).
  2. Now can we also allow SSH from A to B if A has an IAM role R, by defining a permission policy on EC2 instance B to allow access to role R?

Right now I am able to connect from A to B using SSH by uploading the private key to A and then using `ssh -i`. But can we avoid storing the private key on A? Is there some way? Or is it a must to store the private key?


1 Answer


If you want to restrict users' access to your individual EC2 instances by using IAM, there are 2 approaches that you can take.

The first approach is to use EC2 Instance Connect. This approach provides a traditional way of connecting to an instance via a terminal over the SSH protocol; more information on setting it up can be found here.

The second approach you could take is to make use of Session Manager. Session Manager is part of the SSM services; it allows you to programmatically connect to your EC2 instance via either the AWS console or the AWS CLI rather than connecting over the SSH protocol.
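As an added illustration of the two approaches in this answer (not code from the original post or from AWS), the following builds the least-privilege IAM policy that role R on instance A would carry for each option, scoped to instance B alone, and includes a small check that flags policies granting either session-opening action on every instance. Region, account and instance id are constructed placeholders.

```python
# Constructed placeholder values for the question's scenario: instance A holds role R,
# instance B in the private subnet is the target. Replace with your own region, account and instance id.
REGION = "us-east-1"
ACCOUNT = "123456789012"
INSTANCE_B = "i-0123456789abcdef0"
OS_USER = "ec2-user"

# Actions that open an interactive path to an instance; never grant them on Resource "*"
SESSION_ACTIONS = {"ec2-instance-connect:SendSSHPublicKey", "ssm:StartSession"}


def instance_arn(region, account, instance_id):
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


def instance_connect_policy(region, account, instance_id, os_user):
    """Role R may push a short-lived public key to instance B only, and only for os_user."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PushEphemeralKeyToInstanceB",
         "Effect": "Allow",
         "Action": "ec2-instance-connect:SendSSHPublicKey",
         "Resource": instance_arn(region, account, instance_id),
         "Condition": {"StringEquals": {"ec2:osuser": os_user}}},
        # DescribeInstances has no resource-level permissions, so "*" is unavoidable here
        {"Sid": "ResolveInstanceDetails",
         "Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "*"},
    ]}


def session_manager_policy(region, account, instance_id):
    """Role R may open a Session Manager session on instance B only; no SSH port or key involved."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartSessionOnInstanceB",
         "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": instance_arn(region, account, instance_id)},
    ]}


def overly_broad_statements(policy):
    """Sids of Allow statements granting a session-opening action on every instance (Resource "*")."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and SESSION_ACTIONS & set(actions) and "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```

With the Instance Connect policy attached to role R, instance A never stores a long-lived private key: it generates a throwaway pair (`ssh-keygen -t ed25519 -f /tmp/b_key -N ""`), pushes the public half with `aws ec2-instance-connect send-ssh-public-key --instance-id <B> --instance-os-user ec2-user --ssh-public-key file:///tmp/b_key.pub`, and must complete `ssh -i /tmp/b_key ec2-user@<B>` within the 60-second window the pushed key stays valid. With the Session Manager policy, `aws ssm start-session --target <B>` needs no key and no open port 22 on B at all.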