Creating A New AWS EC2 Key For A 3rd Party Developer
When you launch an instance, you must specify a key pair, and you need that same key pair to set up an SSH connection to the instance. You can generate a new key pair or use an existing one. On Linux instances, Amazon EC2 adds the public key you specified at launch to ~/.ssh/authorized_keys. To log in to your Linux instance over SSH, you must present the private key that matches that public key.
In addition to setting up key pairs for SSH connections, it is essential to understand the two main types of access available for AWS accounts. Console access and programmatic access are the primary ways through which users can interact with their AWS accounts. Console access enables users to log in through either a root user or an IAM user, providing a user-friendly interface for managing AWS resources.
By comparison, programmatic access involves the creation and utilization of AWS access keys, comprising an access key ID and a secret access key, to facilitate automated interactions with AWS services through programmatic calls or tools like the AWS Command Line Interface. This distinction between console access and programmatic access is crucial for efficiently managing and utilizing AWS services.
Amazon EC2 stores the public key on your instance, and you store the private key. Keep your private key safe: anyone who possesses it can connect to your instances. You specify a key pair whenever you launch a new instance. Amazon EC2 can generate a key pair for you, and it also supports importing public keys generated with a third-party tool. If you lose your private key, Amazon EC2 cannot recover or recreate it for you. Even so, it remains possible to connect to an instance whose private key you have lost, by other means.
How to create:
Using Amazon Elastic Compute Cloud (EC2) to generate a key pair
- In order to access Amazon EC2, go to https://console.aws.amazon.com/ec2/.
- Key Pairs can be found on the sidebar under Network & Security.
- Pick New key pair to create.
- For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name you specify. The name can include up to 255 valid ASCII characters and must not contain leading or trailing spaces.
- Select either RSA or ED25519 as the Key pair type.
- Select the file format in which to save the private key. Choose pem to save the private key in an OpenSSH-compatible format, or ppk to save it in a format PuTTY can use.
- To add a tag to the public key, select Add tag and enter the tag's key and value. Repeat this for each tag you want to add.
- Select the New Key Pair option.
- Your browser automatically downloads the private key file. The file's base name is the name you gave the key pair, and its extension depends on the file format you chose. Save the private key file in a safe place.
- To ensure that only you can read the private key file, run the following command on a macOS or Linux computer with an SSH client before you attempt to connect to your Linux instance:
chmod 400 key-pair-name.pem
If these permissions are not set, a connection attempt using this key pair is refused with the error: Private key file not secured.
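The permission check that the chmod 400 step above satisfies can be automated before a connection attempt. The following is an added example, not AWS code: it reports whether a private key file is readable by anyone other than its owner (the condition behind the "Private key file not secured" error) and applies owner-read-only permissions when it is not. The demo writes a constructed placeholder file, not a real key.

```python
"""Check and fix private key file permissions (added example, not AWS code)."""
import os
import stat
import tempfile

# Any group or other permission bit set means the file is not adequately protected.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # 0o077


def private_key_is_secured(path):
    """True when no group/other permission bits are set, which is what chmod 400 produces.
    An SSH client refuses a private key that other users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & GROUP_OR_OTHER == 0


def secure_private_key(path):
    """Apply owner-read-only permissions (mode 0400) and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a constructed placeholder key file with loose permissions, then fix it.
    Returns (secured_before, secured_after)."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        # Placeholder content only; this is not a real private key.
        fh.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n")
        path = fh.name
    os.chmod(path, 0o644)                 # world-readable, as a careless download might leave it
    before = private_key_is_secured(path)
    mode_after = secure_private_key(path)
    after = private_key_is_secured(path) and mode_after == stat.S_IRUSR
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("secured before/after:", demo())
```

Run it as a script to see the before/after result, or call `private_key_is_secured("key-pair-name.pem")` in your own tooling before handing a key file to a developer.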
Use a third-party tool to generate a key pair, and then transfer the public key to Amazon EC2.
If you don’t want to use the Amazon EC2 interface, you can generate an RSA or ED25519 key pair elsewhere and then import the public key into Amazon EC2.
Key pair requirements
- Supported types: RSA and ED25519. Amazon EC2 does not support DSA keys.
- Supported formats:
- OpenSSH public key format (the format stored in ~/.ssh/authorized_keys). The EC2 Instance Connect API supports both the traditional format and the newer, more secure SSH2 format.
- SSH private key files must be in PEM or PPK format.
- (RSA only) Base64-encoded DER format.
- (RSA only) SSH public key file format as specified in RFC 4716.
- Supported lengths: 1024, 2048, and 4096. The EC2 Instance Connect API supports connections with lengths of 2048 and 4096 only.
How to create
- Generate a key pair with a third-party tool of your choice, for example ssh-keygen, which ships with the standard OpenSSH installation. You can also generate an RSA or ED25519 key pair using the standard libraries of many programming languages, including Java, Ruby, and Python. The private key must be in PEM or PPK format.
- Save the public key to a local file, for example ~/.ssh/my-key-pair.pub. The file extension does not matter.
- Save the private key to a local file with the .pem or .ppk extension, for example my-key-pair.pem or my-key-pair.ppk. Store the private key file somewhere secure: when you launch an instance you specify the name of the public key, and each time you connect to the instance you must supply the matching private key.
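Before importing a third-party key, it is worth checking it against the key pair requirements listed above so the import does not fail. The following is an added example, not AWS code: it parses one line in OpenSSH public key (authorized_keys) format using only the standard library, rejects DSA and unknown types, checks that an RSA modulus is 1024, 2048 or 4096 bits, and validates a key pair name against the naming rules. The sample keys are constructed blobs with the right structure, not real keys.

```python
"""Check an OpenSSH public key line against the EC2 import requirements (added example)."""
import base64
import struct

SUPPORTED_TYPES = {"ssh-rsa", "ssh-ed25519"}
RSA_LENGTHS = {1024, 2048, 4096}
MAX_NAME_LENGTH = 255


def _read_string(blob, offset):
    """Read one SSH 'string' (4-byte big-endian length, then bytes) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def check_ec2_public_key(line):
    """Return (ok, reason) for a '<type> <base64> [comment]' public key line."""
    fields = line.strip().split()
    if len(fields) < 2:
        return False, "expected '<type> <base64> [comment]'"
    declared_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        inner_type, offset = _read_string(blob, 0)
        inner_type = inner_type.decode("ascii", "replace")
        if inner_type != declared_type:
            return False, f"type field {declared_type!r} does not match blob type {inner_type!r}"
        if inner_type == "ssh-dss":
            return False, "DSA keys are not supported by Amazon EC2"
        if inner_type not in SUPPORTED_TYPES:
            return False, f"unsupported key type {inner_type!r}"
        if inner_type == "ssh-rsa":
            # RSA blob layout: string "ssh-rsa", mpint e, mpint n; key length = bit length of n
            _e, offset = _read_string(blob, offset)
            n_bytes, _ = _read_string(blob, offset)
            bits = int.from_bytes(n_bytes, "big").bit_length()
            if bits not in RSA_LENGTHS:
                return False, f"RSA length {bits} is not one of {sorted(RSA_LENGTHS)}"
            return True, f"RSA {bits}-bit key accepted"
        return True, "ED25519 key accepted"
    except (ValueError, struct.error) as exc:
        return False, f"malformed key: {exc}"


def validate_key_pair_name(name):
    """Apply the naming rules above: ASCII only, at most 255 chars, no leading/trailing spaces."""
    if not name or len(name) > MAX_NAME_LENGTH:
        return False
    if not name.isascii():
        return False
    return name == name.strip()


# --- constructed sample keys (valid structure, not real key material) ---
def _string(raw):
    return struct.pack(">I", len(raw)) + raw


def _mpint(value):
    # mpint: big-endian, with an extra leading 0x00 byte when the top bit would be set
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _string(raw)


def constructed_key_line(key_type, *encoded_fields):
    blob = _string(key_type.encode()) + b"".join(encoded_fields)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"


SAMPLES = {
    "rsa2048": constructed_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
    "rsa3072": constructed_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 3071) | 1)),
    "ed25519": constructed_key_line("ssh-ed25519", _string(b"\x01" * 32)),
    "dsa": constructed_key_line("ssh-dss", _mpint(3), _mpint(5), _mpint(7), _mpint(11)),
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, check_ec2_public_key(line))
```

To check a real key, pass the contents of your my-key-pair.pub file to `check_ec2_public_key`; the parser only reads the public key structure, so it never needs the private key.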
After you have generated your key pair, you can import your public key into Amazon EC2 in one of the following ways.
Importing the Public Key into Amazon EC2
- To open the Amazon EC2 console, go to https://console.aws.amazon.com/ec2/.
- In the left-hand navigation pane, select Key Pairs.
- Select Import key pair.
- For Name, enter a descriptive name for the public key. The name can include valid ASCII characters and must not contain leading or trailing spaces.
- Either select your public key file using the Browse button, or paste the key's contents into the Public key contents field.
- Select Import key pair.
- Verify that the imported public key appears in the key pair list.
Label a Public Key
Public keys can be imported to Amazon EC2 or generated there, and then labeled with metadata to make them easier to organize and manage.
You can view, add, and remove tags as follows.
- Navigate to the Amazon EC2 control panel at https://console.aws.amazon.com/ec2/.
- Select Key Pairs from the drop-down menu.
- First, pick a public key to work with, and then go to Actions > Manage tags.
- If the public key has any tags associated with it, you may view them on the Manage tags page.
- To add a tag, select Add tag and enter the key and value of the new tag. You can assign up to fifty tags per key. See the Tag limits page for details.
- To remove a tag, select it and click Remove.
- Click the Save button.
Best Practices
When managing AWS access keys, there are several best practices to follow that can enhance security and efficiency:
- Avoid generating access keys for the root account: It’s recommended not to create access keys for the AWS account root user unless necessary. Instead, create IAM users with appropriate permissions and use those accounts for daily AWS interactions.
- Utilize temporary security credentials: Long-term access keys should be avoided whenever possible. IAM roles can be set up to generate temporary security credentials that include an access key ID, a secret access key, and a security token with an expiry time.
- Properly manage IAM user access keys: If access keys are necessary for programmatic access to AWS services, create them for IAM users and assign them only the permissions needed for their tasks.
- Avoid hardcoding access keys: Access keys should never be directly embedded into your code. Preferably, store access keys securely in either the AWS Credentials file or in Environment Variables to prevent exposure and enhance security.
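The last two practices above can be backed by tooling. The following is an added example, not AWS code: a scanner that flags access key IDs and secret access keys embedded in source text, and a loader that resolves credentials the recommended way, from environment variables first and then from a profile in the AWS credentials file. It uses only the standard library; the sample source and credentials file are constructed, and the key values in them are AWS's documentation placeholders, not real credentials.

```python
"""Detect hardcoded AWS keys and load credentials safely (added example, not AWS code)."""
import configparser
import os
import re
import tempfile

# Long-term access key IDs start with AKIA, temporary ones with ASIA; both are 20 characters.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-like characters; only flag it next to a telltale name.
SECRET_RE = re.compile(r"""(?i)aws_secret_access_key\s*[=:]\s*['"]?([A-Za-z0-9/+]{40})""")


def find_hardcoded_keys(source):
    """Return (line_number, kind, value) for each suspected embedded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", match.group(0)))
        for match in SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", match.group(1)))
    return findings


def load_credentials(env=None, credentials_path=None, profile="default"):
    """Resolve credentials from the environment first, then from the AWS credentials file.
    Returns a dict describing where they came from, or None when none are configured."""
    env = os.environ if env is None else env
    key_id, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key_id and secret:
        return {"access_key_id": key_id, "secret_access_key": secret,
                "session_token": env.get("AWS_SESSION_TOKEN"), "source": "environment"}
    path = credentials_path or os.path.expanduser("~/.aws/credentials")
    parser = configparser.ConfigParser()
    if parser.read(path) and parser.has_section(profile):
        section = parser[profile]
        if "aws_access_key_id" in section and "aws_secret_access_key" in section:
            return {"access_key_id": section["aws_access_key_id"],
                    "secret_access_key": section["aws_secret_access_key"],
                    "session_token": section.get("aws_session_token"),
                    "source": f"credentials file ({profile})"}
    return None


# Constructed sample source with the anti-pattern the best practices warn against.
SAMPLE_SOURCE = '''import boto3
s3 = boto3.client("s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
'''


def demo_credentials_file():
    """Write a constructed credentials file with a 'contractor' profile and load from it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("[contractor]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                 "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        path = fh.name
    try:
        return load_credentials(env={}, credentials_path=path, profile="contractor")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE_SOURCE):
        print("hardcoded credential:", finding)
    print("loaded:", demo_credentials_file()["source"])
```

Running the scanner over a repository before it is shared with a third-party developer catches the most common form of key leakage; the loader shows the shape of code that should replace any finding.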