
A few JumpCloud® users have reached out to us to determine how to create SSH access on AWS instances through OpsWorks and IAM. In case others out there are struggling with the same question, we wanted to answer it here on our blog.

EC2-User Account

Most admins today combine the two (OpsWorks and IAM) to create a shared account (ec2-user) across their instances and then give individuals access to that one account. Access is further scoped by creating a “stack,” i.e. a group of servers. They also grant the account sudo privileges.

AWS Tip Of The Day

Our tip of the day: DON’T DO IT! While this may look like a tempting approach to solving the problem, it is never, ever a good idea to create a shared root account for your organization. No, not even if there are just a few people at your company and a handful of servers.

Trust us; the downsides to this approach will greatly outweigh the positives of perceived time savings. Here are just a few reasons why:

  1. If an admin leaves, you have to change the root password on every instance.
  2. If the root password is compromised, your entire infrastructure is at risk.
  3. You have no audit control or visibility: actions taken through the shared account cannot be attributed to an individual.
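As an added illustration (not part of the JumpCloud post), a small POSIX shell audit that spots the pattern described above on a host: many people's keys stacked on one ec2-user account that also holds sudo rights. File paths are parameters, and the sample authorized_keys and sudoers lines at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the JumpCloud post: audit a host for the shared-account
# pattern above (many people's keys on one ec2-user account with sudo rights).
# File paths are parameters; the sample files at the bottom are constructed.

# Count public-key entries in an authorized_keys file (blank/comment lines ignored,
# option prefixes such as from="..." tolerated).
count_keys() {
    grep -cE '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$1" || true
}

# Print each key's comment field (usually "user@host"): the only hint of who holds
# a key, and exactly the attribution a shared account otherwise lacks.
list_key_owners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-sha2-)/) {
               print ($(i + 2) == "" ? "<no comment>" : $(i + 2)); break } }' "$1"
}

# True when account $1 is granted rights in sudoers file $2.
has_sudo() {
    grep -qE "^[[:space:]]*$1[[:space:]]+ALL=" "$2"
}

# Return 1 when account $1's authorized_keys ($2) holds more than one key, i.e.
# several people share the login; also flag sudo rights found in $3.
audit_shared_account() {
    account=$1; keys=$2; sudoers=$3
    n=$(count_keys "$keys")
    if [ "$n" -gt 1 ]; then
        echo "FINDING: $account has $n keys, so it is a shared account; holders:"
        list_key_owners "$keys" | sed 's/^/  /'
        has_sudo "$account" "$sudoers" && echo "  ...and it holds sudo rights"
        return 1
    fi
    echo "OK: $account has $n key(s)"
}

# Constructed demo data (not real keys).
demo=$(mktemp -d)
cat > "$demo/authorized_keys" <<'EOF'
# ec2-user keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE alice@laptop
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYBOB bob@workstation
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYCAROL
EOF
printf 'ec2-user ALL=(ALL) NOPASSWD:ALL\n' > "$demo/sudoers-ec2-user"
if ! audit_shared_account ec2-user "$demo/authorized_keys" "$demo/sudoers-ec2-user"; then
    echo "Remediation: one account per person, each with its own key and sudo rule."
fi
rm -rf "$demo"
```

Run it against a real instance by pointing the functions at /home/ec2-user/.ssh/authorized_keys and the relevant /etc/sudoers.d fragment; a key with no comment field is reported as "<no comment>" because nothing on the host says who it belongs to.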

Individual Privileged Accounts On AWS

In most cases, JumpCloud’s Identity-as-a-Service platform can create individual privileged accounts on all of your AWS instances faster than the approach outlined above, and without writing any code. JumpCloud is a core cloud-based directory service that controls who can access your IT infrastructure, including systems, applications, and networks. The offering is called Directory-as-a-Service®. It provides centralized user management, hosted LDAP services, True SSO™, WiFi authentication, multi-factor authentication, device management, and a great deal more.

Installing the lightweight JumpCloud agent takes a few minutes, and configuring users takes about the same. From there, servers can be added to groups and the right people given the right access, all without a shared account.

DevOps and IT admins are always looking for faster, more efficient ways of doing their job. The seemingly quick shortcut to create a shared account and hand that out sounds great, but the downsides are enormous. Luckily, there is a quicker way to solve this problem while dramatically improving your security. If you have any questions, please drop us a line. We’d be happy to help, or feel free to give our Identity-as-a-Service platform a try for free.
