Demystifying AWS/EC2 Access Credentials

I have recently begun pursuing a career in cloud technology, or at least trying to get into the right frame of mind to work with databases hosted in the cloud. For this purpose I chose to study AWS and all of its features, and no sooner had I begun working my way through the core concepts and getting hands-on experience than I was awestruck by the dizzying number of credentials, keys, IDs, usernames, certificates, passwords and codes used to access and control the various accounts, services and features. That led me to conclude that I needed a single document giving me a clear-cut understanding of what each of those credentials means and which one gets me access to what in the AWS/EC2 infrastructure and/or topology.

  • AWS Email Address and Password are used to log in to your AWS account on the AWS website. Through this website you can access and change information about your account, including billing information, view the account activity, and control many of the AWS services through the AWS console. Both of these values may be changed as needed.
  • MFA Authentication Code is required only if you have ordered and activated a multi-factor authentication device; parts of the AWS site are then protected not only by the email address and password described above but also by this code. It is a 6-digit code displayed on your device which changes every 30 seconds or so, and the AWS website prompts you for it after you successfully enter your email address and password.
  • AWS Account Number is a 12-digit number separated by dashes in the form 1234-5678-9012. You can find your account number under your name at the top right of most pages on the AWS website (when you are logged in). This number is not secret and may be visible to other users in certain circumstances. I don’t know of any situation where you would use the number in this format with dashes, but it is needed to create the next identifier.
  • AWS User ID is a 12-digit number with no dashes. In fact, it is simply the previously mentioned AWS Account Number with the dashes removed (e.g., 123456789012). Your User ID is needed by some API and command line tools.
  • AWS Access Key ID and Secret Access Key are the first of two pairs of credentials which can be used to access and control basic AWS services through the API, including EC2, S3, SimpleDB, CloudFront, SQS, EMR, RDS, etc. Some interfaces use this pair and some use the next pair below, so pay close attention to the names requested. The Access Key ID is 20 alphanumeric characters like 022QF06E7MXBSH9DHM02 and is not secret; it is visible to others in some situations. The Secret Access Key is 40 characters drawn from letters, digits, slash and plus, like kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct, and must be kept very secret. You can change your Access Key ID and Secret Access Key if necessary. In fact, Amazon recommends regular rotation of these keys: generate a new pair, switch applications to the new pair, then deactivate the old pair. If you forget either of these, they are both available from AWS.
  • X.509 Certificate and Private Key are the second pair of credentials that can be used to access the AWS API. The EC2 command line tools generally need these, as might certain 3rd party services. They are also used for various AWS tasks such as encrypting and signing new AMIs when you build them. These are the largest credentials, taking the form of short text files with long names like cert-OHA6ZEBHMCGZ66CODVHEKKVOCYWISYCS.pem and pk-OHA6ZEBHMCGZ66CODVHEKKVOCYWISYCS.pem respectively. Amazon keeps a copy of the Certificate so they can verify your requests, but they do not store your Private Key, so don’t lose it after you generate it. Two of these pairs can be associated with your account at any one time, so they can be rotated as often as you rotate the Access Key ID and Secret Access Key.
  • Linux username is the account you connect as when you ssh to a new EC2 instance; it must already exist on that system. For almost all public AMIs this is the root user, but on Ubuntu AMIs published by Canonical you need to connect as the ubuntu user. Once you gain access to the system, you can create your own users.
  • Public ssh key and Private ssh key are often referred to as a key pair in EC2. The ssh keys make sure that only you can access your EC2 instances. When you run an instance, you specify the name of the key pair and the corresponding public key is provided to that instance. When you ssh to the above username on the instance, you specify the private key so the instance can authenticate you and let you in. You can have multiple ssh key pairs associated with a single AWS account; they are created through the API or with tools like the ec2-add-keypair command. The private key must be protected, as anybody with this key can log in to your instances. You generally never see or deal with the public key, as EC2 keeps that copy and provides it to the instances. You download the private key and save it when it is generated; Amazon does not keep a record of it.
  • SSH host key is a private file generated by the host on first boot. It protects your ssh connection to the instance so that it cannot be intercepted and read by other people, and each EC2 instance you run has its own ssh host key. To make sure your connection is secure, verify that the SSH host key fingerprint presented to you on your first ssh attempt matches the fingerprint listed in the console output of the EC2 instance.
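The last step above is the check that actually defeats interception, so here is an added example (my own Python, not code from the post or from Amazon) that parses the fingerprint section of an instance's console output and only declares the connection trusted when the fingerprint ssh presents matches the one recorded for the same key type. The console output and fingerprints are constructed, and the line format is the one I have seen cloud-init print, which I am assuming here.

```python
import re

# Constructed console output in the shape cloud-init prints on first boot
# (format assumed from what I have seen on my instances; fingerprints are made up).
SAMPLE_CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfG root@ip-10-0-0-12 (ED25519)
ec2: 3072 SHA256:ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210ZyXwVuT root@ip-10-0-0-12 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

# Accepts both the modern SHA256 base64 form and the older 16-pair hex MD5 form.
FINGERPRINT = r"SHA256:[A-Za-z0-9+/]{43}|(?:[0-9a-f]{2}:){15}[0-9a-f]{2}"
CONSOLE_LINE = re.compile(
    rf"^ec2:\s+\d+\s+(?P<fp>{FINGERPRINT})\s+\S+\s+\((?P<type>[A-Z0-9]+)\)\s*$")
# The sentence ssh prints on first connection: "<TYPE> key fingerprint is <fp>."
SSH_PROMPT = re.compile(rf"(?P<type>[A-Z0-9]+) key fingerprint is (?P<fp>{FINGERPRINT})")

def parse_host_key_fingerprints(console_output):
    """Map key type -> fingerprint, reading only the delimited section."""
    fingerprints, in_section = {}, False
    for line in console_output.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            in_section = True
        elif "END SSH HOST KEY FINGERPRINTS" in line:
            break
        elif in_section:
            match = CONSOLE_LINE.match(line)
            if match:
                fingerprints[match.group("type")] = match.group("fp")
    return fingerprints

def parse_ssh_prompt(prompt_text):
    """Extract (key_type, fingerprint) from ssh's host key prompt, or None."""
    match = SSH_PROMPT.search(prompt_text)
    return (match.group("type"), match.group("fp")) if match else None

def host_key_is_trusted(console_output, prompt_text):
    """True only when the presented fingerprint equals the console one for that
    key type; False (refuse to connect) when either is missing or they differ."""
    presented = parse_ssh_prompt(prompt_text)
    if presented is None:
        return False
    key_type, fingerprint = presented
    return parse_host_key_fingerprints(console_output).get(key_type) == fingerprint
```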

With this much information it can be a daunting task to remember it all, and any one credential can easily be mistaken for another. It is therefore advisable to keep a file or folder recording all of the above for each AWS account, especially the items Amazon does not store for us. Once written down, encrypt that information and secure it with a passphrase.
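Telling these formats apart is also exactly what a leaked-credential scanner has to do, so here is an added example (my own Python, not code from the post or from Amazon) that recognises the shapes described in the list above and reports where they occur in a file, which lets you confirm that the only copy of a key is the encrypted one you meant to keep. The sample config is constructed from the post's own example values, and the PEM header pattern is the standard one from OpenSSL/OpenSSH rather than something the post states.

```python
import re

# Regexes follow the formats described in the post: 20 upper-case alphanumerics
# for an Access Key ID, 40 chars of [A-Za-z0-9/+] for a Secret Access Key, a
# 12-digit account number with or without dashes, plus the standard PEM header
# that opens a private key file (X.509 or ssh); lookarounds avoid partial hits.
PATTERNS = {
    "access_key_id": re.compile(r"(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])"),
    "secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"),
    "account_number": re.compile(
        r"(?<!\d)\d{4}-\d{4}-\d{4}(?!\d)|(?<!\d)\d{12}(?!\d)"),
    "private_key_header": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Identifiers per the post, not secrets: reported in full; everything else is masked.
NOT_SECRET = {"access_key_id", "account_number"}

# Constructed sample built from the post's example values (not live credentials).
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = 022QF06E7MXBSH9DHM02
aws_secret_access_key = kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct
account = 1234-5678-9012
region = us-east-1
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
"""

def classify(value):
    """Name the credential type a single string looks like, or None."""
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def redact(value):
    """Keep a 4-char prefix so a finding is actionable without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text):
    """Return (line_no, kind, shown_value) for every credential-shaped hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hit = match.group(0)
                shown = hit if kind in NOT_SECRET else redact(hit)
                findings.append((line_no, kind, shown))
    return findings
```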

Let me know if I have missed any of the credentials and how you manage all of the above information.

This entry was posted in AWS, Uncategorized.
