Access control integration with Amazon EC2

Foxpass offers the ability to grant access to EC2 hosts by properties such as VPC ID, subnet ID, and tags.

1. Check pre-requisites

You must have the following:

  1. Admin permission in IAM, so you can create a new IAM Role for Foxpass to use.
  2. Your hosts must not allow password-based authentication; SSH keys only. (This is the usual default.)
  3. Each of your hosts must have an AWS-aware "ssh keys" script. All of our current install scripts are AWS-aware, but previous versions were not. To check yours, look at the file /usr/local/bin/foxpass_ssh_keys.sh. If you see a line that starts with 'aws_instance_id=', then your "ssh keys" script is AWS-aware.

2. Create an IAM Policy in AWS

  1. Go to Amazon AWS and bring up IAM.
  2. Create an IAM Policy with the following rules:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}

3. Add the connection in Foxpass

  1. Go to the AWS page in Foxpass.
  2. Click the Add Connection button to begin the setup process.
  3. Enter your AWS account ID and an appropriate IAM Role name.
  4. Don't click the Test & Add button to authorize the connection until you've finished the steps below.

4. Create an IAM Role in AWS

  1. Create a new IAM Role in AWS.
  2. Select Another AWS Account as the Trusted Entity type and enter 843529240033 as the account ID.
  3. Check the Require External ID box and enter the External ID generated for your connection. Do not enable the Require MFA feature.
  4. Attach the Policy from section 2 to the new IAM Role.
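The console steps above produce a trust (assume-role) policy on the new role. The following is an added example, not Foxpass's own code or documentation: it builds the equivalent document and checks an existing one for the properties this integration needs (principal limited to the Foxpass account 843529240033 from this page, an sts:ExternalId condition, and no MFA condition). The External ID value is a placeholder; use the one Foxpass generated for your connection.

```python
import json

# Foxpass's AWS account ID, as given on this page (the trusted entity).
FOXPASS_ACCOUNT_ID = "843529240033"

# Placeholder: replace with the External ID Foxpass generated for your connection.
EXAMPLE_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-FROM-FOXPASS"


def _as_list(value):
    """Normalise IAM fields that may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id, foxpass_account=FOXPASS_ACCOUNT_ID):
    """Trust policy equivalent to: trusted entity = another AWS account,
    Require External ID checked, Require MFA left unchecked."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{foxpass_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_issues(doc, external_id, foxpass_account=FOXPASS_ACCOUNT_ID):
    """Return a list of problems found in a trust policy; empty means it
    matches what the steps above describe."""
    issues = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if not principals:
            issues.append("no AWS principal: the role cannot be assumed by Foxpass")
        if "*" in principals:
            issues.append("wildcard principal: any AWS account could assume this role")
        if not all(foxpass_account in p for p in principals):
            issues.append("principal is not limited to the Foxpass account")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            issues.append("sts:ExternalId condition missing or does not match the connection's External ID")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            issues.append("Require MFA is enabled; the role must not require MFA for this integration")
    return issues


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(EXAMPLE_EXTERNAL_ID), indent=2))
```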

5. Enter access credentials into Foxpass

  1. Go back to the AWS page in Foxpass.
  2. Enter your AWS account ID and the Role name from above.
  3. Click the Test & Add button. If configured correctly, it should immediately add the connection.

Note: New connections may take up to 10 minutes to start syncing.

6. Enable hostgroups

  1. Go to the Hostgroups page.
  2. Click 'Enable Host Groups'. Read the warning. A rule will be auto-created; this rule allows all users access to all hosts. We recommend leaving this rule in place until all of your desired rules have been created. At that point, remove this "catch-all" rule.
  3. Click 'Add Host Group'.
  4. Enter a name, e.g. "QA Servers".
  5. Define which users (under "User Members") or groups of users (under "Group Members") should have access to these hosts.
  6. Click "Expand" underneath the new rule.
  7. Click "Add Matching Rule".
  8. Choose a property. "Hostname" is always available. (Note: "hostname" is the machine's hostname, not the name in the AWS console.) If the Amazon properties (VPC, subnet, tags) don't appear yet, wait up to 10 minutes for the sync to complete.
  9. Choose a matching rule. (Exact, prefix, suffix, etc.)
  10. Enter a value to match against.