Access control integration with Amazon EC2
Foxpass offers the ability to grant access to EC2 hosts by properties like VPC id, Subnet id, and Tags.
1. Check pre-requisites
You must have the following:
- Admin permission to IAM so you can create a new IAM Role for Foxpass to use.
- You must not allow password-based authentication to your hosts. SSH-key only. (This is the usual default.)
- Each of your hosts must have an AWS-aware "ssh keys" script. All of our current install scripts are AWS-aware, but previous versions were not. To check yours, look at the file /usr/local/bin/foxpass_ssh_keys.sh. If you see a line that starts with 'aws_instance_id=', then your "ssh keys" script is AWS-aware.
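The two host-side prerequisites above can be checked from a script rather than by eye. The following is an added example, not Foxpass tooling: it looks for the 'aws_instance_id=' marker line in the ssh-keys script and reads the effective PasswordAuthentication value from an sshd_config file. The sshd_config path is an assumed default; Match blocks are ignored, so `sshd -T` remains the authoritative view of the running configuration.

```python
import re
from pathlib import Path

SSH_KEYS_SCRIPT = "/usr/local/bin/foxpass_ssh_keys.sh"  # path given in the prerequisites
SSHD_CONFIG = "/etc/ssh/sshd_config"                    # assumed default location


def ssh_keys_script_is_aws_aware(script_text: str) -> bool:
    """True if any line starts with 'aws_instance_id=', the marker described above."""
    return any(line.startswith("aws_instance_id=") for line in script_text.splitlines())


def password_auth_disabled(sshd_config_text: str) -> bool:
    """True only when the effective PasswordAuthentication setting is 'no'.

    sshd honours the first occurrence of a keyword (comments stripped) and
    defaults to 'yes' when the keyword is absent, so an absent keyword fails.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(?i)^passwordauthentication\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "no"
    return False


def check_host(script_path: str = SSH_KEYS_SCRIPT, sshd_path: str = SSHD_CONFIG) -> dict:
    """Run both checks against files on this host; a missing file counts as a failure."""
    results = {}
    try:
        results["ssh_keys_script_aws_aware"] = ssh_keys_script_is_aws_aware(
            Path(script_path).read_text()
        )
    except OSError:
        results["ssh_keys_script_aws_aware"] = False
    try:
        results["password_auth_disabled"] = password_auth_disabled(
            Path(sshd_path).read_text()
        )
    except OSError:
        results["password_auth_disabled"] = False
    return results


# Constructed samples showing what each check accepts and rejects.
OLD_SCRIPT = "#!/bin/bash\nuser=$1\n"
NEW_SCRIPT = "#!/bin/bash\naws_instance_id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n"
GOOD_SSHD = "# hardened\nPasswordAuthentication no\n"
BAD_SSHD = "PasswordAuthentication yes\nPasswordAuthentication no\n"  # first value wins

if __name__ == "__main__":
    print(check_host())
```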
2. Create an IAM Policy in AWS
- Go to Amazon AWS and bring up IAM.
- Create an IAM Policy with the following rules:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "*"
      }
    ]
  }
3. Add the connection in Foxpass
- Go to the AWS page in Foxpass
- Click the Add Connection button to begin the setup process
- Enter your AWS account ID and an appropriate IAM Role name
- Don't click the Test & Add button to authorize the connection until you've finished the steps below.
4. Create an IAM Role in AWS
- Create a new IAM Role in AWS.
- Select Another AWS Account as the Trusted Entity type and enter 843529240033 as the account ID.
- Check the Require External ID box and enter the ID generated for your connection. Do not enable the Require MFA feature.
- Attach the Policy from section 2 to the IAM Role.
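Sections 2 and 4 together produce two documents: the EC2 read-only policy and the role's trust policy. The following added example (not Foxpass's code) builds both, audits an existing trust policy for the properties that matter (only the Foxpass account may assume the role, no wildcard principal, and the external ID is required so that the role cannot be assumed on another customer's behalf), and optionally creates the role with boto3. The role name and external ID are placeholders; the trusted account ID is the one given in section 4.

```python
import json

FOXPASS_ACCOUNT_ID = "843529240033"                   # trusted account from section 4
EXTERNAL_ID = "<external-id-from-foxpass-connection>"  # placeholder, generated per connection
ROLE_NAME = "FoxpassEC2ReadOnly"                      # assumed role name


def describe_policy() -> dict:
    """The EC2 read-only policy from section 2."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
        ],
    }


def trust_policy(external_id: str, trusted_account: str = FOXPASS_ACCOUNT_ID) -> dict:
    """Trust policy equivalent to 'Another AWS Account' plus 'Require External ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(doc: dict, trusted_account: str, external_id: str) -> list:
    """Return problems found in a role trust policy; an empty list means it is sound."""
    findings = []
    expected_principal = f"arn:aws:iam::{trusted_account}:root"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":
            aws_principals = ["*"]
        else:
            aws_principals = principals.get("AWS", []) if isinstance(principals, dict) else []
            aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal may assume the role")
            elif p != expected_principal:
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            findings.append("missing or wrong sts:ExternalId condition")
    return findings


def create_role(role_name: str = ROLE_NAME, external_id: str = EXTERNAL_ID) -> str:
    """Create the policy and role and attach them; needs IAM admin credentials."""
    import boto3  # imported here so the rest of the module runs without boto3

    iam = boto3.client("iam")
    policy = iam.create_policy(
        PolicyName=f"{role_name}-policy", PolicyDocument=json.dumps(describe_policy())
    )
    iam.create_role(
        RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy(external_id))
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy["Policy"]["Arn"])
    return policy["Policy"]["Arn"]


if __name__ == "__main__":
    print(json.dumps(trust_policy(EXTERNAL_ID), indent=2))
```

To audit a role that already exists, pass the `AssumeRolePolicyDocument` returned by `iam.get_role(RoleName=...)` to `trust_policy_findings` with the account ID and external ID shown in the Foxpass connection.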
5. Enter access credentials into Foxpass
- Go back to the AWS page in Foxpass
- Enter your AWS account ID and the Role name from above
- Click the Test & Add button. If configured correctly, it should immediately add the connection.
Note: New connections may take up to 10 minutes to start syncing.
6. Enable hostgroups
- Go to the Hostgroups page.
- Click 'Enable Host Groups'. Read the warning. A rule will be auto-created; this rule allows all users access to all hosts. We recommend leaving this rule in-place until all of your desired rules have been created. At that point, remove this "catch-all" rule.
- Click 'Add Host Group'
- Enter a name, e.g. "QA Servers"
- Define what users (under "User Members") or groups of users (under "Group Members") should have access to these hosts.
- Click "Expand" underneath the new rule
- Click "Add Matching Rule"
- Choose a property. "Hostname" is always available. (Note: "hostname" is the machine's hostname, not the name in the AWS console.) If the Amazon properties (VPC, subnet, tags) don't appear yet, wait up to 10 minutes for the sync to complete.
- Choose a matching rule. (Exact, prefix, suffix, etc.)
- Enter a value to match against.
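To see which hosts a matching rule selects before removing the catch-all rule, it helps to model the rule evaluation against an inventory. The following is an added example, not Foxpass's implementation: the property names, the three rule kinds and the assumption that a host is in the group when any one of its rules matches are illustrative choices. The sample hosts are constructed; note how a hostname prefix rule does not pick up a host whose AWS Name tag starts with "qa-" but whose own hostname does not, which is the distinction the note above makes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Host:
    hostname: str                     # the machine's own hostname, not the AWS Name tag
    vpc_id: str
    subnet_id: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class MatchingRule:
    prop: str    # "hostname", "vpc_id", "subnet_id" or "tag:<Key>" (assumed naming)
    kind: str    # "exact", "prefix" or "suffix"
    value: str


def host_property(host: Host, prop: str) -> Optional[str]:
    """Resolve a rule property name to the host's value, or None if absent."""
    if prop.startswith("tag:"):
        return host.tags.get(prop[len("tag:"):])
    return getattr(host, prop, None)


def rule_matches(rule: MatchingRule, host: Host) -> bool:
    actual = host_property(host, rule.prop)
    if actual is None:
        return False
    if rule.kind == "exact":
        return actual == rule.value
    if rule.kind == "prefix":
        return actual.startswith(rule.value)
    if rule.kind == "suffix":
        return actual.endswith(rule.value)
    raise ValueError(f"unknown rule kind: {rule.kind}")


def hosts_in_group(rules: List[MatchingRule], hosts: List[Host]) -> List[str]:
    """Hostnames covered by the group; a host is included if any rule matches (assumption)."""
    return sorted(h.hostname for h in hosts if any(rule_matches(r, h) for r in rules))


# Constructed sample inventory. The first host's Name tag is "qa-web-1" but its
# hostname is the EC2 default, so a hostname prefix rule on "qa-" misses it.
SAMPLE_HOSTS = [
    Host("ip-10-0-1-5", "vpc-0aaa", "subnet-0qa1", {"Name": "qa-web-1", "env": "qa"}),
    Host("qa-db-1", "vpc-0aaa", "subnet-0qa2", {"Name": "qa-db-1", "env": "qa"}),
    Host("ip-10-0-9-7", "vpc-0bbb", "subnet-0prod1", {"Name": "prod-web-1", "env": "prod"}),
]

if __name__ == "__main__":
    print(hosts_in_group([MatchingRule("hostname", "prefix", "qa-")], SAMPLE_HOSTS))
    print(hosts_in_group([MatchingRule("tag:env", "exact", "qa")], SAMPLE_HOSTS))
```

Matching on a tag or subnet is usually more robust than matching on hostname for EC2 fleets, since instances often keep the default ip-…  hostname while their tags are set deliberately.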