EC2 Instance Login - Comparison between the keypair, EC2 Instance Connect, and Session Manager (Systems Manager)

AWS provides three options to log on to your EC2 instances: Traditional SSH Keypair-based login, EC2 Instance Connect, and SSM Session Manager.

Here is a short comparison of these approaches.

This article is from my Security Specialty and SAA Udemy courses.

SSH Keypair

Advantages

  • Strong cryptographic security compared to using user IDs and passwords.
  • The private key (secret) is securely stored on the client side, while the public key is stored on the server side.
  • Two-factor authentication is possible by securing the private key with a passphrase.
  • Granular access control: a unique key can be issued to each user for access to specific servers.
  • Widely supported.

Disadvantages

  • Requires careful key management practices, including protecting private keys.
  • Periodic key rotation is necessary.
  • Revoking access can be challenging, since you need to touch every server that trusts the key.
  • Managing keys in large-scale environments or with multiple users can be challenging.

EC2 Instance Connect

Advantages

  • Eliminates the need for managing and sharing SSH keys
  • Manages instance access using IAM-based security controls
  • Authorized users can push temporary or single-use SSH public keys to the server
  • Supports traditional tools like SSH, SFTP, and so forth
  • Security group and network controls to limit access from specific IP ranges
  • The EC2 Instance Connect CLI provides a single command that logs in to the instance automatically.
  • You can also easily set up a tunnel to use other tools like SFTP or WinSCP.
  • Supports connecting to both public and private instances (with endpoints), eliminating the need for Bastion Hosts.
  • Multiple options to connect: Browser-based console login, and CLI
  • Support for Linux and Windows. For Windows, you need to launch an instance with keypair to retrieve the password and then set up the tunnel

Disadvantages

  • Requires EC2 Instance Connect agent on the server
  • Requires learning additional tools and commands
  • The pushed public key is only accepted for sixty seconds, so the login must happen within that window; once you are logged in, the session can last as long as you need.
  • Requires security group rules that allow whichever path is used: the EC2 Instance Connect public endpoints, your client's IP address, or an EC2 Instance Connect (private) Endpoint.
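The key-push flow described above, as an added example that is not part of the article: a throwaway key is generated, pushed with the AWS CLI, and used for the SSH login inside the sixty-second window, then deleted so nothing long-lived stays on the client. It assumes a configured AWS CLI, an instance running the EC2 Instance Connect agent, and a security group that admits the client; the instance id, region, OS user and host are placeholders. The command names are variables so the script can be dry-run without touching AWS.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): EC2 Instance Connect login with a
# single-use key. Instance id, region, OS user and host are placeholders.
set -eu

# Commands are variables so the flow can be dry-run (e.g. AWS_CMD=echo).
AWS_CMD="${AWS_CMD:-aws}"
SSH_CMD="${SSH_CMD:-ssh}"
KEYGEN_CMD="${KEYGEN_CMD:-ssh-keygen}"

# Create a fresh ed25519 keypair in a private temp dir and print the private key path.
# The key is single-use: it is never copied elsewhere and is deleted after login.
eic_make_key() {
  local dir
  dir=$(mktemp -d)
  "$KEYGEN_CMD" -q -t ed25519 -N '' -f "$dir/eic_key"
  printf '%s\n' "$dir/eic_key"
}

# Push the public key to the instance. The agent accepts it for only 60 seconds,
# so this must run immediately before the SSH connection is opened.
eic_push_key() {
  local instance_id="$1" region="$2" os_user="$3" pub_key_file="$4"
  "$AWS_CMD" ec2-instance-connect send-ssh-public-key \
    --region "$region" \
    --instance-id "$instance_id" \
    --instance-os-user "$os_user" \
    --ssh-public-key "file://$pub_key_file"
}

# Full login: generate key, push it, connect inside the window, then remove the
# private key whether or not the connection succeeded.
eic_login() {
  local instance_id="$1" region="$2" os_user="$3" host="$4" key rc=0
  key=$(eic_make_key)
  eic_push_key "$instance_id" "$region" "$os_user" "$key.pub"
  # IdentitiesOnly stops ssh offering other agent keys; ConnectTimeout keeps a
  # failed push from hanging past the 60-second window.
  "$SSH_CMD" -i "$key" -o IdentitiesOnly=yes -o ConnectTimeout=15 "$os_user@$host" || rc=$?
  rm -f "$key" "$key.pub"
  rmdir "$(dirname "$key")"
  return "$rc"
}

# Usage (placeholders): eic_login i-0123456789abcdef0 us-east-1 ec2-user 203.0.113.10
```

Because the push and the connect happen in one function call, the window is never a problem in practice; if the push fails (no IAM permission, agent missing, security group blocking the path), the script stops before SSH is attempted.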

Session Manager

Advantages

  • Eliminates the need for managing and sharing SSH keys
  • Manages instance access using IAM-based security controls
  • Uses a TLS tunnel to the Systems Manager service for logging into the server, so no inbound port has to be open.
  • Supports connecting to both public and private instances (with endpoints), eliminating the need for Bastion Hosts.
  • Support for Linux and Windows

Disadvantages

  • Integration with traditional tools like SSH, SFTP, and WinSCP can be challenging.
  • Bypasses security groups: the SSM agent connects outbound to the Systems Manager service, so inbound security group rules do not gate access; IAM becomes the only access control.
  • Requires the SSM agent to be installed on the server
  • More complex setup and usage
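The Session Manager path, as an added example that is not part of the article: a readiness check on the agent, an interactive session over the SSM channel, and the ssh_config stanza that routes plain SSH (and therefore scp/sftp) through Session Manager, which is the usual answer to the "traditional tools" disadvantage above. It assumes the AWS CLI with the Session Manager plugin installed and an instance role that carries the AmazonSSMManagedInstanceCore managed policy; instance ids, region and OS user are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code): Session Manager access with no
# inbound port. Instance ids, region and OS user are placeholders.
set -eu

AWS_CMD="${AWS_CMD:-aws}"   # overridable so the functions can be dry-run

# Readiness check: the agent must have registered with SSM, otherwise start-session
# fails with TargetNotConnected. Returns 0 only when the agent reports Online.
ssm_is_online() {
  local instance_id="$1" region="$2" status
  status=$("$AWS_CMD" ssm describe-instance-information \
    --region "$region" \
    --filters "Key=InstanceIds,Values=$instance_id" \
    --query 'InstanceInformationList[0].PingStatus' \
    --output text)
  [ "$status" = "Online" ]
}

# Interactive shell over the SSM channel: TLS to the SSM endpoint, no SSH port,
# no key. Who may do this is decided by IAM (ssm:StartSession on the instance).
ssm_shell() {
  local instance_id="$1" region="$2"
  if ! ssm_is_online "$instance_id" "$region"; then
    echo "SSM agent on $instance_id is not Online" >&2
    return 1
  fi
  "$AWS_CMD" ssm start-session --region "$region" --target "$instance_id"
}

# ssh_config stanza that tunnels SSH through Session Manager. SSH still
# authenticates on the instance, so a key is still needed; what goes away is the
# public IP, the bastion and the inbound port 22 rule.
ssm_ssh_config_stanza() {
  local region="$1"
  cat <<EOF
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --region $region --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User ec2-user
EOF
}

# Usage (placeholders):
#   ssm_shell i-0123456789abcdef0 us-east-1
#   ssm_ssh_config_stanza us-east-1 >> ~/.ssh/config && sftp i-0123456789abcdef0
```

With the stanza in place, `ssh`, `scp` and `sftp` address the instance by its id and the proxy opens the SSM channel underneath; CloudTrail records the StartSession call, which is the audit trail the security-group bypass otherwise removes.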

Please feel free to share which option you prefer and use!

Best

Chandra Lingam, Compute With Cloud Inc

Good comparison, Chandra. AWS has recently launched another option "EC2 Instance Connect Endpoint" to connect to the EC2 instances running in private networks. So you don't need a bastion host or public IP to access the instance. That will be a more secure and cost effective option. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-using-eice.html
