How to Centralize SSH Key Management with Userify and AWS CloudFormation
By Jamieson Becker, Solution Architect at Userify
As teams begin to build their architecture on Amazon Web Services (AWS), the question often arises about how to manage access control to all of their instances.
Clearly, sharing a single SSH private key across a team not only runs afoul of the unique-user-identification requirements of PCI DSS (Requirement 8) and the HIPAA Security Rule, but ultimately becomes unwieldy and unscalable as your team grows. What happens when someone leaves the team, for example? An administrator must manually revisit every project and instance that employee may have had access to and remove each account, and any shared key that person held has to be rotated on every host that trusted it.
Userify, an AWS Partner Network (APN) Advanced Technology Partner, solves this problem quickly and easily by providing Userify Cloud or, for self-hosting, a single instance or multi-Availability Zone (AZ) cluster that runs in your Amazon Virtual Private Cloud (VPC). Userify Cloud is a fully managed service that can be used across your VPCs and AWS accounts with no installation needed.
All of your instances, in both private and public subnets and across AZs, periodically connect to this Userify service and synchronize user accounts.
The Userify architecture is designed to be resilient, even in the face of network interruptions or the outage of your Userify service.
Each instance periodically polls the Userify service over HTTPS and updates its own local user accounts, public keys, local permissions, and sudo roles.
Each action is taken automatically, as if an administrator were typing the commands at the console. For example, accounts are created by running the local /usr/sbin/useradd, so this works even with custom PAM and directory configurations and without deep operating system modifications.
Figure 1 – Userify key flow architecture.
Userify uses standard HTTPS connections that are initiated by the instances back to the Userify service, whether self-hosted or software-as-a-service (SaaS). Outbound, “pull” style requests have a number of advantages:
- No firewall holes needed into each managed instance.
- Auto Scaling Groups can use a single launch configuration with no additional configuration needed as each instance is created and comes online.
- Because it’s pure HTTPS, there’s no need to expose a centralized authentication repository (such as Active Directory) to the servers.
- Servers get their current users configured and available as soon as the shim completes its first sync after boot, rather than waiting for a central service to connect to the instance.
- Low latency; when a user authenticates to the instance, no third-party server is involved, so no additional request is needed.
- Highly reliable; even if the Userify service is unreachable for an extended period, the instance keeps authenticating previously valid users exactly as if Userify had never been deployed, because the accounts exist locally. Only updates stop until the service is restored, after which the instances re-sync automatically. The flip side is that revocations are deferred too: a removal takes effect only at the next successful poll, so the polling interval (and any outage) bounds how long a departed user's key stays valid.
- Users authenticate with SSH public-key cryptography, and the managed hosts hold only public keys. Breaking into one server therefore gives an attacker no passwords or private keys that help them break into other servers. The server group's API Id and key that the instance uses to poll are still present on that host, so treat them as per-group credentials rather than organization-wide ones.
- User accounts on each instance are kept up to date automatically, and stale user accounts are removed. When a user is removed from an instance, any running SSH sessions are killed, roles are revoked, and their home directory is archived for later use (or restoration).
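The poll-and-reconcile loop described above, written out as an added example (this is not Userify's shim, and the file paths, the marker group, the request headers and the JSON document shape are assumptions). It runs the host's own useradd/userdel, writes each user's authorized_keys, grants sudo through a sudoers.d drop-in, and on removal kills the user's sessions and archives the home directory before deleting the account. plan() is a pure function that returns the steps it would take, so the logic can be checked without root; sync_once() shows the outage behaviour, where a failed fetch changes nothing and existing accounts keep working.

```python
"""Pull-and-reconcile sketch of what a shim does on each poll (added example, not Userify's code)."""
import json
import re
import shutil
import subprocess
import urllib.request
from pathlib import Path

MANAGED_GROUP = "userify-managed"   # assumption: marker group; only its members may ever be deleted
SUDOERS_DIR = "/etc/sudoers.d"      # default include directory on most distributions
ARCHIVE_DIR = "/var/backups/home"   # assumption: where removed users' home directories are archived
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
SSH_KEY_RE = re.compile(r"^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$")


def validate_user(user: dict) -> dict:
    """Reject anything from the service that should never reach useradd or a sudoers file."""
    name = user["name"]
    if not USERNAME_RE.match(name):
        raise ValueError(f"refusing unsafe username {name!r}")
    keys = [k.strip() for k in user.get("keys", [])]
    for key in keys:
        if not SSH_KEY_RE.match(key):
            raise ValueError(f"refusing malformed public key for {name}")
    return {"name": name, "keys": keys, "sudo": bool(user.get("sudo", False))}


def managed_members(group_file_text: str) -> set:
    """Members of MANAGED_GROUP parsed from /etc/group text; these are the accounts we own."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if fields[0] == MANAGED_GROUP and len(fields) == 4:
            return {m for m in fields[3].split(",") if m}
    return set()


def plan(desired_users: list, current_managed: set) -> list:
    """Steps that move the host from current_managed to desired_users.

    A step is ("run", argv) or ("write", path, content, mode, owner). Accounts outside
    MANAGED_GROUP (root, service accounts, hand-made users) are never touched.
    """
    wanted = {u["name"]: validate_user(u) for u in desired_users}
    steps = [("run", ["groupadd", "--force", MANAGED_GROUP])]   # idempotent on an existing group
    for name, user in sorted(wanted.items()):
        if name not in current_managed:
            steps.append(("run", ["useradd", "--create-home", "--groups", MANAGED_GROUP, name]))
        steps.append(("write", f"/home/{name}/.ssh/authorized_keys",
                      "".join(k + "\n" for k in user["keys"]), 0o600, name))
        drop_in = f"{SUDOERS_DIR}/50-{name}"
        if user["sudo"]:   # key-only accounts have no password, hence NOPASSWD
            steps.append(("write", drop_in, f"{name} ALL=(ALL) NOPASSWD:ALL\n", 0o440, "root"))
        else:
            steps.append(("run", ["rm", "-f", drop_in]))
    for name in sorted(current_managed - set(wanted)):
        steps += [("run", ["pkill", "-KILL", "-u", name]),            # drop live SSH sessions
                  ("run", ["rm", "-f", f"{SUDOERS_DIR}/50-{name}"]),    # revoke sudo before anything else
                  ("run", ["tar", "-czf", f"{ARCHIVE_DIR}/{name}.tgz", "-C", "/home", name]),
                  ("run", ["userdel", "--remove", name])]
    return steps


def apply_plan(steps: list) -> None:
    """Execute a plan as root. No shell is involved: argv lists go straight to exec."""
    for step in steps:
        if step[0] == "run":
            # pkill exits 1 when the user had no processes, which is not an error here
            subprocess.run(step[1], check=step[1][0] != "pkill")
        else:
            _, path, content, mode, owner = step
            target = Path(path)
            target.parent.mkdir(mode=0o700, exist_ok=True)
            target.write_text(content)
            target.chmod(mode)
            shutil.chown(target, owner, owner)
            if target.parent.name == ".ssh":
                shutil.chown(target.parent, owner, owner)


def sync_once(url: str, api_id: str, api_key: str) -> list:
    """One poll. On any fetch or parse error nothing is changed and existing accounts keep working."""
    req = urllib.request.Request(url, headers={"X-Api-Id": api_id, "X-Api-Key": api_key})  # assumed headers
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            desired = json.load(resp)["users"]
    except (OSError, ValueError, KeyError):
        return []   # outage: leave local state alone and retry at the next interval
    steps = plan(desired, managed_members(Path("/etc/group").read_text()))
    apply_plan(steps)
    return steps
```

Two design points worth copying: the marker group means the reconciler can only ever delete accounts it created, so a bad or empty document from the service cannot wipe root or a hand-made break-glass account; and usernames and keys are validated before they are handed to useradd or written into sudoers.d, so the service (or anyone who can impersonate it) cannot smuggle extra sudoers lines or options into a host.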
Getting Started with Userify
It only takes a few moments to test Userify integration into your architecture using the Userify Cloud edition:
- Sign up with Userify Cloud and create a company, project, and server group by clicking the green “+” buttons in the dashboard.
- Import your public key from Github or Gitlab, or generate an SSH public key (instructions on your profile page) and paste it into the public key text box.
- Set your permission level in the server group, changing it from “None” to “Root.”
- Lastly, note that server group’s API Id and key (click the server group header to see the menu), and provide these when prompted in the AWS CloudFormation template.
Deploying Amazon EC2 Instances with CloudFormation and the Userify Shim
The Userify shim is the small Python script that gets deployed onto your Amazon Elastic Compute Cloud (Amazon EC2) instance. It automatically detects your Linux distribution, detects whether you are using the Userify SaaS service (Userify Cloud) or a self-hosted installation in your VPC, such as Userify Enterprise or Userify Express, and maintains the connections to that service.
The shim is easily implemented within an Amazon EC2 instance and automatically configured with CloudFormation. Here’s an example CloudFormation script:
Click here to launch this template, a single Amazon EC2 t2.nano instance in the us-east-1 region, in your AWS account. Upon launching, you will be prompted for the Userify API Id and key that you noted above when you created your free account. Paste those two strings, click Next, Next again, and finally Create. Two things to check before doing this in a real account: confirm that the template declares the API Id and key parameters with NoEcho so they are not displayed in the console or returned by DescribeStacks, and remember that anything passed to an instance through user data can be read from the instance metadata service by any process on that instance and by anyone with ec2:DescribeInstanceAttribute, so keep the key scoped to that one server group.
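An added example of the kind of template the launch button stands for, generated in JSON form (which CloudFormation accepts directly) by Python, together with a small lint pass for the two mistakes that matter most in this sort of stack. This is not the template linked from the post; the /etc/userify credentials path and the shim install line are placeholders, because the vendor's installer command is not shown on this page, and the AMI is resolved through the public Amazon Linux 2 SSM parameter.

```python
"""CloudFormation template generator and linter for a single Userify-enrolled t2.nano (added example)."""
import json

SHIM_INSTALL = "echo 'install the Userify shim here'"   # placeholder for the vendor's install command
AMI_SSM_PATH = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"

# Bash runs after CloudFormation's Fn::Sub has substituted ${UserifyApiId} and ${UserifyApiKey};
# no bash variables are used, so nothing needs the ${!var} escape. umask 077 keeps the file root-only.
USER_DATA = f"""#!/bin/bash
set -euo pipefail
umask 077
install -d -m 0700 /etc/userify
printf 'api_id=%s\\napi_key=%s\\n' '${{UserifyApiId}}' '${{UserifyApiKey}}' > /etc/userify/credentials
{SHIM_INSTALL}
"""


def make_template() -> dict:
    """Parameters are NoEcho for both secrets; SSH ingress comes from a parameter, never 0.0.0.0/0."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "One t2.nano enrolled in a Userify server group (added example)",
        "Parameters": {
            "UserifyApiId": {"Type": "String", "NoEcho": True},
            "UserifyApiKey": {"Type": "String", "NoEcho": True},
            "SshCidr": {"Type": "String", "Description": "CIDR allowed to reach port 22",
                        "AllowedPattern": r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$"},
            "LatestAmiId": {"Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
                            "Default": AMI_SSM_PATH},
        },
        "Resources": {
            "SshSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "SSH from an explicit CIDR only",
                    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                              "CidrIp": {"Ref": "SshCidr"}}],
                },
            },
            "Instance": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    "InstanceType": "t2.nano",
                    "ImageId": {"Ref": "LatestAmiId"},
                    "SecurityGroupIds": [{"Fn::GetAtt": ["SshSecurityGroup", "GroupId"]}],
                    "UserData": {"Fn::Base64": {"Fn::Sub": USER_DATA}},
                },
            },
        },
        "Outputs": {"PublicIp": {"Value": {"Fn::GetAtt": ["Instance", "PublicIp"]}}},
    }


def lint(template: dict) -> list:
    """Findings a reviewer would raise: secret-looking parameters without NoEcho, and
    port-22 ingress hard-wired to the whole internet instead of a parameter."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        if any(w in name.lower() for w in ("key", "secret", "password")) and not param.get("NoEcho"):
            findings.append(f"parameter {name} is not NoEcho; it will show in the console and DescribeStacks")
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if rule.get("FromPort") == 22 and rule.get("CidrIp") == "0.0.0.0/0":
                findings.append(f"{name} opens SSH to 0.0.0.0/0")
    return findings


def render() -> str:
    """Serialize for `aws cloudformation create-stack --template-body file://...`."""
    return json.dumps(make_template(), indent=2)
```

NoEcho hides the two values from the console and the CloudFormation API, but it does nothing for the user-data copy: that is still readable from the instance metadata service by every process on the box. If the shim supports reading its credentials from a root-only file, as the user data above assumes, that is the copy to protect; the user-data copy is why the key should be scoped to one server group.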
Figure 2 – Launching the pre-built CloudFormation stack.
Within moments, you’ll be able to log into a fresh Amazon Linux instance using your own username. When you’re finished testing, don’t forget to delete the CloudFormation stack, which will also terminate the Amazon EC2 instance that it created.
Getting started with Userify and CloudFormation is simple. To go further, download and customize the CloudFormation template using the CloudFormation documentation. You can add every feature of your current AWS infrastructure into CloudFormation, from security group rules to big data infrastructure, and use those same CloudFormation templates to build identical copies.
You can also review a more complex CloudFormation template that builds an entire Userify Enterprise cluster in your VPC with optional Active Directory integration. Many organizations will use the same CloudFormation templates to launch identical environments for development, staging, testing, and production.
Userify is available both as SaaS and self-hosted, so you can launch your own Userify server within a VPC and keep your keys under your organization's control, which aids compliance with PCI DSS and the HIPAA Security Rule.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Userify – APN Partner Spotlight
Userify is an APN Advanced Technology Partner. They offer a user, SSH key, and sudo provisioning system for cloud servers. More than 2,000 companies on six continents trust Userify for cloud user management and SSH key management.