Ada*_*hes 4 ssh amazon-ec2 amazon-web-services aws-ec2-instance-connect
I'm using the new (June 2019) EC2 browser SSH connect feature to get a shell on an EC2 instance. It's very convenient, because configuring PuTTY with AWS auth on Windows is annoying and the traditional browser SSH products have never worked for me.
I can connect to the EC2 instance through the AWS console as shown below
If SSH is enabled for any IP address it works perfectly. However, when I set the SSH security group to my IP address, the SSH shell just hangs.
I've confirmed that this is my correct public IP address, and I've also tried using my private IPv4 address - no luck. But with the CIDR block set to anywhere, the connection works fine.
I think perhaps this new feature uses a proxy shell somewhere, so I have to allow access for this intermediary's address.
I'm doing this from my home office desktop, not from a corporate or complex environment, and using my root AWS credentials (yes, I know this is the worst practice).
Ah! The wonderful new AWS EC2 Instance Connect service. Good to see you're using it!
EC2 Instance Connect works by establishing an HTTPS connection between your web browser (running on your computer) and the backend EC2 Instance Connect service. Then, EC2 Instance Connect establishes a "mostly normal" SSH connection to the target instance. (The slight difference is the way a temporary key is pushed to the instance.)
As a result, the connection appears to be coming from the EC2 Instance Connect service rather than your own computer!
Therefore, instead of accepting a connection from "My IP", the security group on the EC2 instance should allow inbound connections from the EC2 Instance Connect service.
You can obtain the relevant IP address range from AWS IP Address Ranges. This is a JSON file that provides IP ranges for each AWS service.
For example, here is the range for the Sydney region:
{
"ip_prefix": "13.239.158.0/29",
"region": "ap-southeast-2",
"service": "EC2_INSTANCE_CONNECT"
},
Thus, you could put this CIDR in the security group and it would enable EC2 Instance Connect within the Sydney region. (Consult the https://ip-ranges.amazonaws.com/ip-ranges.json file for the relevant range in your region.)
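As an added example (not part of the answer above), here is a small Python script that pulls the EC2_INSTANCE_CONNECT prefixes for a region out of an ip-ranges.json document and checks whether an SSH security-group rule actually covers them. The JSON excerpt is constructed inline so the script runs offline; only the Sydney entry is the one quoted above, the other entries are made-up sample data, and the function names are my own.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The ap-southeast-2 EC2_INSTANCE_CONNECT entry is the one quoted in the answer;
# the other two entries are sample data, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2019-06-28-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.239.158.0/29", "region": "ap-southeast-2", "service": "EC2_INSTANCE_CONNECT"},
        {"ip_prefix": "13.239.0.0/16", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.8/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT"},
    ],
})


def instance_connect_prefixes(ip_ranges_json: str, region: str) -> list:
    """Return the EC2_INSTANCE_CONNECT CIDRs published for one region."""
    data = json.loads(ip_ranges_json)
    return [
        p["ip_prefix"]
        for p in data["prefixes"]
        if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region
    ]


def covers_instance_connect(allowed_cidrs, ip_ranges_json: str, region: str) -> bool:
    """True if every Instance Connect prefix for the region lies inside at least
    one CIDR of the security group's SSH ingress rule. A "My IP" /32 rule fails
    this check; 0.0.0.0/0 passes it, which is exactly the symptom in the question."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    needed = [ipaddress.ip_network(c) for c in instance_connect_prefixes(ip_ranges_json, region)]
    if not needed:
        return False  # region unknown in this file: nothing we can confirm
    return all(
        any(n.subnet_of(a) for a in allowed if a.version == n.version)
        for n in needed
    )


def recommended_ssh_cidrs(my_ip: str, ip_ranges_json: str, region: str) -> list:
    """CIDRs the SSH rule needs: your own address plus the region's Instance Connect prefixes."""
    own = str(ipaddress.ip_network(my_ip))  # yields /32 for IPv4, /128 for IPv6
    return [own] + instance_connect_prefixes(ip_ranges_json, region)


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for "My IP".
    print(covers_instance_connect(["203.0.113.5/32"], SAMPLE_IP_RANGES, "ap-southeast-2"))
    print(recommended_ssh_cidrs("203.0.113.5", SAMPLE_IP_RANGES, "ap-southeast-2"))
```

Against the real file, read `prefixes` from a fresh download of ip-ranges.json rather than the embedded sample, since AWS updates the ranges over time.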