The “Right” Way to Access Private EC2 Instances

Accessing private EC2 instances from a public jump host presents a potential security issue. Every instance must be accessed with its SSH private key, but storing this key on the jump host is a bad (actually, very bad) idea. If the key is stolen, every system configured to trust it can be compromised.

Instead, use ‘ssh-agent’ on your local system to hold and use your private keys. With agent forwarding, the jump host relays authentication requests back to your local agent, so the key never has to be uploaded to or shared with the jump host.

# Step 1 is to start 'ssh-agent' and evaluate its output in your current shell.
# The agent prints the commands that set the necessary environment variables
# (SSH_AUTH_SOCK, SSH_AGENT_PID) and displays the PID of the agent. Without the
# 'eval', those variables are never set and 'ssh-add' cannot find the agent.
# Example:
$ eval "$(ssh-agent -s)"
Agent pid 16883

# Step 2 is to store your private key using 'ssh-add'
# ssh-add privateKeyName.pem
# Example:
$ ssh-add kpSuperSecret.pem
Identity added: kpSuperSecret.pem (kpSuperSecret.pem)

Once the private key is loaded into your local agent, you can simply connect to your jump host with SSH as normal. From there, accessing the private hosts just requires you to add the “-A” (agent forwarding) flag when connecting to the jump host:

# Connect to the jump host with agent forwarding enabled
# (replace the placeholder with your jump host's public address):
$ ssh -A ec2-user@<jump-host-public-address>

# And then, from the jump host, on into the private instances;
# the key stays in the agent on your local machine:
$ ssh ec2-user@ip-someInternalIP.ec2.internal
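Two checks that go with the setup above, written here as an added example rather than code from the original post: the first tells you whether your local agent is actually running and holds a key before you rely on forwarding (a stale SSH_AUTH_SOCK is a common reason "ssh -A" silently falls back to asking for a key on the jump host), and the second audits a jump host's directories for private-key files that should not be there at all. The function names and the constructed fixture (a fake .pem with a PEM header and no real key material) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and the
# constructed fixture below are assumptions for illustration only.

# Classify the local agent. ssh-add -l exits 0 when keys are loaded, 1 when the
# agent is reachable but empty, and 2 when no agent can be reached. A missing or
# stale SSH_AUTH_SOCK (variable set, socket gone) is reported as no-agent.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo no-agent
        return 0
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys-loaded ;;
        1) echo agent-empty ;;
        *) echo agent-unreachable ;;
    esac
}

# List every regular file under $1 whose contents carry a PEM private-key header
# (RSA, EC, OPENSSH, ENCRYPTED ... all match). POSIX find/grep only, so it runs
# on a minimal jump host image; run it against /home or a user's ~/.ssh.
scan_for_private_keys() {
    find "$1" -type f -exec grep -l -- '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null
}

# Number of private-key files found under $1. On a jump host the answer should be 0.
count_private_keys() {
    scan_for_private_keys "$1" | wc -l | tr -d ' '
}

# Build a throwaway directory that looks like a jump host's ~/.ssh: a public key,
# a known_hosts file, and one file with a private-key header. All contents are
# constructed placeholders, not real keys.
make_constructed_fixture() {
    dir=$(mktemp -d)
    printf 'ssh-ed25519 AAAAconstructed ec2-user@constructed\n' > "$dir/authorized_keys"
    printf 'ip-10-0-0-1.ec2.internal ssh-ed25519 AAAAconstructed\n' > "$dir/known_hosts"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$dir/kpSuperSecret.pem"
    echo "$dir"
}

# Demo: sh audit.sh --demo [DIR]  (scans DIR, or the constructed fixture if omitted)
if [ "${1:-}" = "--demo" ]; then
    echo "local agent: $(agent_state)"
    target=${2:-$(make_constructed_fixture)}
    echo "private keys found under $target:"
    scan_for_private_keys "$target" || true
    echo "count: $(count_private_keys "$target")"
fi
```

Run "agent_state" locally before connecting; anything other than keys-loaded means the "-A" session will not be able to authenticate onward. Run the scanner on the jump host itself, since a single stray .pem there undoes the whole point of forwarding. One caveat on "-A": for the life of the session it exposes a socket to your agent on the jump host, and anyone with root there can authenticate as you through it. Where only SSH access to the private instance is needed, "ssh -J ec2-user@jump-host ec2-user@private-host" (ProxyJump) tunnels the connection through the jump host and authenticates end-to-end from your local agent without exposing that socket.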