Centralizing SSH Key Management with Userify and AWS CloudFormation


As organizations move more of their infrastructure to Amazon Web Services (AWS), controlling who can log in to which instances becomes a recurring problem. Sharing a single SSH private key across a team contravenes PCI-DSS and HIPAA Security Rule requirements and does not scale as the team grows: when a team member departs, an administrator must manually review every project and instance that person could reach and revoke their access on each one.

Userify, an Advanced Technology Partner in the AWS Partner Network, addresses this issue efficiently by offering Userify Cloud or, for those preferring self-hosting, a single instance or multi-Availability Zone (AZ) cluster that operates within your Amazon Virtual Private Cloud (VPC). Userify Cloud is a managed service that seamlessly integrates across your VPCs and AWS accounts without requiring installation.

Your instances, whether in private or public subnets and across AZs, will periodically connect to the Userify service to synchronize user accounts.

Resilient Architecture

Userify’s architecture is designed to keep working through network disruptions and service outages. Each instance polls the Userify service over HTTPS and periodically updates its local user accounts, public keys, and permissions. The shim does this with the same commands an administrator would run at the console; for example, it executes the local /usr/sbin/useradd, so it coexists with custom PAM and directory settings without extensive operating system changes.

Userify employs standard HTTPS connections initiated by instances back to the Userify service, whether self-hosted or SaaS. This outbound, “pull” request model presents several advantages:

  • No need for firewall adjustments on managed instances.
  • Auto Scaling Groups can utilize a single launch configuration without additional setup as new instances are created.
  • There’s no requirement to expose a centralized authentication repository, such as Active Directory, to the servers.
  • When a server boots, it instantly configures its current users, eliminating delays.
  • Low latency; user authentication occurs without involving a third-party server.
  • High reliability; if the Userify service becomes unreachable, instances can still authenticate previously valid users, ensuring continuity.
  • User accounts on each instance remain updated automatically, with old accounts removed promptly. When a user is deleted from an instance, any active SSH sessions are terminated, roles are revoked, and their home directory is archived for future use.
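The following Python sketch is an added example, not Userify's shim or any code from the article. It models the pull-and-converge loop the bullets above describe: fetch the desired user set from the service, fall back to the last cached answer when the service is unreachable (so previously valid users keep authenticating), and then converge the local machine with ordinary admin commands in a safe order (end sessions and revoke sudo before an account is deleted, archive the home directory, then userdel). The JSON shape of the service response, the cache path and the plan format are this example's own assumptions, and the "service" and "local state" are constructed data; reconcile() returns the command plan instead of executing it, so the block runs offline.

```python
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    keys: tuple          # OpenSSH public-key lines
    sudo: bool = False


def fetch_desired(fetch, cache_path):
    """Return (desired, source). `fetch` talks to the service and returns
    {"users": {name: {"keys": [...], "sudo": bool}}} (assumed shape, not Userify's
    API). On any failure the last cached response is used, so an outage never
    locks out users who were valid at the previous poll."""
    try:
        raw = fetch()
        with open(cache_path, "w") as fh:
            json.dump(raw, fh)
        source = "live"
    except Exception:                       # DNS down, TLS failure, 5xx, ...
        if not os.path.exists(cache_path):
            raise                           # first boot with no cache: nothing safe to apply
        with open(cache_path) as fh:
            raw = json.load(fh)
        source = "cached"
    desired = {n: Account(tuple(a["keys"]), bool(a.get("sudo", False)))
               for n, a in raw["users"].items()}
    return desired, source


def reconcile(desired, managed):
    """Commands that move `managed` (name -> Account for accounts this tool created)
    to `desired`. Accounts not in `managed` (ec2-user, service accounts) are never
    touched, which is what makes a sync agent safe on a shared box."""
    plan = []
    for name in sorted(desired):
        want, have = desired[name], managed.get(name)
        if have is None:
            plan.append(f"/usr/sbin/useradd -m -s /bin/bash {name}")
        if have is None or have.keys != want.keys:
            # authorized_keys is replaced wholesale, so a key removed in the
            # dashboard disappears here on the next poll.
            plan.append(f"write /home/{name}/.ssh/authorized_keys mode=0600 "
                        f"lines={len(want.keys)}")
        if want.sudo and not (have and have.sudo):
            plan.append(f"write /etc/sudoers.d/{name}: {name} ALL=(ALL) NOPASSWD:ALL")
        elif have and have.sudo and not want.sudo:
            plan.append(f"rm -f /etc/sudoers.d/{name}")
    for name in sorted(set(managed) - set(desired)):
        # Order matters: kill sessions and revoke privileges before the account
        # goes away, archive the home directory, then delete.
        plan += [f"pkill -KILL -u {name}",
                 f"rm -f /etc/sudoers.d/{name}",
                 f"tar -czf /var/backups/home-{name}.tgz /home/{name}",
                 f"/usr/sbin/userdel -r {name}"]
    return plan


def poll_once(fetch, managed, cache_path):
    """One iteration of the agent loop: fetch (or fall back), then plan."""
    desired, source = fetch_desired(fetch, cache_path)
    return source, reconcile(desired, managed)


# Constructed sample data: what the service says now, and what earlier polls created.
SERVICE_RESPONSE = {"users": {
    "alice": {"keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice alice@laptop"],
              "sudo": True},
    "carol": {"keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCarol carol@laptop"]},
}}
LOCAL_MANAGED = {
    "alice": Account(("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice alice@laptop",)),
    "bob":   Account(("ssh-rsa AAAAB3NzaC1yc2EAAAAExampleBob bob@old-laptop",), sudo=True),
}


def demo():
    """Two polls: one with the service up, one during an outage (cache is used)."""
    cache = os.path.join(tempfile.mkdtemp(), "sync-cache.json")
    live = poll_once(lambda: SERVICE_RESPONSE, LOCAL_MANAGED, cache)

    def service_down():
        raise ConnectionError("configure host unreachable")

    outage = poll_once(service_down, LOCAL_MANAGED, cache)
    return live, outage


if __name__ == "__main__":
    for source, plan in demo():
        print(f"[{source}]")
        for cmd in plan:
            print("  " + cmd)
```

The outage poll produces exactly the same plan as the live one, which is the property the "high reliability" bullet describes; the first-boot case with no cache is the one situation where the agent has nothing safe to apply and must wait for the service.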

Getting Started with Userify

Integrating Userify into your infrastructure is quick and straightforward.

  1. Sign up for Userify Cloud, creating a company, project, and server group via the dashboard.
  2. Import your public key from GitHub or GitLab, or generate a new SSH public key and paste it into the designated box.
  3. Grant yourself access: in the server group, change your permission from “None” to “Root.”
  4. Lastly, record the API ID and API key of that server group; the AWS CloudFormation template prompts for both.

Deploying Amazon EC2 Instances with CloudFormation and the Userify Shim

The Userify shim is a small Python script deployed on your Amazon Elastic Compute Cloud (Amazon EC2) instance. It detects your Linux distribution and whether it should talk to the Userify SaaS service or to a self-hosted installation in your VPC. The shim is installed from the instance’s user data, so CloudFormation can configure it with no manual steps. Here is a sample CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'
Description: This simple CloudFormation template will deploy a single instance running Amazon
  Linux in US-East-1 with the Userify shim connected to Userify Cloud, and can serve as a
  starting point for additional CloudFormation exploration.
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: {Ref: EC2Instance}
  PublicIP:
    Description: Public IP address
    Value:
      Fn::GetAtt: [EC2Instance, PublicIp]
Parameters:
  UserifyApiId:
    Description: >-
      Userify API ID for this server group. Create an account (remember to paste your
      SSH public key) at the Userify Dashboard (free) https://dashboard.userify.com,
      and paste the API ID for any server group that you have granted yourself
      root access to. Free technical or architectural assistance; email support at userify.
    Type: String
  UserifyApiKey:
    Description: >-
      Userify API Key for this server group. Sign into the Userify Dashboard
      (free), and paste the API KEY for any server group.
    Type: String
Resources:

  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: t2.nano
      SecurityGroups:
        - {Ref: EC2InstanceSecurityGroup}
      UserData:
        Fn::Base64: !Sub |
          #cloud-config
          cloud_final_modules:
            - runcmd
            - scripts-user
          runcmd:
            - curl -1 -sS "https://static.userify.com/installer.sh" |
              static_host="static.userify.com"
              shim_host="configure.userify.com"
              self_signed=0
              api_id="${UserifyApiId}"
              api_key="${UserifyApiKey}" sudo -s -E

  EC2InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - CidrIp: '0.0.0.0/0'
          FromPort: '22'
          IpProtocol: tcp
          ToPort: '22'

Launch this template to create a single Amazon EC2 t2.nano instance in the US East-1 region (the AMI ID in the template is specific to that region). When you launch it, you’ll be prompted for the Userify API ID and key generated during your free account setup. Paste those two values, click Next, and finally Create.

In a matter of moments, you’ll be able to log in to the freshly running instance with the SSH key you registered in the dashboard.

Two settings in this template are fine for a quick test but not for anything longer-lived. The security group admits SSH from 0.0.0.0/0; restrict CidrIp to the address range you actually administer from. The API key is passed as a plain String parameter and substituted into user data: marking the parameter NoEcho: true keeps it out of stack descriptions and the console, but user data remains readable from the instance metadata service by any process on the instance, so the server-group key is only as secret as the instance itself.
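Before launching a template like this outside a sandbox, it is worth checking it mechanically rather than by eye. The following Python is an added example, not part of the article or of Userify's tooling. It holds a transcription of the template above as a plain dict (intrinsic functions in their JSON form, the cloud-config shortened to the one runcmd line that carries the credentials), flags three things a reviewer would flag (the security-group rule that opens TCP/22 to the Internet, a credential-looking parameter without NoEcho, and a credential substituted into UserData, which NoEcho does not protect), and returns a hardened copy with NoEcho set and the open rule narrowed to a launch-time CIDR. The parameter name AdminCidr and the name-based "looks like a secret" heuristic are this example's assumptions.

```python
import copy
import re

SECRET_HINTS = ("key", "secret", "password", "token")   # assumption: name-based heuristic

# Transcription of the article's template as a plain dict (constructed here; nothing
# is fetched from AWS). The cloud-config keeps only the line that carries the credentials.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "UserifyApiId": {"Type": "String", "Description": "Userify API ID for this server group"},
        "UserifyApiKey": {"Type": "String", "Description": "Userify API Key for this server group"},
    },
    "Resources": {
        "EC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0ff8a91507f77f867",
                "InstanceType": "t2.nano",
                "SecurityGroups": [{"Ref": "EC2InstanceSecurityGroup"}],
                "UserData": {"Fn::Base64": {"Fn::Sub":
                    '#cloud-config\nruncmd:\n  - curl -1 -sS "https://static.userify.com/installer.sh" | '
                    'api_id="${UserifyApiId}" api_key="${UserifyApiKey}" sudo -s -E\n'}},
            },
        },
        "EC2InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Enable SSH access via port 22",
                "SecurityGroupIngress": [
                    {"CidrIp": "0.0.0.0/0", "FromPort": "22", "IpProtocol": "tcp", "ToPort": "22"},
                ],
            },
        },
    },
}


def _looks_secret(name):
    return any(h in name.lower() for h in SECRET_HINTS)


def _security_groups(template):
    for rid, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            yield rid, res.get("Properties", {}).get("SecurityGroupIngress", [])


def open_ssh_ingress(template):
    """Ingress rules that expose TCP/22 (directly or via an all-ports rule) to everyone."""
    findings = []
    for rid, rules in _security_groups(template):
        for rule in rules:
            world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if world and str(rule.get("IpProtocol", "-1")) in ("tcp", "-1") and lo <= 22 <= hi:
                findings.append(f"{rid}: TCP/22 open to {rule.get('CidrIp') or rule.get('CidrIpv6')}")
    return findings


def unmasked_secret_parameters(template):
    """Credential-looking parameters without NoEcho; their values are returned by
    DescribeStacks and shown in the console."""
    return sorted(n for n, p in template.get("Parameters", {}).items()
                  if _looks_secret(n) and not p.get("NoEcho"))


def secrets_in_user_data(template):
    """Credential parameters substituted into UserData. NoEcho does not help here:
    user data is readable by any local process via the instance metadata service."""
    hits = []
    for rid, res in template.get("Resources", {}).items():
        ud = res.get("Properties", {}).get("UserData")
        b64 = ud.get("Fn::Base64") if isinstance(ud, dict) else None
        sub = b64.get("Fn::Sub") if isinstance(b64, dict) else None
        text = sub[0] if isinstance(sub, list) else sub      # Fn::Sub may be [string, {vars}]
        if isinstance(text, str):
            hits += [f"{rid}: ${{{ref}}} in UserData"
                     for ref in re.findall(r"\$\{(\w+)\}", text) if _looks_secret(ref)]
    return hits


def harden(template, cidr_param="AdminCidr"):
    """Copy of the template with NoEcho on credential parameters and every world-open
    CidrIp replaced by a launch-time parameter. The user-data finding is deliberately
    left alone: only a different bootstrap design removes it."""
    t = copy.deepcopy(template)
    for name in unmasked_secret_parameters(t):
        t["Parameters"][name]["NoEcho"] = True
    t.setdefault("Parameters", {})[cidr_param] = {
        "Type": "String", "Description": "CIDR allowed to reach SSH",
        "AllowedPattern": r"^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$"}
    for _, rules in _security_groups(t):
        for rule in rules:
            if rule.get("CidrIp") == "0.0.0.0/0":
                rule["CidrIp"] = {"Ref": cidr_param}
    return t


if __name__ == "__main__":
    for check in (open_ssh_ingress, unmasked_secret_parameters, secrets_in_user_data):
        print(check.__name__, check(TEMPLATE), "->", check(harden(TEMPLATE)))
```

Running it shows the open-port and NoEcho findings cleared by harden() while the user-data finding persists, which is the point: a credential that must reach the instance through user data has to be treated as readable by everything on that instance.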
