问题
I am relatively new to AWS and exploring different options available. While creating an instance if "Proceed without key pair" is selected we cannot connect to the instance.The documentation also has a note saying this option should not be selected.
So what is the main use of this option ?
In which scenarios are we suppose to use it?
回答1:
The option Proceed without key pair is used when:
- When the
sshdin your AMI is configured to use password based authentication and no ssh key is needed to access the machine sshdcan accept some otherusername/keycombination- If an unauthorized user gains access to AWS dashboard or metadata, he/she can get the name of the keypair and if he/she has access to the keypair, can ssh into the instance. With no keypair listed and another known key baked in the AMI, this security concern is addressed
- Windows: Admin password (for which private key is required to decrypt) is not needed because some other user is an admin
- Caution: If you launch an instance with no keypair and don't have any of the above mentined ways to access the instance, you have to relaunch the instance with a keypair.
回答2:
"Proceed without key pair" could, for example, be used for instances created from an AMI where the username and password are already known by the party creating the instance.
Keypairs are commonly used to generate login credentials on AMIs where agents to generate credentials have been installed. These are on most all AMIs that AWS themselves maintain. The default behavior for AWS maintained AMIs is a bit different depending on OS:
- Linux: You supply the private part of the keypair when SSHing into the EC2 instance. The username is different depending on the flavor of linux you're using, see here for more details.
- Windows: the EC2Config agent generates a password for the default "Administrator" windows user during bootup that are available via the AWS Console or CLI if you as the end user can supply the private part of the keypair.
Further Reading:
- AWS Documentation - Keypairs
- AWS Documentation - Accessing Instances
- AWS Documentation - Troubleshooting connecting to instances
回答3:
Not uploading a key for the default user account makes the instance more secure - the private part of the key might be found or used by ex-staff members etc.
As mentioned you can access the server in another way if the AMI you are using has another way set up - for example password etc.
You can also use the user data script to set up users, passwords, keys etc to enable access when the instance is first created.
You could also access the server using the AWS Systems Manager if the instance has had the amazon-ssm-agent installed (and this agent is installed by default in the AWS Amazon Linux AMI's). The AWS Systems Manager enables you to open a terminal session in your browser. Look at:
https://eu-west-1.console.aws.amazon.com/systems-manager
and check out 'Explore Session Manager' under 'Remote connect'.
回答4:
I think this is the simplest way to do that.
- Create a snapshot of you instance's volume
- Create a new instance and assign a key pair
- Stop the new instance
- Follow this tutorial https://community.spiceworks.com/how_to/159573-how-to-restore-your-aws-ec2-instance-from-a-snapshot
- Start the new instance
来源:https://stackoverflow.com/questions/40695719/use-of-proceed-without-key-pair-in-ec2-instance-creation