DEV Community

Discussion on: 2 factor authentication for SSH

Thomas H Jones II • Edited

One of the things I like about deploying on AWS: Instance Connect. Install the Instance Connect binaries on your EC2 and disable password logins. Need to SSH in? Use the AWS CLI to push a copy of your public key to your EC2's user-account, then do a key-login. Best part? The pushed-key is automatically removed after fifteen minutes. Outside of AWS, you can brew up an ephemeral-key solution with SSHD's AuthorizedKeysCommand.

Also: Duo, Okta and a few other 2FA providers make nice, easy PAM drop-ins as well. Pair the 2FA with ephemeral keys and your exposure becomes limited to flaws in the daemon itself ...which can be heavily mitigated with fail2ban.
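
An added example, not part of the comment above or of any project it names: one way to build the ephemeral-key setup it describes around sshd's `AuthorizedKeysCommand`. The store path, script path, file format and function names are assumptions made for illustration.

```python
"""Ephemeral-key helper for sshd's AuthorizedKeysCommand (added example).
Assumed sshd_config wiring (the script path is hypothetical):
    AuthorizedKeysCommand /usr/local/bin/ephemeral-keys %u
    AuthorizedKeysCommandUser nobody
"""
import re
import sys
import time
from pathlib import Path

STORE = Path("/var/lib/ephemeral-keys")  # hypothetical store: one file per user
TTL = 15 * 60                            # the fifteen-minute window from the comment
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def _user_file(store, user):
    # Accept only plain account names so "../" cannot escape the store.
    if not USER_RE.fullmatch(user):
        raise ValueError("invalid user name")
    return Path(store) / user

def push_key(store, user, pubkey, now=None, ttl=TTL):
    """Record pubkey for user with an expiry timestamp; return the expiry."""
    pubkey = pubkey.strip()
    # An embedded newline would smuggle in a second, unstamped line.
    if not pubkey or "\n" in pubkey or "\r" in pubkey:
        raise ValueError("public key must be a single line")
    expiry = int(now if now is not None else time.time()) + ttl
    with open(_user_file(store, user), "a") as fh:
        fh.write(f"{expiry} {pubkey}\n")
    return expiry

def active_keys(store, user, now=None):
    """Return the authorized_keys lines for user that have not expired."""
    now = int(now if now is not None else time.time())
    path = _user_file(store, user)
    if not path.exists():
        return []
    keys = []
    for line in path.read_text().splitlines():
        expiry, _, key = line.partition(" ")
        # Malformed or expired entries are skipped, so the helper fails closed.
        if expiry.isdigit() and int(expiry) > now and key:
            keys.append(key)
    return keys

if __name__ == "__main__" and len(sys.argv) == 2:
    # sshd passes the login name as %u and reads accepted keys from stdout.
    print("\n".join(active_keys(STORE, sys.argv[1])))
```

Expiry is enforced at lookup time, so a stale entry stops working even if nothing ever prunes the store file.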

JJ Asghar

Awesome, yeah the one cloud I've never used is actually AWS.

Luckily this article is for any cloud with SSH access :)