AWS/EC2

[AWS EIC] EC2 Instance Connect Endpoint를 사용하여 Bastion 없이 폐쇄된 VPC의 EC2에 접근

BigCo 2023. 7. 12. 15:10

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

## 필요하면 IAM정책 추가

저는 풀권한이 있어서 추가 설정은 안했습니다.

 

 

사용자에게 EC2 Instance Connect 엔드포인트를 사용한 인스턴스 연결 허용

더보기 
//해당 json코드에서 빨강색으로 표시된 부분만 수정해주시면 됩니다.

EX)
region : ap-northeast-2     //서울
access-ID : 73532934xxxx
eice-xxxxxxxxxxx : 엔드포인드 ID

// 접속할 포트
ec2-instance-connect:remotePort": "22"

// 접속할 IP -> 저는 VPC 대역을 넣어줌
"ec2-instance-connect:privateIpAddress": "10.10.0.0/27"

// 이 부분은 AWS의 EC2 Instance Connect 서비스에서 SSH 연결이 유지되는 최대 시간을 설정, 저는 60초
"ec2-instance-connect:maxTunnelDuration": "60"

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "EC2InstanceConnect",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
                },
                "NumericLessThanEquals": {
                    "ec2-instance-connect:maxTunnelDuration": "60"
                }
            }
        },
        {
            "Sid": "Describe",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

 

 

 

 

 

사용자의 EC2 Instance Connect 엔드포인트 생성, 설명 및 삭제 허용

더보기

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "GrantAllActionsInAllSubnets",
            "Action": [
                "ec2:CreateInstanceConnectEndpoint",
                "ec2:DeleteInstanceConnectEndpoint",
                "ec2:CreateNetworkInterface",
                "ec2:CreateTags",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:account-id:subnet/*"
        },
        {
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:::security-group/*"
        },
        {
            "Sid": "DescribeInstanceConnectEndpoints",
            "Action": [
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

 

 

사용자가 지정된 소스 IP 주소 범위에서만 연결하도록 허용

더보기

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                },
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                }
            }
        }
    ]
}

 

 

 

 

 

 

 

 

 

 

 

참고자료