Amazon Linux AMI EC2

Configure the Amazon Linux 2 MATE desktop connection

The MATE desktop environment is pre-installed and pre-configured in AMIs with the following description:

» .NET Core x.x , Mono x.xx , PowerShell x.x , and MATE DE pre-installed to run your .NET applications on Amazon Linux 2 with Long Term Support (LTS). «

The environment provides an intuitive graphical user interface for administering Amazon Linux 2 instances with minimal use of the command line. The interface uses graphical representations, such as icons, windows, toolbars, folders, wallpapers, and desktop widgets. Built-in, GUI-based tools are available to perform common tasks. For example, there are tools for adding and removing software, applying updates, organizing files, launching programs, and monitoring system health.

Important

xrdp is the remote desktop software bundled in the AMI. By default, xrdp uses a self-signed TLS certificate to encrypt remote desktop sessions. Neither AWS nor the xrdp maintainers recommend using self-signed certificates in production. Instead, obtain a certificate from an appropriate certificate authority (CA) and install it on your instances. For more information about TLS configuration, see TLS security layer on the xrdp wiki.

Prerequisite

To run the commands shown in this topic, you must install the AWS Command Line Interface (AWS CLI) or AWS Tools for Windows PowerShell, and configure your AWS profile.

Options
  1. Install the AWS CLI – For more information, see Installing the AWS CLI and Configuration basics in the AWS Command Line Interface User Guide.
  2. Install the Tools for Windows PowerShell – For more information, see Installing the AWS Tools for Windows PowerShell and Shared credentials in the AWS Tools for Windows PowerShell User Guide.

Configure the RDP connection

Follow these steps to set up a Remote Desktop Protocol (RDP) connection from your local machine to an Amazon Linux 2 instance running the MATE desktop environment.

  1. To get the ID of the Amazon Linux 2 AMI that includes MATE in its name, run the describe-images command from your local command line tool. If you have not installed the command line tools, you can run the same query from an AWS CloudShell session; for information about how to launch a shell session, see Getting started with AWS CloudShell. Because the filter matches on the AMI name only, add --owners amazon to the command so that a public AMI published by another account under a similar name cannot appear in the results. In the Amazon EC2 console, you can find the same AMI by launching an instance and entering MATE in the AMI search bar; the Amazon Linux 2 Quick Start with MATE pre-installed appears in the search results.
$ aws ec2 describe-images --filters "Name=name,Values=amzn2*MATE*" --query "Images[*].[ImageId,Name,Description]"
[
    [
        "ami-0123example0abc12",
        "amzn2-x86_64-MATEDE_DOTNET-2020.12.04",
        ".NET Core 5.0, Mono 6.12, PowerShell 7.1, and MATE DE pre-installed to run your .NET applications on Amazon Linux 2 with Long Term Support (LTS)."
    ],
    [
        "ami-0456example0def34",
        "amzn2-x86_64-MATEDE_DOTNET-2020.04.14",
        "Amazon Linux 2 with .Net Core, PowerShell, Mono, and MATE Desktop Environment"
    ]
]

After the package update completes, reboot the instance so that it runs the updated packages and libraries; in particular, a new kernel is not used until the instance reboots.

RDP login requires a password for the account, so set one for ec2-user. xrdp listens on TCP port 3389, so choose a strong password and limit the security group rule for that port to your own address range:

[ec2-user ~]$ sudo passwd ec2-user

If you do not have a certificate and key, use the following command to generate them in the /etc/xrdp directory.

$ sudo openssl req -x509 -sha384 -newkey rsa:3072 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365
Note

This command generates a certificate that is valid for 365 days.
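The openssl command above prompts interactively for the certificate subject and stops short of telling xrdp to use the files. The script below is an added example, not part of the AWS page or of the xrdp project: it generates the self-signed pair non-interactively, locks down the private key, and rewrites the TLS settings in xrdp.ini so that only TLS 1.2/1.3 sessions are accepted. XRDP_DIR, the function names and the apply argument are conventions of this example; the xrdp.ini keys it writes (security_layer, certificate, key_file, ssl_protocols) are xrdp's own. For a CA-issued certificate, skip gen_selfsigned and copy the files into place instead.

```shell
#!/bin/sh
# Added example (not from the AWS page): install TLS material for xrdp and
# point xrdp.ini at it. XRDP_DIR is an assumed override so the functions can be
# exercised against a scratch directory; on an instance leave it at /etc/xrdp.
set -eu

XRDP_DIR="${XRDP_DIR:-/etc/xrdp}"

# Generate a self-signed key pair non-interactively (-subj avoids the prompts).
# Suitable for testing only; for production install a CA-issued cert.pem and
# key.pem in the same location instead of calling this.
gen_selfsigned() {
    openssl req -x509 -sha384 -newkey rsa:3072 -nodes -days 365 \
        -subj "/CN=$(hostname)" \
        -keyout "$XRDP_DIR/key.pem" -out "$XRDP_DIR/cert.pem"
    # xrdp runs as root; nobody else needs to read the private key.
    chmod 600 "$XRDP_DIR/key.pem"
    chmod 644 "$XRDP_DIR/cert.pem"
}

# configure_tls INI CERTDIR: rewrite the [Globals] section of an xrdp.ini.
# Any existing copies of the four TLS keys are dropped and one authoritative
# set is emitted at the end of [Globals]. security_layer=tls refuses clients
# that cannot negotiate TLS; ssl_protocols pins the versions. If the file has
# no [Globals] section at all, one is appended.
configure_tls() {
    ini="$1"
    certdir="$2"
    awk -v dir="$certdir" '
        function emit() {
            if (in_globals && !done) {
                print "security_layer=tls"
                print "certificate=" dir "/cert.pem"
                print "key_file=" dir "/key.pem"
                print "ssl_protocols=TLSv1.2, TLSv1.3"
                done = 1
            }
        }
        /^\[/ { emit(); in_globals = ($0 == "[Globals]") }
        in_globals && /^(security_layer|certificate|key_file|ssl_protocols)=/ { next }
        { print }
        END { if (!done) { if (!in_globals) print "[Globals]"; in_globals = 1; emit() } }
    ' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Usage on the instance (as root): sh xrdp-tls.sh apply
if [ "${1:-}" = "apply" ]; then
    gen_selfsigned
    configure_tls "$XRDP_DIR/xrdp.ini" "$XRDP_DIR"
    systemctl restart xrdp
fi
```

security_layer=tls is stricter than xrdp's shipped default, negotiate, which lets a client fall back to the legacy RDP security layer with no certificate involved at all; with tls, a client that cannot do TLS is refused rather than downgraded. Restart xrdp after changing the file so that new sessions use the new settings.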

To disable xrdp on your Amazon EC2 instance

You can disable xrdp at any time by running the following commands on your Linux instance. disable prevents the service from starting at boot and stop ends the running service, so run both to turn it off now and keep it off. Neither command affects your ability to use MATE through an X11 server.

[ec2-user ~]$ sudo systemctl disable xrdp
[ec2-user ~]$ sudo systemctl stop xrdp
To enable xrdp on your Amazon EC2 instance

To re-enable xrdp so that you can connect to your Amazon Linux 2 instance running the MATE desktop environment, run the following commands on your Linux instance: enable makes the service start on subsequent boots, and start starts it now.

[ec2-user ~]$ sudo systemctl enable xrdp
[ec2-user ~]$ sudo systemctl start xrdp


Guidelines for shared Linux AMIs

Use the following guidelines to reduce the attack surface and improve the reliability of the AMIs you create.

Important

No list of security guidelines can be exhaustive. Build your shared AMIs carefully and take time to consider where you might expose sensitive data.


If you are building AMIs for AWS Marketplace, see Best practices for building AMIs in the AWS Marketplace Seller Guide for guidelines, policies, and best practices.


Update the AMI tools before using them

For AMIs backed by instance store, we recommend that your AMIs download and upgrade the Amazon EC2 AMI creation tools before you use them. This ensures that new AMIs based on your shared AMIs have the latest AMI tools.

For Amazon Linux 2, install the aws-amitools-ec2 package and add the AMI tools to your PATH with the following command. The command also writes a profile.d snippet so that the PATH change persists for later logins. On the Amazon Linux AMI, the aws-amitools-ec2 package is installed by default.

[ec2-user ~]$ sudo yum install -y aws-amitools-ec2 && echo 'export PATH=$PATH:/opt/aws/bin' | sudo tee /etc/profile.d/aws-amitools-ec2.sh && . /etc/profile.d/aws-amitools-ec2.sh

Upgrade the AMI tools with the following command:

[ec2-user ~]$ sudo yum upgrade -y aws-amitools-ec2

For other distributions, make sure you have the latest AMI tools.

Disable password-based remote logins for the root user

Using a fixed root password for a public AMI is a security risk that can quickly become known. Even relying on users to change the password after the first login opens a small window of opportunity for potential abuse.


To solve this problem, disable password-based remote logins for the root user.

To disable password-based remote logins for the root user, set the following directive in /etc/ssh/sshd_config and restart sshd. Root can then still log in with an SSH key, but not with a password:

PermitRootLogin without-password

without-password is the original spelling of this value. OpenSSH 7.0 renamed it prohibit-password and still accepts the old name as an alias, so either spelling works on Amazon Linux 2.

Disable local root access

When you work with shared AMIs, a best practice is to disable direct root logins. To do this, log into your running instance and issue the following command:

[ec2-user ~]$ sudo passwd -l root
Note

This command locks the root password; it does not impact the use of sudo.

Remove SSH host key pairs

If you plan to share an AMI derived from a public AMI, remove the existing SSH host key pairs located in /etc/ssh. This forces SSH to generate new, unique host keys when someone launches an instance from your AMI. If every instance launched from the AMI shared the same host key, anyone who had launched the AMI would hold that private key and could impersonate any other instance to a client that has recorded the key in known_hosts; fresh keys per instance remove this "man-in-the-middle" opportunity.

Remove all of the following key files that are present on your system.

  • ssh_host_dsa_key
  • ssh_host_dsa_key.pub
  • ssh_host_key
  • ssh_host_key.pub
  • ssh_host_rsa_key
  • ssh_host_rsa_key.pub
  • ssh_host_ecdsa_key
  • ssh_host_ecdsa_key.pub
  • ssh_host_ed25519_key
  • ssh_host_ed25519_key.pub

You can securely remove all of these files with the following command.

[ec2-user ~]$ sudo shred -u /etc/ssh/*_key /etc/ssh/*_key.pub
Warning

Secure deletion utilities such as shred may not remove all copies of a file from your storage media. Hidden copies of files may be created by journalling file systems (including the Amazon Linux default, ext4), snapshots, backups, RAID, and temporary caching. For more information, see the shred documentation.

Important

If you forget to remove the existing SSH host key pairs from your public AMI, our routine auditing process notifies you and all customers running instances of your AMI of the potential security risk. After a short grace period, we mark the AMI private.

Install public key credentials

After configuring the AMI to prevent logging in using a password, you must make sure users can log in using another mechanism.

Amazon EC2 allows users to specify a public-private key pair name when launching an instance. When a valid key pair name is provided to the RunInstances API call (or through the command line API tools), the public key (the portion of the key pair that Amazon EC2 retains on the server after a call to CreateKeyPair or ImportKeyPair ) is made available to the instance through an HTTP query against the instance metadata.

To log in through SSH, your AMI must retrieve the key value at boot and append it to /root/.ssh/authorized_keys (or the equivalent for any other user account on the AMI). Users can launch instances of your AMI with a key pair and log in without requiring a root password.

Many distributions, including Amazon Linux and Ubuntu, use the cloud-init package to inject public key credentials for a configured user. If your distribution does not support cloud-init, you can add the following code to a system start-up script (such as /etc/rc.local) to pull in the public key you specified at launch for the root user.

Note

In the following example, http://169.254.169.254/ is the link-local address of the instance metadata service and is reachable only from the instance itself.

IMDSv2 (preferred; also works on instances launched with IMDSv2 required)

if [ ! -d /root/.ssh ] ; then
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
fi
# Fetch the public key over IMDSv2: request a session token, then the metadata.
# -f makes curl fail on an HTTP error (for example a 404 when the instance was
# launched without a key pair) so that an error body is never appended to authorized_keys.
KEYFILE=$(mktemp)
TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
&& curl -sf -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > "$KEYFILE"
if [ $? -eq 0 ] ; then
    cat "$KEYFILE" >> /root/.ssh/authorized_keys
    # authorized_keys is data, not a program: mode 600 is enough and satisfies sshd's StrictModes check.
    chmod 600 /root/.ssh/authorized_keys
fi
rm -f "$KEYFILE"

IMDSv1 (legacy; fails on instances launched with IMDSv2 required)

if [ ! -d /root/.ssh ] ; then
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
fi
# Fetch the public key using plain HTTP (no session token).
KEYFILE=$(mktemp)
curl -sf http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > "$KEYFILE"
if [ $? -eq 0 ] ; then
    cat "$KEYFILE" >> /root/.ssh/authorized_keys
    chmod 600 /root/.ssh/authorized_keys
fi
rm -f "$KEYFILE"

This can be applied to any user; you do not need to restrict it to the root user.

Note

Rebundling an instance based on this AMI includes the key with which it was launched. To prevent the key’s inclusion, you must clear out (or delete) the authorized_keys file or exclude this file from rebundling.

Disabling sshd DNS checks (optional)

With DNS checks enabled, sshd resolves each connecting client's IP address to a hostname and verifies that the hostname resolves back to the same address; the result matters only for hostname patterns in from= options in authorized_keys. Disabling the checks therefore slightly weakens your sshd security, but SSH logins keep working when DNS resolution fails. If you do not disable the checks, DNS resolution failures can prevent all logins, or delay them while lookups time out.

To disable sshd DNS checks, set UseDNS no in the sshd configuration file (/etc/ssh/sshd_config for OpenSSH) and restart sshd.

Note

The location of this configuration file can differ for your distribution or if you are not running OpenSSH. If this is the case, consult the relevant documentation.
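Both sshd changes on this page (PermitRootLogin without-password above, and the DNS check here) are single directives in sshd_config, and both are easy to get wrong by hand: sshd honours the first occurrence of a directive, so a line appended at the end of the file is ignored if an earlier active copy exists, and a line placed below a Match block applies only to that block's sessions. The script below is an added example, not from the AWS page or the OpenSSH project: set_sshd_option replaces any active or commented-out copy of a directive in the global section and otherwise inserts it above the first Match line; harden_sshd applies the page's two settings plus PasswordAuthentication no, which turns off password logins for every account rather than only root. The file argument, the apply convention and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS page): set sshd_config directives idempotently,
# replacing active or commented-out copies and keeping new lines above any
# Match block, where they would otherwise apply only to that block's sessions.
set -eu

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    cfg="$1"
    key="$2"
    value="$3"
    awk -v k="$key" -v v="$value" '
        BEGIN { seen = 0; in_match = 0 }
        # First Match line: a global directive must be placed above it.
        tolower($1) == "match" {
            if (!seen) { print k " " v; seen = 1 }
            in_match = 1
        }
        # Active ("Keyword") or commented ("#Keyword") copy in the global section:
        # the first one becomes the new line, later duplicates are dropped.
        !in_match && (tolower($1) == tolower(k) || tolower($1) == "#" tolower(k)) {
            if (!seen) { print k " " v; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print k " " v }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# harden_sshd FILE: the settings discussed on the page. prohibit-password is the
# current spelling of without-password (OpenSSH 7.0+; the old name still works).
harden_sshd() {
    cfg="$1"
    set_sshd_option "$cfg" PermitRootLogin prohibit-password
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" UseDNS no
}

# Usage on the instance (as root): sh harden-sshd.sh apply
# sshd -t validates the result before the running daemon picks it up.
if [ "${1:-}" = "apply" ]; then
    harden_sshd /etc/ssh/sshd_config
    sshd -t && systemctl reload sshd
fi
```

Keep an existing session open while you reload sshd: if the new configuration locks you out, the open session is the way back in.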

Protect yourself

We recommend against storing sensitive data or software on any AMI that you share. Users who launch a shared AMI might be able to rebundle it and register it as their own. Follow these guidelines to help you to avoid some easily overlooked security risks:

  • We recommend using the --exclude directory option on ec2-bundle-vol to skip any directories and subdirectories that contain secret information that you would not like to include in your bundle. In particular, exclude all user-owned SSH public/private key pairs and SSH authorized_keys files when bundling the image. The Amazon public AMIs store these in /root/.ssh for the root user and in /home/user_name/.ssh/ for regular users. For more information, see ec2-bundle-vol.
  • Always delete the shell history before bundling. If you attempt more than one bundle upload from the same instance, the shell history contains the access key you passed on the earlier attempt. The history-clearing command should be the last thing you run inside the instance before bundling.
Warning

The limitations of shred described in the warning above apply here as well. Be aware that bash writes the history of the current session to disk on exit. If you log out of your instance after deleting ~/.bash_history and then log back in, you will find that ~/.bash_history has been re-created and contains all of the commands you ran during your previous session. Other programs besides bash also write histories to disk. Use caution, and remove or exclude unnecessary dot-files and dot-directories.
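Putting the host-key guidance and the history guidance above into one repeatable step: the script below is an added example, not AWS tooling, and its ROOT parameter, function names and history-file list are assumptions of this example. sanitize_image removes the SSH host keys and the history files of root and of every home directory; ssh_dirs_to_exclude builds the comma-separated list that ec2-bundle-vol --exclude takes, because the .ssh directories should be kept out of the bundle rather than deleted from the running instance you are still logged in to.

```shell
#!/bin/sh
# Added example (not from the AWS page): scrub an instance before bundling it
# into a shared AMI. ROOT is an assumed parameter so the functions can be run
# against a scratch tree; on the instance pass / (as root).
set -eu

# Files that shells and tools write command history to (assumed list; extend
# it to match what is installed on the image).
HISTORY_FILES=".bash_history .zsh_history .sh_history .mysql_history .psql_history .python_history .lesshst .viminfo"

# shred when available, with the page's caveat: on journalling file systems,
# snapshots and EBS volumes shredding does not guarantee the bytes are gone,
# so the real protection is not having the secret on the volume you bundle.
secure_rm() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$@"
    else
        rm -f "$@"
    fi
}

# sanitize_image ROOT: remove host keys and history files under ROOT.
sanitize_image() {
    root="${1%/}"
    # SSH host keys (same patterns as the page's shred command): each instance
    # launched from the AMI then generates its own, so none can impersonate another.
    for f in "$root"/etc/ssh/*_key "$root"/etc/ssh/*_key.pub; do
        [ -e "$f" ] || continue
        secure_rm "$f"
    done
    # Shell and tool histories for root and every home directory.
    for home in "$root"/root "$root"/home/*; do
        [ -d "$home" ] || continue
        for h in $HISTORY_FILES; do
            [ -e "$home/$h" ] || continue
            secure_rm "$home/$h"
        done
    done
}

# ssh_dirs_to_exclude ROOT: comma-separated list of .ssh directories in the
# form ec2-bundle-vol --exclude expects. They are excluded rather than deleted
# because the authorized_keys of the account you are logged in with is still needed.
ssh_dirs_to_exclude() {
    root="${1%/}"
    out=""
    for d in "$root"/root/.ssh "$root"/home/*/.ssh; do
        [ -d "$d" ] || continue
        out="${out:+$out,}$d"
    done
    printf '%s\n' "$out"
}

# Usage on the instance: sh prebundle.sh apply
if [ "${1:-}" = "apply" ]; then
    sanitize_image /
    echo "pass to ec2-bundle-vol: --exclude $(ssh_dirs_to_exclude /)"
fi
```

Run it last, as the page says, and then in the same interactive shell clear the in-memory history (history -c) and unset HISTFILE so that bash does not rewrite .bash_history when the session ends; a child script cannot reach into the calling shell to do that for you.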

