Severity : High
Description:
...
This controls ensures that EC2 instances use key pair as set of login security credential and does not use username and password. Its recommended to use key pair as user/password method is not secure and can be misused.
Remediation Steps:
Perform following to update Key pair for login to instance:
Create a Key pair
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to EC2 console.
In the Network and security, click Key Pairs.
Choose Create key pair.
Enter a Name for the key.
For Key pair type, choose either RSA.
For Private key file format, choose pem (OpenSSH).
Enter tag information by choosing Add tag,
Choose Create key pair.
Save the private key downloaded by browser. This is last chance to save the private key.
Retrieve the public key from the private key
On a local machine where the private key saved, run the following command
Code Block ssh-keygen -y -f /path_to_key_pair/my-key-pair.pemSave the output to a file to use in instance.
Update Public Key on the EC2 instance ( Linux Instance)
Connect to the instance using current username and password.
In the terminal window, open the .ssh/authorized_keys file using ext editor.
copy the public key generated in above and paste the key in the .ssh/authorized_keys file. Save the file.
Disconnect from your instance, and test shh connection to instance using the new private key file.
Disable password login on the Instance
Edit the sshd_config file in the editor.
Set ChallengeResponseAuthentication, PasswordAuthentication and UsePAM parameters to to No.
Save and close the file. Restart the Instance.
Important:
Ensure that the key pair replacing password is not specified in launch template until the key is successfully tested with existing instances.
Reference: