Explore key concepts of SSH key management and secure access for virtual server instances within virtual private clouds. This quiz covers essential practices, common scenarios, and mistake prevention techniques important for cloud security in DevOps workflows.
Which of the following is the primary purpose of using SSH key pairs when accessing EC2 instances in a virtual private cloud?
Explanation: SSH key pairs are primarily used to securely verify a user's identity when connecting to an instance. Using SSH keys does not affect instance storage, has no impact on network speed, and is unrelated to static IP address assignment. The other options describe functionalities not provided by SSH authentication.
If you generate an SSH key pair for EC2 access, where should you securely store the private key?
Explanation: The private key should be kept only on your authorized local device and never be shared or uploaded elsewhere. Storing it on the EC2 instance or a shared drive compromises security, and putting it in a public repository is highly unsafe. Only local, secure storage ensures the private key remains confidential.
When connecting to a new EC2 instance using SSH, what is commonly the default username for most Linux distributions?
Explanation: For many Linux-based environments, 'ec2-user' is the default username provided for SSH access. 'Admin' and 'ubuntu-user' are not default users, although 'ubuntu' (not 'ubuntu-user') may be used for some images; however, 'root' is usually disabled for direct access due to security reasons.
In typical SSH key authentication for an EC2 instance, where is the public key stored after initial setup?
Explanation: The public key is stored in the 'authorized_keys' file inside the user’s SSH directory on the server. Keeping it in the local desktop folder or VPC settings would not grant access. Leaving it in an unsecured text file poses a security threat and is not a recommended practice.
If you lose the private SSH key for your EC2 instance and have no backup, which is the safest way to regain access?
Explanation: The recommended approach is to create a new key pair and update the server's 'authorized_keys' with the new public key; this restores access securely. Guessing or using the public key is not possible, and simply restarting the instance does not reset SSH credentials.
Which file permission setting should you use for your SSH private key to ensure it is securely protected on a local system?
Explanation: Setting permissions to 'chmod 600' ensures only the owner can read and write the key file, preventing unauthorized access. Allowing read or write access for everyone, or setting it to execute only, compromises the file’s security and confidentiality.
Which method is considered unsafe when sharing SSH key pairs for EC2 access within a team?
Explanation: Transmitting private keys via email exposes them to interception and compromise. Assigning unique key pairs or sharing public keys are secure practices, while secure file exchange tools can help when public keys must be shared. The private key should never be distributed.
Which step should you take to revoke SSH access for a former team member from an EC2 instance?
Explanation: By deleting the user’s public key from 'authorized_keys', you effectively remove their SSH access. Changing the instance hostname, security group, or blocking all traffic is unnecessary or disruptive, affecting other users and services.
To enhance security, what is the recommended practice when configuring network access for SSH on EC2 instances?
Explanation: Limiting SSH (port 22) access to specific IP ranges significantly reduces the attack surface. Opening port 22 to everyone or allowing all inbound traffic exposes the instance to risks, while using default settings without review can be unsafe.
Why is it important to regularly rotate SSH key pairs used for EC2 instance access?
Explanation: Regular rotation of SSH keys ensures that if a key is lost or compromised, unauthorized access is prevented or limited. Key rotation does not influence boot time, network speed, or processing power; these are technical distractors unrelated to secure access.