← Back to team overview

cloud-init-dev team mailing list archive

Re: [Bug 1835114] Re: [MIR] ec2-instance-connect

 

On Tue, Feb 25, 2020 at 04:21:05PM -0000, Balint Reczey wrote:
> This is a temporary key and it is indeed available to everyone being
> able to run curl on the system:
> https://www.reddit.com/r/aws/comments/85vkq6/question_about_accesskeyid_secretaccesskey_in/
> 
> The package does not change the availability of the key, so I believe
> this is not a concern regarding the package, but a general concern
> regarding EC2 instances.

Excellent, this is exactly the confirmation that this is expected.

> Can I take this as an OK for the MIR, from the Security Team?

Yes, security team ACK for promoting ec2-instance-connect to main, with
the understanding that it shouldn't be seeded in generic media.

Thanks

-- 
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  [Rationale]
  This package is useful on Amazon EC2 instances to make use of a new feature:
  Instance Connect; which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an
  instance.

  [Security]
  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists in a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service;
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  [Dependencies]
  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers, there are no standards violations known.

  [Maintenance]
  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions


References