1. Secure SSH Access to EC2 Instances for Model Deployment


    To establish secure SSH access to EC2 instances for model deployment, we'll set up an AWS EC2 instance with a security group allowing SSH access. The EC2 instance will serve as the server where your model will be deployed. We will use an SSH key pair for authentication, which is more secure than using a password.

    Here's a step-by-step guide followed by a Pulumi Python program:

    1. Create a new key pair for SSH access if you don't already have one. This step is done outside of Pulumi and the public key will be used when creating the EC2 instance to allow for secure SSH connections.

    2. Define a security group whose rules allow SSH access (typically on port 22) only from a specific IP address or range, to avoid exposing the instance to the entire internet.

    3. Create an EC2 instance in your VPC and specify the key pair and security group created earlier.

    Now let's write the Pulumi program that sets up the above infrastructure.

    ```python
    import pulumi
    import pulumi_aws as aws

    # Create a new key pair for SSH access
    # NOTE: You should generate your own SSH key pair and provide the public key here.
    # The following is a placeholder for the public key.
    ssh_pub_key = """
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtNuv9KEa6NcRjCTJsiS2pqY+5
    RVP5UT5TkjI1LGR3R6b+NeQ6eEeHzNx+JhC2phd1dU4E1c36YN9LqcLdmKoEeIT
    """

    # Register the public key with AWS so the instance can reference it by name.
    # key_name on the instance expects a key pair name, not the key material itself.
    key_pair = aws.ec2.KeyPair('ssh-key', public_key=ssh_pub_key)

    # A security group that permits SSH ingress and allows all egress traffic
    sec_group = aws.ec2.SecurityGroup('secgroup',
        description='Enable SSH access via port 22',
        ingress=[{
            'protocol': 'tcp',
            'from_port': 22,
            'to_port': 22,
            # Placeholder address (documentation range): replace it with
            # your own IP address or range to keep SSH access narrow.
            'cidr_blocks': ['203.0.113.10/32'],
        }],
        egress=[{
            'protocol': '-1',  # Represents all protocols
            'from_port': 0,
            'to_port': 0,
            'cidr_blocks': ['0.0.0.0/0'],
        }]
    )

    # Find the latest Ubuntu AMI published by Canonical
    latest_ubuntu_ami = aws.ec2.get_ami(
        most_recent=True,
        owners=["099720109477"],  # Ubuntu
        filters=[{
            'name': 'name',
            'values': ['ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*'],
        }]
    )

    # Create an EC2 instance with the security group and key pair
    instance = aws.ec2.Instance('web-server-www',
        instance_type='t2.micro',  # Adjust as necessary
        vpc_security_group_ids=[sec_group.id],
        ami=latest_ubuntu_ami.id,
        key_name=key_pair.key_name,  # Name of the key pair registered above
        # Additional parameters like subnet, etc, can be specified here.
    )

    # Export the DNS name and public IP of the instance
    pulumi.export('public_dns', instance.public_dns)
    pulumi.export('public_ip', instance.public_ip)
    ```

    This program starts by setting up a key pair and security group. The security group opens only TCP port 22 (used by SSH) for inbound traffic; its ingress cidr_blocks entry is where you specify your own IP address for controlled access.

    It then looks up the latest Ubuntu 20.04 AMI and creates an EC2 instance from it, attaching the security group and the SSH key pair to secure access.

    After running this Pulumi program with pulumi up, you can SSH into your server using the associated private key that corresponds to the public key provided. Model deployment procedures can then follow through SSH access to this server.

    Remember, for production scenarios, it is recommended to narrow the ingress cidr_blocks down to your own IP range instead of allowing access from any address, and to manage your secrets (including SSH keys) securely, for example with a secrets manager.
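
    One way to enforce the advice about narrowing cidr_blocks is to audit the ingress rules before running pulumi up. The following is an added example, not part of the original program: the function names, the 256-address threshold and the sample rules are assumptions made for illustration, and the rule dictionaries use the same keys as the security group above.

```python
import ipaddress

SSH_PORT = 22

def covers_ssh(rule):
    """True if the rule's protocol and port range include TCP port 22."""
    proto = str(rule.get("protocol", "")).lower()
    if proto in ("-1", "all"):  # all protocols: the port range is ignored
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("from_port", 0) <= SSH_PORT <= rule.get("to_port", 0)

def audit_ssh_ingress(rules, max_addresses=256):
    """Return (rule_index, cidr, reason) for every over-broad SSH source."""
    findings = []
    for i, rule in enumerate(rules):
        if not covers_ssh(rule):
            continue
        cidrs = list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", []))
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:  # empty string, typo, or host bits set
                findings.append((i, cidr, "invalid CIDR"))
                continue
            if net.prefixlen == 0:
                findings.append((i, cidr, "open to the whole internet"))
            elif net.num_addresses > max_addresses:  # assumed policy threshold
                findings.append((i, cidr, "range wider than allowed"))
    return findings

# Constructed sample rules (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["203.0.113.10/32"]},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    {"protocol": "tcp", "from_port": 0, "to_port": 1024,
     "cidr_blocks": ["198.51.100.0/22"], "ipv6_cidr_blocks": ["::/0"]},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": [""]},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for index, cidr, reason in audit_ssh_ingress(SAMPLE_RULES):
        print(f"ingress rule {index}: {cidr!r} -> {reason}")
```

    Calling audit_ssh_ingress on the ingress list before constructing the SecurityGroup, and raising an error when it returns findings, stops a deployment that would expose SSH too widely.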