1

If someone with a .pem keypair for a number of EC2 instances leaves the company, what is best practice for removing access for that key? Presumably simply deleting the key from the AWS console does not then deny them access to all instances so is there a smart way to audit and remove their access? If I don't have a copy of the keyfile, how can one be sure they didn't add the public key to other instances?

Assume Ubuntu 12.04 EC2 instances

codecowboy
  • 1,307
  • 7
  • 18
  • 31

2 Answers

2

After installation, Amazon doesn't do anything to your instances anymore so I don't think they have functionality to provide for this scenario. You could hack up a script to loop over all instances and check if his key is there (it's not pretty, but it'll work :) ):

# Field 4 of an INSTANCE line from ec2-describe-instances is the public DNS name
for INSTANCE in $(ec2-describe-instances | grep INSTANCE | grep running | awk '{print $4;}')
do
  # look for the key by its comment (here the username "mtak") in the login user's authorized_keys
  if ssh -l ec2-user -o StrictHostKeyChecking=no "$INSTANCE" 'grep -q mtak ~/.ssh/authorized_keys'
  then
    echo "$INSTANCE"
  fi
done

You could also add a sed one-liner to remove the key from the authorized_keys file.

mtak
  • 581
  • 4
  • 11
  • thanks. By installation do you mean after starting an EC2 instance for the first time? I'm also interested in exactly what happens with the keypair at that point. I believe Amazon 'injects' the private key into the instance at that point. – codecowboy Apr 09 '14 at 13:42
  • 1
    Indeed, after first boot they don't touch your instance anymore. As you said, they put the keypair in the ~ec2-user/.ssh/authorized_keys file, it's as simple as that. – mtak Apr 09 '14 at 13:43
  • I guess I can't assume the first line in that file is the one added by Amazon? – codecowboy Apr 09 '14 at 13:49
  • When the instance initially boots, it is the first line. However depending on how you and your co-workers modify the authorized_keys file, I wouldn't count on it (at the risk of locking yourself out :) ) – mtak Apr 09 '14 at 13:51
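An added example (not code from the answer above) that does the same audit and removal, but matches on the key material itself rather than on the comment, since the comment is free text and an authorized_keys line may start with options such as command="..." that shift the columns. It assumes the AWS CLI (aws ec2 describe-instances) is configured and that ec2-user can ssh to each host; the key lines in the test are constructed.

```shell
#!/bin/sh
# Audit and revoke one SSH public key across EC2 instances.
# Added example; assumes the AWS CLI and ssh access as ec2-user.

# Extract the base64 key material from a public key line
# ("ssh-rsa AAAA... comment"); this is what identifies the key.
key_blob() { printf '%s\n' "$1" | awk '{print $2}'; }

# Print the lines of an authorized_keys file that carry the given blob.
# Any field may be the blob, so lines with a leading options prefix
# (command="...", from="...") are matched too.
find_key() {  # usage: find_key <authorized_keys file> <key blob>
  awk -v blob="$2" '{ for (i = 1; i <= NF; i++) if ($i == blob) { print; next } }' "$1"
}

# Remove every line carrying the blob, keeping a .bak copy of the file.
# Prints the number of lines removed so the caller can verify the change.
revoke_key() {  # usage: revoke_key <authorized_keys file> <key blob>
  before=$(wc -l < "$1")
  cp "$1" "$1.bak"
  awk -v blob="$2" '{ for (i = 1; i <= NF; i++) if ($i == blob) next; print }' "$1.bak" > "$1"
  echo $((before - $(wc -l < "$1")))
}

# List the running instances whose ec2-user still trusts the key.
# Read-only on the remote side; run revoke_key there after reviewing the list.
audit_fleet() {  # usage: audit_fleet <key blob>
  aws ec2 describe-instances \
    --filters Name=instance-state-name,Values=running \
    --query 'Reservations[].Instances[].PublicDnsName' --output text |
  tr '\t' '\n' |
  while read -r host; do
    [ -n "$host" ] || continue
    # grep -F: the blob is base64, so a fixed-string search is exact enough for an audit
    if ssh -l ec2-user "$host" "grep -Fq -- '$1' ~/.ssh/authorized_keys"; then
      echo "$host"
    fi
  done
}
```

Without a copy of the public key the blob is unknown and the only handle left is the comment field, which is what the answer's grep relies on.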
1

As a security measure, you could also limit access to your servers to your network's range of IP addresses using the Security group settings. In this way, you could prevent people from accessing your EC2 instances even though they have the .pem keypair.

Big Data
  • 114
  • 2
  • 11