2

Recently someone left our organization who had an SSH key for our production Amazon Elastic Beanstalk environment. How is this scenario typically handled? Is a new key-pair created and then distributed among the other people who have access? Is there a best practice for managing EB SSH keys?

EDIT:

The trick we eventually went with was to store an authorized_keys file in a secure S3 bucket and to merge the contents with /home/ec2-user/.ssh/authorized_keys along the lines of the answers provided in this SO question. An important detail for people just coming up to speed on Elastic Beanstalk is that it's really just an abstraction over other AWS services, and it's got some gaps that you have to fill in yourself.

Eric W.

1 Answer

4

Best practice is not to share private keys (you don't share underwear either, do you?). Everyone should have his public key copied to the machines where he has access, and once he leaves, his public keys are removed. Simple as that. This should be handled centrally using SSO or at least some automation such as Ansible.

If you share a key that somebody outside the company has, you should really change it by creating a new one.

Jakuje
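An added example, not code from the question or the answer: one way to combine the S3 merge described in the question's edit with the per-user key removal the answer recommends. It assumes the managed key list has already been downloaded from the bucket to a local file; the marker strings and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Marker strings and function names are hypothetical.
BEGIN_MARK="# BEGIN managed-keys"
END_MARK="# END managed-keys"

# sync_authorized_keys MANAGED_FILE TARGET_FILE
# Lines outside the managed block (e.g. the key pair the instance was launched
# with) are kept; the block itself is replaced by MANAGED_FILE's keys, so a
# key deleted from the central file is also deleted on the host.
sync_authorized_keys() {
  managed="$1"; target="$2"
  # Refuse a missing or key-less list (failed download): do not wipe access.
  awk '!/^[ \t]*(#|$)/ { found = 1 } END { exit !found }' "$managed" \
    2>/dev/null || return 1
  tmp="$(mktemp "${target}.XXXXXX")" || return 1
  chmod 600 "$tmp"
  {
    if [ -f "$target" ]; then   # 1. everything outside the old managed block
      awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip' "$target"
    fi
    echo "$BEGIN_MARK"          # 2. fresh block: no comments, blanks, repeats
    awk '!/^[ \t]*(#|$)/ && !seen[$0]++' "$managed"
    echo "$END_MARK"
  } > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$target"           # atomic replace on the same filesystem
}

# Demo with constructed keys (not real key material): run with --demo.
demo() {
  d="$(mktemp -d)"
  echo 'ssh-ed25519 AAAAlaunch eb-launch-key' > "$d/authorized_keys"
  printf '%s\n' 'ssh-ed25519 AAAAalice alice' 'ssh-ed25519 AAAAbob bob' > "$d/team"
  sync_authorized_keys "$d/team" "$d/authorized_keys"
  echo 'ssh-ed25519 AAAAalice alice' > "$d/team"     # bob leaves
  sync_authorized_keys "$d/team" "$d/authorized_keys"
  cat "$d/authorized_keys"                            # bob's key is gone
  rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Keys appended by an earlier plain merge sit outside the markers, so they need a one-time manual cleanup before this reconciliation fully controls who has access.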