I'm working in a team with 8 people. I need to create an EC2 instance. Just before I create the instance, EC2 lets me create a key pair and then download it.

The problem is that this way I need to share the same private key with all 8 team members.

Now, what happens if tomorrow one of the teammates leaves? I will need to recreate the machine with a new key pair.

How can I manage the keys correctly so that every team member has his/her own unique key, associated with his/her IAM user, so that once he/she leaves the company I will be able to invalidate his/her key?

Alon

4 Answers

Try to avoid giving the PEMs for the instances to everyone; keep these with the administrators in a tool such as a password vault.

Remember that to rotate these PEMs you would need to manually replace the authorized_keys on any Linux instance, and for Windows instances, where you use this PEM to get the Windows password, you would need to replace and launch with the new PEM.

AWS has a couple of solutions that help make secure access to your Linux instances easier:

  • If you do not need to actually SSH to the host, but just need terminal access, you can make use of Session Manager. Using this tool you can access a terminal within the AWS console or connect via the CLI. Interactions with the terminal can be scoped to allow only specific commands, with functionality for auditing built in.
  • If you would like to connect to a terminal, you can use EC2 Instance Connect. Using this option you can generate a temporary key and then provide it via the CLI to allow temporary access using this PEM. Once this command is run (and is successful), you will be able to connect to the instance temporarily using the SSH terminal with your temporary PEM.
Chris Williams
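An added example, not part of Chris Williams' answer, of the EC2 Instance Connect flow he describes: a throw-away key pair is generated for each login, its public half is pushed with the AWS CLI, one SSH session is opened, and the key is deleted, so no long-lived PEM is ever handed out. The instance ID, OS user and host are hypothetical placeholders. `iam_policy` prints the least-privilege IAM statement that scopes one teammate to one instance and one OS user through the `ec2:osuser` condition key; attach it to each person's own IAM user, and deleting that IAM user is what revokes their access.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): log in over EC2 Instance Connect
# with an ephemeral key instead of a shared PEM. Hypothetical values: instance
# i-0123456789abcdef0, OS user ec2-user, host 203.0.113.10. The AWS CLI,
# ssh-keygen and ssh are needed for a real login; the helpers run offline.
set -eu

# Accept only an EC2 instance ID (8 or 17 hex digits) before it is interpolated
# into a command line, so a mistyped or hostile value is rejected early.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Least-privilege IAM policy for one teammate: push a key only to this instance
# and only for this OS user. DescribeInstances is what the CLI/console needs to
# find the instance. Attach to the teammate's IAM user; delete the user to revoke.
iam_policy() {   # iam_policy <instance id> <os user>
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:*:*:instance/$1",
      "Condition": { "StringEquals": { "ec2:osuser": "$2" } }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
EOF
}

# Generate a key pair in a private temp dir, push the public half (the instance
# honours it for 60 seconds), open one SSH session, then destroy the key.
instance_connect_ssh() {   # instance_connect_ssh <instance id> <os user> <host>
  local instance_id="$1" os_user="$2" host="$3" keydir rc=0
  valid_instance_id "$instance_id" || { echo "invalid instance id: $instance_id" >&2; return 1; }
  keydir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -f "$keydir/key"
  aws ec2-instance-connect send-ssh-public-key \
      --instance-id "$instance_id" \
      --instance-os-user "$os_user" \
      --ssh-public-key "file://$keydir/key.pub" >/dev/null
  # IdentitiesOnly stops ssh from offering long-lived keys from your agent.
  ssh -i "$keydir/key" -o IdentitiesOnly=yes "$os_user@$host" || rc=$?
  rm -rf "$keydir"
  return "$rc"
}

# Usage: ./ic-ssh.sh i-0123456789abcdef0 ec2-user 203.0.113.10
if [ "$#" -ge 3 ]; then
  instance_connect_ssh "$@"
fi
```

Because the pushed key expires after a minute and the private half never leaves the temp directory, there is nothing to rotate when someone leaves: removing their IAM user (or detaching the policy) is the whole off-boarding step. Restricting `Resource` and `ec2:osuser` matters, since a bare `SendSSHPublicKey` on `*` would let any teammate push a key for `root`-equivalent users on every instance in the account.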
I suggest looking into using EC2 Instance Connect which uses temporary SSH keys and allows you to grant access using IAM policies.

Otherwise, I suggest using a tool like Ansible to manage the SSH keys on your fleet of instances so you can easily add or remove keys.

Mark B
Your question is not about EC2 per se, but about the access control model you want to implement.

If all those 8 people need to have identified, individual access to the instance, the simplest way is to create 8 different users on the instance, each with a different SSH key.

This can be done by logging into the instance using the key created for the ec2-user or ubuntu user, then creating each of the users and distributing the keys.

If all you need is a different key for everyone to log in to the same user, just ask people to create SSH keys and share their public keys with you. Then you put all of them into the default user's .ssh folder.

When someone leaves, simply delete their SSH key. You can even keep their user for historical reasons.

If the number of instances goes up, you should invest in a centralized login management tool like LDAP.

Alexander Jardim
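An added example, not part of Alexander Jardim's answer, of the authorized_keys approach he describes. Each teammate's public key goes in tagged with their identity (their IAM user name, say) as the key comment, so off-boarding is the removal of exactly that line, and the per-key options stop a leaked key from being used for port or agent forwarding. `provision_user` is the root-only step that creates the per-person OS account; the key strings in the walk-through are constructed sample data, not real keys.

```bash
#!/usr/bin/env bash
# Added example, not part of the original answer: per-teammate SSH keys in one
# authorized_keys file, each line tagged with the teammate's identity (their IAM
# user name, say) so that off-boarding removes exactly that line. Key material
# in the walk-through at the bottom is constructed sample data, not real keys.
set -eu

# True if <file> already holds a key tagged with <identity> (the last field).
has_key() {   # has_key <authorized_keys> <identity>
  awk -v who="$2" '$NF == who { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# Append "<type> <base64>" for <identity>. Any comment the teammate left on the
# line is dropped and replaced by the identity tag; forwarding is disabled so a
# leaked key gives a shell and nothing more. Refuses unknown key types and duplicates.
add_key() {   # add_key <authorized_keys> <identity> "<type> <base64> [comment]"
  local file="$1" who="$2" type key
  set -- $3   # deliberately unquoted: split the key line into its fields
  type="${1:-}" key="${2:-}"
  case "$type" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "add_key: $who: unsupported key type '$type'" >&2; return 1 ;;
  esac
  [ -n "$key" ] || { echo "add_key: $who: missing key material" >&2; return 1; }
  if has_key "$file" "$who"; then
    echo "add_key: $who already has a key; revoke it first to rotate" >&2
    return 1
  fi
  printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s %s\n' \
    "$type" "$key" "$who" >> "$file"
  chmod 600 "$file"
}

# Remove every line tagged with <identity>. sshd re-reads the file at each new
# login, so no restart is needed; sessions already open survive until you end
# them (pkill -u <user> on the instance).
revoke_key() {   # revoke_key <authorized_keys> <identity>
  local file="$1" who="$2" tmp
  tmp=$(mktemp)
  awk -v who="$who" '$NF != who' "$file" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Print the identities that currently have access, one per line.
list_keys() {   # list_keys <authorized_keys>
  awk '{ print $NF }' "$1"
}

# Root-only: create the per-person OS account from the answer and an empty
# authorized_keys owned by that user, so add_key/revoke_key can target it.
provision_user() {   # provision_user <username>
  useradd -m -s /bin/bash "$1"
  install -d -m 700 -o "$1" -g "$1" "/home/$1/.ssh"
  install -m 600 -o "$1" -g "$1" /dev/null "/home/$1/.ssh/authorized_keys"
}

# Walk-through on a scratch file (constructed keys, not real ones):
#   f=$(mktemp)
#   add_key "$f" alice 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@laptop'
#   add_key "$f" bob   'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob'
#   revoke_key "$f" alice      # alice leaves; bob's line is untouched
#   list_keys "$f"             # prints: bob
```

Tagging each line with the identity rather than trusting whatever comment the teammate's `ssh-keygen` produced is what makes revocation reliable: the comment is the only part of the line that links the key to a person, and the script controls it. Note that removing a line does not kill an existing session, so off-boarding is revoke_key plus terminating the user's processes, and if a shared account (ec2-user) is used instead of per-person users, the identity tag is also the only trace of who logged in.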
I would recommend looking into AWS OpsWorks, a perfect choice for a remote team. I configured it for one of my clients who has a lot of remote people, and it works like a charm: because of the Slack integration he is able to add or remove users using a Slack command.

  • You do not need to share the PEM key with any team member, only the administrator
  • Each team member provides their own public key to access the instance
  • Manage which instances a team member can access and at which level of access
  • Removing a team member from OpsWorks will automatically remove them from EC2
  • Trace which user performed an action once a user has logged in to the instance
  • You can also deny access for a particular user

In OpsWorks you can create stacks like:

  • TeamA, TeamB and TeamC. A user can be a member of one or more stacks at a time, and TeamA can only access instances added to TeamA, so this also provides logical separation of the instances per team.

OpsWorks is mainly used for configuration management, but it really helps to manage user access to instances where top management wants to control user access instead of the Ops team.

  • Create a stack
  • Register the instance with OpsWorks
  • Add users to the stack

Adiii