AWS can deploy one EC2 Key Pair to your EC2 instance. But this approach has several disadvantages:

You can only use one key per EC2 instance. But you shouldn’t share keys between users.

Access to EC2 instances via SSH can not be restricted to specific users.

Therefore many of our AWS consultancy clients ask me:

“How can SSH access be managed without too much overhead?”

If I ask what they mean by managing SSH access the following questions arise:

How can only certain people access certain machines over SSH?

How can I maintain a separate SSH user per employee to trace who did what?

How can SSH access be revoked in case someone leaves the company?

How can SSH public keys be rotated?

Wouldn’t it be nice if you could use IAM for that? Yes, you can!

Solution

My preferred solution for managing public SSH keys is simple:

Using IAM to store and retrieve public SSH keys. You may know about that if you use the CodeCommit service.

Making use of sshd’s AuthorizedKeysCommand to retrieve the public key from IAM.

To see my solution in action run the following showcase. Skip the section if you are only interested in the theory.