What would be the best practice for securing AWS EC2 instance private keys after employees leave an organization?
-
Just delete the user from IAM, that should solve the problem, isn't it what you are looking for? – kosa Jul 12 '17 at 21:36
-
@kosa I think they are referring to EC2 Key Pairs. OP see https://stackoverflow.com/q/7881469/775544 – Anthony Neace Jul 12 '17 at 21:48
-
Generate a new key-pair and de-register the old key-pair. – alvits Jul 12 '17 at 21:49
-
@alvits If I de-register the old key-pair for each instance, will the instance that is associated with the key-pair still be accessible? Also, each key pair is created during the creation of the EC2 instance. I am not sure if that will work. – AlwaysALearner Jul 12 '17 at 22:30
-
If the virtual block device is ephemeral, then any changes to it will disappear on reboot, fail-over or migration and the old key will re-appear. If you are running from an ephemeral block device, then create a new instance, move over any persistent virtual block device from the old instance to this new instance and delete the old instance. You don't necessarily need to create a new key for every instance. You can also upload your key. – alvits Jul 12 '17 at 22:52
1 Answer
If you have several users that require access to a single instance or expect to revoke access later on, you can add user accounts to your instance.
For more information, see Managing User Accounts on Your Linux Instance. You can create a key pair for each user, and add the public key information from each key pair to the .ssh/authorized_keys file for each user on your instance. You can then distribute the private key files to your users.
That way, you do not have to distribute the same private key file that's used for the root account to multiple users.
Check this AWS documentation for more details.

Ashan
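The per-user scheme the answer describes, written out as an added example (this is not code from the original answer or from AWS): each employee gets their own account and their own public key line, so offboarding is deleting one line rather than rotating a key everyone shares. Assumptions not stated on the page: a Linux AMI with useradd, usermod and sshd, public keys generated by the users on their own machines (so no private key ever exists on the instance), and home directories under /home. The sample keys in the usage text are constructed placeholders, not real key material.

```shell
# Added example, not code from the original answer. Manage per-user SSH keys
# on a Linux EC2 instance. Assumptions: useradd/usermod/sshd present, homes
# under /home, users supply their own public keys.

set -eu

# Append a public key line to $home/.ssh/authorized_keys with the permissions
# sshd insists on (700 dir, 600 file). Idempotent: an identical line is skipped.
grant_key() {
    home=$1; pubkey=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Remove every line carrying this key's material. Match on the base64 blob in
# any field rather than the whole line, so an edited comment or a prepended
# options string (from="...", command="...") cannot hide a key from revocation.
revoke_key() {
    home=$1; pubkey=$2
    f="$home/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    awk -v blob="$blob" \
        '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == blob) keep = 0 } keep' \
        "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    chmod 600 "$f"
}

# Number of active key lines (blank lines and # comments are ignored).
count_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
}

# Real provisioning (needs root): create the account and install the user's
# own public key. The private key stays on the user's machine.
provision_user() {
    name=$1; pubkey=$2
    id "$name" >/dev/null 2>&1 || useradd -m -s /bin/bash "$name"
    grant_key "/home/$name" "$pubkey"
    chown -R "$name:$name" "/home/$name/.ssh"
}

# Offboarding (needs root): strip the departed employee's key from every
# account on the instance, including root and the default login user in case
# the key was ever added there, then lock and expire the account itself.
offboard_user() {
    name=$1; pubkey=$2
    for h in /root /home/*; do revoke_key "$h" "$pubkey"; done
    if id "$name" >/dev/null 2>&1; then usermod -L -e 1 "$name"; fi
}

# Usage (constructed example values):
#   sudo sh ec2-ssh-users.sh add    alice "$(cat alice.pub)"
#   sudo sh ec2-ssh-users.sh remove alice "$(cat alice.pub)"
case "${1:-}" in
    add)    provision_user "$2" "$3" ;;
    remove) offboard_user "$2" "$3" ;;
esac
```

Two caveats worth keeping in mind when using this. The key pair name the EC2 console shows for an instance is only the key cloud-init wrote into the default user's authorized_keys at first boot (ec2-user on Amazon Linux); the console neither learns about lines you add or remove afterwards, nor does deleting the key pair in the console remove it from the instance, so revocation has to happen in authorized_keys on every instance the person could reach. And the default launch key, if it was ever handed to more than one person, should be treated like any other shared credential: add each remaining admin's own line, then revoke the shared one with the same function.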
-
I think the question should be reworded, if the only person who had the root's public key leaves the company... – alvits Jul 13 '17 at 00:31
-
Generally the original keys can be kept with the IT department. Let's say the authoritative person leaves; you can create a new key for root and replace the previous one based on your organization's policies. – Ashan Jul 13 '17 at 00:34
-
And that's exactly what I believe why the OP asked the question to begin with. Non privileged users are usually not a concern because it's quite easy to revoke their access. – alvits Jul 13 '17 at 00:35
-
I don't think user management for EC2 is a different problem from what was there as best practice for Linux even on premise. So it's the same established best practices we need to follow for access control used in the past. – Ashan Jul 13 '17 at 00:38
-
It sounds like you are alluding to the best practices for safekeeping privileged access. Cloud accounts differ a lot from traditional accounts by virtue of the cloud having copies of the private keys that will re-populate the instances with the corresponding public keys. This does not happen on traditional servers. – alvits Jul 13 '17 at 01:05
-
According to the docs even Amazon does not keep copies of private keys, so I don't think the statement 'cloud having copies of private keys that will repopulate the instances' is accurate for AWS. Anyway, it's a topic of its own. However, what I meant by my previous comment is that we need to follow the access control best practices which we used on-premise for server user access control even for EC2 instances. – Ashan Jul 13 '17 at 01:19
-
You are absolutely right that it does not keep a copy of the private key. It does keep a copy of the public key, which will re-populate an instance even when the virtual block device is ephemeral. _Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt your login information, so it's important that you store your private keys in a secure place._ This means traditional methods of safekeeping are insufficient. – alvits Jul 13 '17 at 01:26
-
I was able to create and log in to the instance using multiple users after creating different keys for each user using the keygen utility on the instance (I was not able to use the key that I created in AWS though), adding the public key to the .ssh/authorized_keys file and copying the generated private key to my local computer. Thanks everyone for your input. – AlwaysALearner Jul 17 '17 at 21:46