On EC2, is there a way I can centrally manage SSH keys?

If you manage to set up your base image to run as a Puppet client, you can make use of the ssh_authorized_key directive, or even manage a template file directly using the file type and push it to the .ssh/authorized_keys file.

Puppet also includes utilities to manage provisioning through EC2, so you can really make it all a one-stop shop.


One option is to set up a tiny instance and give all your developers access to this machine. They SSH into it, and the machine has an authorized SSH key that allows them access to all the other machines. You can then use firewalls on the machines to prevent SSH logins from other IP addresses.

Another option would be to set up something like Puppet, which would be able to manage the authorized_keys file for you.

Yet another option is to set up a script to rsync the authorized_keys file over to all the hosts when it's changed on one machine. You could use something like lsyncd to automate this.

Keep in mind that just because you revoke a developer's SSH key does not mean you have removed any access they might have to that machine. A malicious person with SSH access might set up something like a reverse shell, or add various types of backdoors to the code they are working on.
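As an added example (not code from the answer above or from any project it names), here is a small POSIX shell script that implements the "one central copy, pushed everywhere" approach from this answer: per-developer public keys are kept in one directory, compiled into a single authorized_keys file whose entries only work when the connection comes from the bastion instance (the `from=` option), and the result is rsync'ed to each host. Revoking a developer is then deleting their .pub file and re-running the build and push. The key directory layout (`<user>.pub`), the `BASTION_IP` and `REMOTE_USER` values, and all key material in the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answers. Compiles per-user
# public keys into one authorized_keys file pinned to the bastion host and
# pushes it to the fleet. All names and key material below are constructed.
set -e

BASTION_IP="${BASTION_IP:-10.0.0.5}"     # constructed bastion address
REMOTE_USER="${REMOTE_USER:-deploy}"     # constructed account managed on each host

# A file is accepted only if it is exactly one line of the form
# "<keytype> <base64> [comment]". This keeps private keys, PEM blocks and
# lines that already carry authorized_keys options out of the compiled file.
valid_pubkey() {
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# build_authorized_keys <keydir> <bastion_ip> <outfile>
# One entry per valid key. The key's own comment is replaced by the file
# name (the user), so every line in the result says who it belongs to, and
# from= restricts the key to connections arriving from the bastion.
build_authorized_keys() {
    keydir=$1; bastion=$2; out=$3
    tmp="$out.tmp"
    : > "$tmp"
    for f in "$keydir"/*.pub; do
        [ -e "$f" ] || continue
        user=$(basename "$f" .pub)
        if ! valid_pubkey "$f"; then
            echo "skipping $f: not a single-line OpenSSH public key" >&2
            continue
        fi
        awk -v u="$user" -v b="$bastion" \
            '{ printf "from=\"%s\" %s %s %s\n", b, $1, $2, u }' "$f" >> "$tmp"
    done
    chmod 600 "$tmp"
    mv "$tmp" "$out"       # atomic replace: hosts never see a half-written file
}

# count_keys <file>: number of entries in a compiled authorized_keys file
count_keys() {
    grep -c '^from=' "$1" || true
}

# push_authorized_keys <file> <host>...: copy the compiled file to each host.
# --chmod=F600 keeps sshd's StrictModes check satisfied on the receiving side.
push_authorized_keys() {
    file=$1; shift
    for host in "$@"; do
        rsync -az --chmod=F600 "$file" "$REMOTE_USER@$host:.ssh/authorized_keys"
    done
}

# make_sample_keys <dir>: constructed key files for a stand-alone run.
# The base64 blobs are made up and are not real keys.
make_sample_keys() {
    mkdir -p "$1"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKeyAlice alice@laptop\n' > "$1/alice.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyMaterialNotARealKeyBob bob@desktop\n' > "$1/bob.pub"
    # two lines, the second carrying an option: rejected by valid_pubkey
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKeyEve\ncommand="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKeyEve2\n' > "$1/eve.pub"
}

# Stand-alone run (DEMO=1 sh manage_keys.sh [host ...]): build from ./keys,
# creating sample data if the directory is missing, print the result, and
# push it to any hosts given on the command line.
if [ "${DEMO:-}" = 1 ]; then
    [ -d ./keys ] || make_sample_keys ./keys
    build_authorized_keys ./keys "$BASTION_IP" ./authorized_keys
    cat ./authorized_keys
    [ $# -eq 0 ] || push_authorized_keys ./authorized_keys "$@"
fi
```

Running the build step in a cron job or from an lsyncd hook on the central machine gives the automation the answer describes; pairing `from=` with a firewall rule that only allows port 22 from the bastion means a key that leaks is useless from anywhere else. The validation step matters because the compiled file is written by a script, not reviewed by hand, so a .pub file that smuggles in a `command=` or extra lines must not reach the fleet.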


I ended up adding back password authentication to SSH so I could just manage it with the user names and passwords on the server. I'd be interested to see how other people approached this.


You can use LDAP, but you'll need to apply the OpenSSH patch and build it yourself. But you also get centralized account management.