Best Practices: AWS EC2 Private Keys

Just to expand on @steenhulthin's answer.

I think it's best to think of the EC2 generated key pair as the master key into the instance and it's optional. It's not a system for managing user level access.

I believe best practice is as follows:

Do I need to remotely login to the instance?

YES: Create EC2 instance with a key pair

I believe the best practice is to create an EC2 key pair per instance. If a key pair gets compromised, exposure is limited to just that instance. However, a key pair per instance may be difficult to manage; if this is the case, find some logical way to group your instances and use a key pair per group, e.g. group by role, or by role and application.

NO: Create EC2 instance with no key pair.

This is obviously more secure as you have no key to lose or have compromised. The instance is inherently not accessible through conventional methods. Following this method requires instance management/config to be fully automated (Chef, Puppet etc.) and is a more costly option. Overall, how much more secure this makes the instance is up for debate and depends on how your automation is configured.

What are the best practices for managing your EC2 key pairs? This is the one I don't have a good answer for at the moment.

Do you need to allow humans to remotely access the instances? As suggested by @steenhulthin, either create local user accounts per user or use some centralised authentication and authorisation.

In addition, you can also maintain a dedicated instance for remote management access (SSH or RDP), only open this up for public access (IP address wise), and restrict SSH and/or RDP on all other instances to the management station.
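The management-station pattern from the last paragraph, as an added example that is not part of the original answer: a small Python audit over constructed `describe-security-groups` output that flags SSH/RDP ingress rules not limited to an assumed management security group (`sg-mgmt` is a placeholder id).

```python
# Added example (not from the answers above): audit security-group ingress on
# the remote-management ports (SSH 22, RDP 3389). Input is constructed in the
# shape returned by `aws ec2 describe-security-groups`; "sg-mgmt" is an
# assumed placeholder id for the management station's security group.
import json

MANAGEMENT_SG = "sg-mgmt"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def tcp(port, ip_ranges=(), group_ids=()):
    """Build one IpPermissions entry (helper for the constructed test data)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in ip_ranges],
            "UserIdGroupPairs": [{"GroupId": g} for g in group_ids]}

# Constructed sample; CIDRs are documentation/private ranges only.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-mgmt", "IpPermissions": [tcp(22, ["203.0.113.0/24"])]},
    {"GroupId": "sg-web", "IpPermissions": [tcp(22, ["0.0.0.0/0"]), tcp(443, ["0.0.0.0/0"])]},
    {"GroupId": "sg-db", "IpPermissions": [tcp(22, group_ids=["sg-mgmt"])]},
    {"GroupId": "sg-win", "IpPermissions": [  # all traffic from the VPC range
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
]})

def rule_covers(perm, port):
    """True if an entry admits TCP traffic on `port` ('-1' means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(sg_json, management_sg=MANAGEMENT_SG):
    """Return {group_id: [finding, ...]}: the management group may admit SSH/RDP from
    specific CIDRs but not from anywhere; other groups only from the management group."""
    findings = {}
    for sg in json.loads(sg_json)["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            for port, name in ADMIN_PORTS.items():
                if not rule_covers(perm, port):
                    continue
                cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                bad = [c for c in cidrs if c in ANYWHERE or gid != management_sg]
                bad += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])
                        if p["GroupId"] != management_sg]
                for src in bad:
                    findings.setdefault(gid, []).append(f"{name} open to {src}")
    return findings
```

Run `audit(SAMPLE)` to see the two offending groups; pointing it at real output from the AWS CLI only requires reading the JSON from a file instead of the constructed string.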


I think this question might fit better for serverfault.com.

That said: If you work alone on the instances I do not see any point in creating a keypair per instance. I think the keypair should be per user.

If multiple users should access the machines, I would add a new keypair on the EC2 instance as described here: https://forums.aws.amazon.com/message.jspa?messageID=185184 and, a bit more elaborately on the keypair generation process, here: http://seabourneinc.com/2011/01/19/change-key-pairs-on-aws-ec2-instance/


I wrote up an article on SSH best practices, including key management, port forwarding and agent forwarding. You may find it useful. Here is the link.

Some good things to do are:

  1. Have one SSH key per person
  2. Guard your SSH key - never share the private key, encrypt if possible
  3. Never use AWS generated keys
  4. Use individual login (user) IDs; don't use common logins.

There are also other things related to SSH and user access the article mentions.