Don't Use SSH Keys With AWS EC2

Managing secure access to virtual machines (EC2) with ssh keys isn’t easy.

That’s why you should stop using ssh keys if you’re using AWS.

A best practice is to use AWS Systems Manager (SSM). SSM has a feature called Session Manager that allows you to do what you’d normally do with ssh, such as getting a terminal into a virtual machine.

Since SSM is an AWS offering, you use IAM to get access to virtual machines and not ssh keys.

Using IAM has the following benefits:

  • Fine-grained control over who has access to which machines.
  • Centralized access management: Manage permissions from one place without handing out keys to individual people. This also means using single sign-on (SSO) to automate who has access.
  • All session activity is logged to AWS CloudTrail, so you have an audit trail for any compliance needs.
  • You don’t need to expose your ssh port, have a bastion, or need to set up a VPN.

In addition to allowing you to get a shell into EC2 instances, you can also port forward to/from the instances.

You can read the session manager user guide here.

Join the 80/20 DevOps Newsletter

If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.

Not sure yet? Check out the archive.

Unsubscribe at any time.