Hello.
If you are using AWS, there may be connection methods available that do not require SSH private keys, so why not consider switching to one of those?
For EC2, it depends on the OS, but you can use Systems Manager Session Manager, etc.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-an-amazon-ec2-instance-by-using-session-manager.html
If you absolutely need SSH, it's a good idea to register the private key in AWS Secrets Manager or Systems Manager Parameter Store so that you can download it when needed.
If you register it in AWS Secrets Manager or Systems Manager Parameter Store, you should also be able to restrict who can use it with IAM permissions.
I also think it would be possible to implement a mechanism to periodically update the private key.
https://github.com/jakebenn/aws-key-rotation-scripts/tree/master
Apart from Riku's answer, you can also create a new user with a password (for example, user: admin, password: p@s$w0rd.12) using user data. This will create the user when the EC2 instance is launched. Then log in to the system and change the password of the user. You can also keep the password in Secrets Manager and obtain it from there, so it won't be visible in the user data.
Alternatively, you can create a base image (golden image) and have the user details already in it. Upon launch, log in and change the password.
Once you have the password, you can login using ssh or EC2 serial console.
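Added example, not code from either answer above or from AWS: it shows both approaches in one place, the first answer's pattern of keeping the SSH private key in Secrets Manager behind a least-privilege IAM policy and fetching it into a 0600 file on demand, and the second answer's pattern of a user-data script that pulls the login password from Secrets Manager at boot instead of embedding it. The secret ARN, secret name, region, user name and the assumption that the key is stored as a PEM `SecretString` are all illustrative; the boto3 client is passed in so the functions can be exercised offline.

```python
"""Added example (not from the thread): fetch an SSH key from AWS Secrets
Manager with least-privilege IAM, store it with 0600 permissions, and build
user data that gets a login password from Secrets Manager at boot."""
import os
import stat
import tempfile
from typing import List, Optional

# Assumed ARN of the secret holding the PEM private key; replace with yours.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:ec2/web/ssh-key-AbCdEf"


def least_privilege_policy(secret_arn: str) -> dict:
    """IAM policy that allows GetSecretValue on exactly one secret. Attach it
    to the users or roles allowed to fetch the key; everyone else is denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


def fetch_private_key(client, secret_id: str) -> str:
    """Read the PEM key stored as SecretString. `client` is a boto3
    secretsmanager client (injected so this can be tested without AWS)."""
    resp = client.get_secret_value(SecretId=secret_id)
    key = resp.get("SecretString")
    if not key or "PRIVATE KEY-----" not in key:
        raise ValueError("secret does not contain a PEM private key")
    return key if key.endswith("\n") else key + "\n"


def write_key_file(pem: str, directory: Optional[str] = None) -> str:
    """Create the key file with O_EXCL and mode 0600: ssh refuses keys that
    are group/world readable, and no other local user should read it."""
    directory = directory or tempfile.mkdtemp(prefix="sshkey-")
    path = os.path.join(directory, "id_ec2")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem)
    os.chmod(path, 0o600)  # explicit, even though the umask cannot widen it
    return path


def ssh_command(key_path: str, user: str, host: str) -> List[str]:
    """argv for ssh that uses only the fetched key (no agent keys, no
    password prompts), so a failure is an authorization failure, not a typo."""
    return ["ssh", "-i", key_path, "-o", "IdentitiesOnly=yes",
            "-o", "PasswordAuthentication=no", f"{user}@{host}"]


def user_data_with_secret_password(username: str, secret_id: str, region: str) -> str:
    """User data (bash) for the second answer's approach. The password is read
    from Secrets Manager at boot through the instance role, so the literal
    password never appears in user data, which anyone with
    ec2:DescribeInstanceAttribute can read. Requires the AWS CLI on the AMI
    and GetSecretValue on `secret_id` in the instance role (assumptions)."""
    return f"""#!/bin/bash
set -euo pipefail
PW="$(aws secretsmanager get-secret-value --region {region} \\
        --secret-id {secret_id} --query SecretString --output text)"
id -u {username} >/dev/null 2>&1 || useradd -m -s /bin/bash {username}
printf '%s:%s\\n' {username} "$PW" | chpasswd
unset PW
"""


if __name__ == "__main__":
    # Real use: client = boto3.client("secretsmanager", region_name="us-east-1")
    import json
    print(json.dumps(least_privilege_policy(SECRET_ARN), indent=2))
    print(user_data_with_secret_password("admin", "ec2/admin-password", "us-east-1"))
```

The user-data script still leaves the password as the only credential on that account; after first login, change it as the answer suggests, and prefer the key-based path for day-to-day access.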
Thanks for the reply. I have tried storing the password in Secrets Manager and also implemented IAM policies attached to the existing roles of that EC2 instance. How can I connect from PuTTY? It is looking for SSH authentication.