Best practice for storing EC2 SSH keys, SQL Server encryption keys (SMK, DMK), other encryption keys

Question

Hi all,
I'm looking for best practices on where to store the SSH key that is created when a Linux EC2 instance is created. In our environment, we join our instances to a domain and protect them with a MFA solution, therefore, individual SSH key pairs are not required per user. However, this still leaves us with the initial SSH key pair that is generated when first creating the instance.

What options (if any) does AWS provide for storing these types of keys? I've Secrets Manager mentioned. I'm looking for any and all options available for the various types of keys.

Thanks!

Riku_Kobayashi · Accepted Answer

Hello.

I think it would be a good idea to store the key pair in the Systems Manager Parameter Store and restrict who can access it using IAM policies, etc.  
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html  
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html#create-key-pair-cloudformation

I recommend reading the FAQ document below for the differences between Secrets Manager and Parameter Store.  
https://aws.amazon.com/systems-manager/faq/?nc1=h_ls#Parameter_Store

MikeLim · Answer

You can launch a EC2 instance without associating a key pair.
 
I would suggest you enable [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) and optionally [EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-eic.html) in the event  you need to access your Linux instance.

Best practice for storing EC2 SSH keys, SQL Server encryption keys (SMK, DMK), other encryption keys

Add your answer

Relevant content