alecswan

Reputation: 3680

AWS EC2: SSH access for new user to existing VMs

A new developer joined our team and I need to grant him access to all VMs we have in AWS EC2. After reading a bunch of AWS docs it seems to me that we have two options:

  1. Share the private key used when VMs were spun up with the developer
  2. Have developer generate a new key pair and add his public key to authorized_keys on each VM.

Neither of these options is ideal, because #1 violates security practices and #2 requires me to go and make changes to a bunch of VMs.

What's the recommended way to do this?

Upvotes: 0

Views: 131

Answers (2)

zED

Reputation: 358

Have you checked out the Run Command feature to execute a simple script to add or remove users?

Upvotes: 0

Gene

Reputation: 351

The question is rather broad, so my answer will be broad.

Yeah, sharing private keys is a bad thing. So I'll skip that and focus on the other portion.

It sounds like you want to centrally manage accounts, rather than manually adding/removing/modifying them on each individual server.

You can set up something like NIS to manage user accounts. This would require changes to every single VM.

If you use something like puppet, chef, or salt you can create recipes to control user access (e.g. pushing out public keys or even creating accounts and configuring sudo).

You can use something like pssh (parallel ssh) to execute commands on multiple hosts at the same time. It could simply add a public key to an existing authorized_keys file or even add a user, its key, and necessary sudo access. (Note: if you do this, be very careful. A poorly written command could cut off access for everyone and cause unnecessary downtime.)

An aside: Having multiple users share a single account is a bad idea, generally a security and QA nightmare. Instead of allowing multiple people to access the same account, each user should have their own account with the minimal privileged access they need.

Do as you will.

Upvotes: 1
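The per-host step Gene describes (append a public key to authorized_keys without risking the file) as an added example that is not part of either answer: an idempotent POSIX sh function that rejects malformed key lines, fixes permissions, keeps a backup and skips keys already present. The file path and the sample key are assumptions; the key material is constructed, not a real key.

```sh
#!/bin/sh
# Idempotently add one SSH public key line to an authorized_keys file.
#   add_authorized_key /home/dev/.ssh/authorized_keys "ssh-ed25519 AAAA... dev@example"
# Returns 0 if the key is now present (added or already there), 2 if the
# line is rejected. Run it on each host via pssh or your config-management
# tool; the path argument is the target user's authorized_keys file.
add_authorized_key() {
    file="$1"
    line="$2"
    # Split the key line into type, base64 material and optional comment.
    set -- $line
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unknown key type '$1'" >&2; return 2 ;;
    esac
    # Material must be non-empty base64; anything else leaves sshd unable
    # to parse the line, which is how a bad push locks people out.
    case "${2:-}" in
        ""|*[!A-Za-z0-9+/=]*) echo "rejected: bad key material" >&2; return 2 ;;
    esac
    # sshd (StrictModes) ignores the file if it or ~/.ssh is too permissive.
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Already present (same type and material, comment ignored)? Then stop.
    if awk -v t="$1" -v m="$2" '$1 == t && $2 == m { found = 1 } END { exit !found }' "$file"; then
        return 0
    fi
    # Keep a backup so a bad push can be rolled back.
    cp -p "$file" "$file.bak"
    # Ensure existing content ends with a newline before appending;
    # $(tail -c1) is empty exactly when the last byte is a newline.
    if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
}

# Count keys of one type in a file: count_keys <file> <type>
count_keys() { grep -c "^$2 " "$1" 2>/dev/null || true; }
```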
