Rpj

Reputation: 6110

How to protect EC2 machine from being accessed via key-pair

  1. Launch an EC2 instance
  2. Create a separate key-pair for SSH access
  3. Provide this key-pair to a few developers (say dev1, dev2, dev3)
  4. dev3 leaves the company
  5. How to revoke permissions for the dev3 user in such a case?

Upvotes: 0

Views: 425

Answers (1)

John Rotenstein

Reputation: 269921

When SSH is used to connect to a Linux computer, a private keypair is provided.

The Linux system will then check in the user's home directory for keys that are authorized to login. For example, if the user is ec2-user, it will look in /home/ec2-user/.ssh/authorized_keys.

If the matching public keypair is found, then the user is permitted to login.

Therefore, the recommended process is:

  • Each user should generate their own keypair. They can do this in the EC2 management console, or on the command line using ssh-keygen. They should keep the private keypair to themselves, but provide an Admin with the public keypair. This is done to ensure that nobody else has ever seen the private keypair (it's like a password).
  • The public keypair should be copied to the Linux computer and added to the appropriate user's ~/.ssh/authorized_keys file. This could be a shared user like ec2-user, or it could be a separate login for each user.
  • If somebody leaves the company, simply remove their keypair from the authorized_keys file.

Since you have been using a shared keypair, you should remove that keypair immediately. Then, ask authorized users to create their own keypair, provide it to you, and then put them in the authorized_keys file.

Upvotes: 2
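The per-user key workflow from the answer above, as an added example that is not part of the original post or of AWS tooling. It works on a hypothetical authorized_keys file under a temporary directory, and the three "public keys" are constructed placeholder strings, not real key material; in a real deployment each developer would produce theirs with ssh-keygen and you would paste that line in. Revocation is keyed on the key type and blob rather than on the trailing comment, because the comment is free text the key holder chose and is not what sshd matches. The last step locks down permissions, since sshd with the default StrictModes yes ignores an authorized_keys file that is group- or world-writable.

```shell
#!/bin/sh
# Added example: manage per-developer entries in an authorized_keys file and
# revoke a departing developer's key. Path is assumed for the demo.
AUTH_KEYS="${AUTH_KEYS:-$(mktemp -d)/authorized_keys}"

# Constructed sample public keys (placeholders, not valid key material).
DEV1_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEV1PLACEHOLDERBLOB dev1@laptop'
DEV2_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEV2PLACEHOLDERBLOB dev2@laptop'
DEV3_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEV3PLACEHOLDERBLOB dev3@laptop'

# "type blob" of a key line, ignoring the comment field that sshd does not match on.
key_material() {
  printf '%s\n' "$1" | awk '{print $1, $2}'
}

# Install a developer's public key; idempotent on the key material.
add_key() {
  km=$(key_material "$1")
  touch "$AUTH_KEYS"
  if awk '{print $1, $2}' "$AUTH_KEYS" | grep -qxF -- "$km"; then
    return 0
  fi
  printf '%s\n' "$1" >> "$AUTH_KEYS"
}

# Revoke by key material, so a changed or missing comment cannot hide the entry.
revoke_key() {
  km=$(key_material "$1")
  tmp="$AUTH_KEYS.tmp"
  awk -v km="$km" '($1 " " $2) != km' "$AUTH_KEYS" > "$tmp" && mv "$tmp" "$AUTH_KEYS"
}

# Exit 0 if the key material is still authorized, 1 otherwise.
key_authorized() {
  km=$(key_material "$1")
  awk '{print $1, $2}' "$AUTH_KEYS" | grep -qxF -- "$km"
}

# Number of non-empty lines, i.e. keys still accepted.
count_keys() {
  grep -c . "$AUTH_KEYS"
}

# sshd (StrictModes yes by default) silently ignores authorized_keys when the
# file or the .ssh directory is writable by anyone but the owner.
lock_down() {
  chmod 700 "$(dirname "$AUTH_KEYS")"
  chmod 600 "$AUTH_KEYS"
}

# Onboard three developers, then dev3 leaves: remove only dev3's entry.
add_key "$DEV1_KEY"
add_key "$DEV2_KEY"
add_key "$DEV3_KEY"
add_key "$DEV3_KEY"          # duplicate submission is a no-op
revoke_key "$DEV3_KEY"
lock_down
```

The same revoke_key call removes the shared console keypair's line once every remaining developer has submitted an individual key, which is the cleanup the answer recommends. Verify afterwards with key_authorized rather than by eye, and remember that removing a line only prevents new logins; an already open session for dev3 must be terminated separately.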