We're currently running a growing deployment in Amazon Web Services for our software. Right now we use a centralized SSH key (WTF YOU GUYS) to log in to hosts in our VPC. I'm investigating more secure and manageable ways to do this. What I'd like to do is have everyone create an SSH key pair and control access to these instances with an authorized_keys list. Has anyone ever done anything like this? The internet is pretty sparse on best practices and ideas on how to accomplish this. Here is what I'm thinking will be the best solution:

1. Have all the users create key pairs for their username in all the environments they have access to.
2. Make sure users have an IAM role that allows them to SSH to the servers through the VPC and Bastion host.
3. Set up some sort of puppet script (which we run hourly on all of our EC2 instances) which maintains the authorized keys list.

This would make it easy to maintain the authorized_keys list and create something manageable for our DevOps team when a new user is added/leaves the company. If this worked in a pilot situation it would be pretty easy to automate out the puppet side of things, I'm pretty sure.
# ¿ Aug 27, 2014 13:54 |
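For the "puppet script which maintains the authorized keys list" part of the plan above, here is an added example of what that manifest could look like; it is not code from the thread. The usernames, keys, the `@company` key comments, the `old-shared-deploy-key` comment and the `ec2-user` account are constructed placeholders, and it uses Puppet's core `user` and `ssh_authorized_key` types.

```puppet
# Added example (not from the thread): a Puppet class that makes each
# instance's authorized_keys declarative. Names, keys and the 'ec2-user'
# account are constructed/assumed; real keys would come from Hiera.
# Uses Puppet's core user and ssh_authorized_key types.
class ssh_access (
  # Current engineers and their public keys (constructed sample data).
  Hash[String, Struct[{ 'type' => String, 'key' => String }]] $engineers = {
    'alice' => { 'type' => 'ssh-ed25519', 'key' => 'AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-alice' },
    'bob'   => { 'type' => 'ssh-ed25519', 'key' => 'AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-bob' },
  },
  # Leavers: removed explicitly so the hourly run purges them everywhere.
  Array[String] $departed = ['carol'],
) {
  # One account per person; no more logging in through one shared key.
  $engineers.each |String $name, Hash $k| {
    user { $name:
      ensure         => present,
      managehome     => true,
      shell          => '/bin/bash',
      # Drop any authorized key on this account that Puppet does not declare
      # (e.g. one pasted in by hand), so the file cannot drift.
      purge_ssh_keys => true,
    }
    ssh_authorized_key { "${name}@company":
      ensure  => present,
      user    => $name,
      type    => $k['type'],
      key     => $k['key'],
      # Key-level restrictions limit what a leaked key is good for.
      options => ['no-port-forwarding', 'no-agent-forwarding', 'no-X11-forwarding'],
      require => User[$name],
    }
  }

  # Departed users: remove the account and its home (authorized_keys included).
  $departed.each |String $name| {
    user { $name:
      ensure     => absent,
      managehome => true,
    }
  }

  # Retire the old shared key from the stock AWS login account. The title
  # must match the comment field of that key's line in authorized_keys.
  ssh_authorized_key { 'old-shared-deploy-key':
    ensure => absent,
    user   => 'ec2-user',
    type   => 'ssh-rsa',
  }
}

include ssh_access
```

Because the hourly run reapplies the catalog, adding or removing someone is a one-line change to the `$engineers` or `$departed` data, and every instance converges on its own.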
That is another option we're considering. I'm just a tester who was asked to look at this as an outside eye so I won't (hopefully) do any of the implementation on this. JumpCloud is a service we were looking at to do the LDAP stuff for us.
# ¿ Aug 27, 2014 15:34 |
> Stanley Pain posted: It's too late, you've already been nominated to implement this fully.

Yes.
# ¿ Sep 3, 2014 18:29 |