SSH key pairs #152

Open
aug24 opened this issue Sep 16, 2019 · 1 comment

@aug24
Contributor

aug24 commented Sep 16, 2019

Now that we have a mature approach for SSH with transient keys using SSM, we do not need key pairs within EC2 at all.

Any non-transient key is implicitly less secure as it represents a long-lived (and thus more likely to leak) access method to an instance. Therefore, we should consider all key pairs to be a security risk and discourage their use.

To encourage this, it would make sense to add a new check for SHQ detailing, in order:

  1. Launch Configs with specified Key Pair names
  2. Key Pairs
  3. Running instances with specified key pairs

All the above should now be considered 'bad'.

Note that removing key pairs which are specified in a launch config can make it impossible to auto-scale. Thus point 1 above must be addressed before point 2. This should perhaps be made clear.
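
A sketch of the three-part check proposed in the comment above, as an added example (not part of the original issue and not the project's own code). It works on constructed sample data shaped like boto3 `describe_*` responses; the function names and the finding format are assumptions.

```python
# Added example. Inputs follow the response shapes of boto3's
# autoscaling.describe_launch_configurations, ec2.describe_key_pairs and
# ec2.describe_instances; every sample value below is constructed.
LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "web-lc", "KeyName": "legacy-ops"},
    {"LaunchConfigurationName": "api-lc"},  # no key pair: not a finding
]
KEY_PAIRS = [{"KeyName": "legacy-ops"}, {"KeyName": "unused-2017"}]
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa0000000000001", "KeyName": "legacy-ops",
     "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb0000000000002", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc0000000000003", "KeyName": "unused-2017",
     "State": {"Name": "stopped"}},
]}]


def key_pair_findings(launch_configs, key_pairs, reservations):
    """Return findings in the order the issue proposes (1, 2, 3)."""
    findings, pinned = [], {}  # pinned: key name -> launch configs using it
    # 1. Launch configs that name a key pair (missing/empty means none).
    for lc in launch_configs:
        key = lc.get("KeyName")
        if key:
            name = lc["LaunchConfigurationName"]
            pinned.setdefault(key, []).append(name)
            findings.append({"check": 1, "resource": name, "key": key})
    # 2. Every key pair, with the launch configs that block its removal.
    for kp in key_pairs:
        key = kp["KeyName"]
        findings.append({"check": 2, "resource": key, "key": key,
                         "blocked_by": pinned.get(key, [])})
    # 3. Running instances launched with a key pair.
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst.get("KeyName") and inst["State"]["Name"] == "running":
                findings.append({"check": 3, "resource": inst["InstanceId"],
                                 "key": inst["KeyName"]})
    return findings


def removable_key_pairs(findings):
    """Key pairs no launch config references, so point 2 can proceed."""
    return [f["key"] for f in findings
            if f["check"] == 2 and not f["blocked_by"]]


if __name__ == "__main__":
    for finding in key_pair_findings(LAUNCH_CONFIGS, KEY_PAIRS, RESERVATIONS):
        print(finding)
```

The `blocked_by` field carries the ordering constraint from the comment: a key pair with a non-empty list is still named by a launch config and should not be removed until that launch config is fixed.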

@katebee
Contributor

katebee commented Sep 16, 2019

Sounds sensible to me 👍
