Rotating SSH Keys: Adding or Removing a Public Key on Your AWS EC2 Instance
Managing SSH keys is a crucial aspect of maintaining the security and accessibility of your AWS EC2 instances. Whether adding a new user, granting temporary access, or revoking permissions, understanding how to add or remove public keys is essential. This guide walks you through adding and removing public keys on your AWS EC2 instance.
When you launch an instance, you can specify a key pair.
If you specify a key pair at launch, when your instance boots for the first time, the public key material is placed on your Linux instance in an entry within ~/.ssh/authorized_keys.
You can change the key pair that is used to access the default system account of your instance by adding a new public key on the instance, or by replacing the public key (deleting the existing public key and adding a new one) on the instance. You can also remove all public keys from an instance.
Reasons for Changing a Public Key
Several reasons might lead you to change the public key on your EC2 instance.
Compromised Key: If someone has a copy of the private key (.pem file) and you want to prevent them from connecting to your instance (for example, if they’ve left your organization), you can delete the public key on the instance and replace it with a new one.
Adding a New User: When a new team member needs access to the instance, you must add their public key.
Key Rotation Policy: As part of your security best practices, regularly rotating keys helps mitigate the risk of key compromise.
Revoking Access: When a user no longer requires access, removing their public key ensures they cannot connect to the instance.
Temporary Access: Granting temporary access to a user for a specific task or duration, after which the key is removed.
Lost Key: If you’ve lost access to your private key, you’ll need to add a new key pair to regain access.
If a user in your organization requires access to the system user using a separate key pair, you can add the public key to your instance.
To achieve this, let's proceed as follows.
Launch an EC2 instance.
Log in to the AWS Management Console as an admin user, type EC2 in the search bar, then select EC2.
Click Instances in the left pane of the EC2 dashboard, then click Launch instance.
Fill in the instance details, select the Ubuntu image, and stay within the free tier with the t2.micro instance type.
Select your key pair, then scroll down.
Leave networking as default and select Create New Security Group, with port 22 open for SSH.
Leave the other settings as default, scroll down, review, then click Launch instance.
Click the ID of the launched instance, copy its public IP, and then SSH into the instance.
Type the following command to SSH into your server.
ssh -i <keyname.pem> user@publicIP
Successfully logged into our server.
Let's move to the .ssh directory, where the authorized_keys file is located.
List the contents of the .ssh directory, then cat the authorized_keys file. You will see your public key.
This is the file we have to edit to add or remove a public key.
I have the following keys in my AWS account.
Retrieve the public key material using the command below.
Using a text editor of your choice, open the .ssh/authorized_keys file on the instance. Delete the old public key entry, add the new one, then save the file.
Let's disconnect from our instance and test whether we can connect back using the new private key file.
Success: we have logged back in to our EC2 instance using the new key pair.
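The edit above is done by hand in a text editor. The script below is an added example, not code from the original post, that performs the same rotation of ~/.ssh/authorized_keys from the shell: it adds the new public key entry first, then removes the old one, and leaves every other entry (including entries with an options prefix such as from="...") untouched. It runs offline against a constructed sample file in a temporary directory; the key material strings, the file names and the user comments (old-laptop, teammate, new-laptop) are placeholders, not real keys or names from the page.

```shell
#!/bin/sh
# Added example (not from the original post): rotate one entry in authorized_keys
# without touching the other entries. Runs against a constructed sample file in a
# temporary directory; the key material below is placeholder text, not real keys.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
AUTH="$WORKDIR/authorized_keys"

# Constructed key material (assumption: these blobs stand in for real base64 keys).
OLD_MAT='AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYPLACEHOLDER000000000000000000000000'
TEAMMATE_MAT='AAAAC3NzaC1lZDI1NTE5AAAAITEAMMATEPLACEHOLDER0000000000000000000000'
NEW_MAT='AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDER000000000000000000000000'
NEW_ENTRY="ssh-ed25519 $NEW_MAT new-laptop"

# make_sample FILE: write a sample authorized_keys with a comment, a plain entry and
# an entry that carries an options prefix (from="..."), as real files often do.
make_sample() {
  {
    printf '# constructed sample, placeholder key material\n'
    printf 'ssh-ed25519 %s old-laptop\n' "$OLD_MAT"
    printf 'from="10.0.0.0/8" ssh-ed25519 %s teammate\n' "$TEAMMATE_MAT"
  } > "$1"
  chmod 600 "$1"   # sshd refuses an authorized_keys file that other users can write
}

# Every helper locates the key material as the field that follows the key-type token
# (ssh-*, ecdsa-*, sk-*), so entries with an options prefix are handled too.
# Assumption: option strings contain no whitespace.

# count_keys FILE: number of key entries (blank and comment lines are skipped)
count_keys() {
  awk 'NF > 0 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# has_key FILE MATERIAL: exit 0 if some entry carries exactly this key material
has_key() {
  awk -v m="$2" '
    NF > 0 && $1 !~ /^#/ {
      for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) == m) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# remove_key FILE MATERIAL: drop every entry carrying this material, keep the rest.
# The file is rewritten via a temp file and mv so sshd never reads a half-written file.
remove_key() {
  tmp="$1.tmp.$$"
  awk -v m="$2" '
    { keep = 1 }
    NF > 0 && $1 !~ /^#/ {
      for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) == m) keep = 0
    }
    keep { print }' "$1" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$1"
}

# add_key FILE "type material [comment]": append the entry unless that material is
# already present; a line without a recognisable key-type token is rejected (exit 1).
add_key() {
  mat=$(printf '%s\n' "$2" | awk '{ for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }')
  [ -n "$mat" ] || return 1
  if has_key "$1" "$mat"; then
    return 0   # already authorised, nothing to do
  fi
  printf '%s\n' "$2" >> "$1"
}

# rotate_key FILE OLD_MATERIAL "new entry": add the new key BEFORE removing the old
# one, so a dropped session in between never leaves the account with no usable key.
rotate_key() {
  add_key "$1" "$3"
  remove_key "$1" "$2"
}

make_sample "$AUTH"
echo "before:"; cat "$AUTH"
rotate_key "$AUTH" "$OLD_MAT" "$NEW_ENTRY"
echo "after:";  cat "$AUTH"
```

On a real instance, point the functions at ~/.ssh/authorized_keys and pass the new entry as printed by ssh-keygen -y -f new-key.pem (which derives the public key line from the private key you downloaded from AWS). Keep the session you used for the edit open until a second connection with the new private key succeeds; only then is it safe to close it, since the old key no longer works.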
Clean up.
Conclusion
Managing SSH keys on your AWS EC2 instances is a straightforward yet vital task to ensure secure access. By following the steps outlined above, you can easily add or remove public keys, thus maintaining control over who can access your servers.
Thanks for reading and stay tuned for more.
If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].
Thank you!