Now that we have a mature approach for ssh with transient keys using ssm, we do not need key pairs within EC2 at all.
Any non-transient key is implicitly less secure as it represents a long-lived (and thus more likely to leak) access method to an instance. Therefore, we should consider all key pairs to be a security risk and discourage their use.
To encourage this, it would make sense to add a new check for SHQ detailing, in order:
- Launch Configs with specified Key Pair names
- Key Pairs
- Running instances with specified key pairs
All the above should now be considered 'bad'.
Note that removing key pairs which are specified in a launch config can make it impossible to auto-scale. Thus point 1 above must be addressed before point 2. This should perhaps be made clear.
Now that we have a mature approach for ssh with transient keys using ssm, we do not need key pairs within EC2 at all.
Any non-transient key is implicitly less secure as it represents a long-lived (and thus more likely to leak) access method to an instance. Therefore, we should consider all key pairs to be a security risk and discourage their use.
To encourage this, it would make sense to add a new check for SHQ detailing, in order:
All the above should now be considered 'bad'.
Note that removing key pairs which are specified in a launch config can make it impossible to auto-scale. Thus point 1 above must be addressed before point 2. This should perhaps be made clear.