Now that we have a mature approach for SSH with transient keys using SSM, we do not need key pairs within EC2 at all.
Any non-transient key is implicitly less secure as it represents a long-lived (and thus more likely to leak) access method to an instance. Therefore, we should consider all key pairs to be a security risk and discourage their use.
To encourage this, it would make sense to add a new check for SHQ detailing, in order:
1) Launch Configs with specified Key Pair names
2) Key Pairs
3) Running instances with specified key pairs
All the above should now be considered 'bad'.
Note that removing key pairs which are specified in a launch config can make it impossible to auto-scale. Thus point 1 above must be addressed before point 2. This should perhaps be made clear.
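To make the proposed check concrete, here is an added example (not SHQ's own code) that produces the findings in the order listed above and marks key pairs that a launch config still references, so point 1 is visibly a prerequisite for point 2. It assumes the inputs are the plain dict responses of boto3's `describe_launch_configurations`, `describe_key_pairs` and `describe_instances`; the sample responses are constructed so it runs offline.

```python
# Added example (not the project's own code). Inputs are the plain dict responses
# of boto3's autoscaling.describe_launch_configurations(), ec2.describe_key_pairs()
# and ec2.describe_instances(); the sample responses below are constructed so it runs offline.

def audit_key_pairs(launch_configs, key_pairs, instances):
    """Return (category, identifier, detail) findings in check order:
    launch configs -> key pairs -> running instances."""
    findings = []
    # 1) Launch configurations that pin a key pair. Fix these first:
    #    deleting a key pair still referenced here breaks auto-scaling.
    lc_by_key = {}
    for lc in launch_configs.get("LaunchConfigurations", []):
        key = lc.get("KeyName")
        if key:
            lc_by_key.setdefault(key, []).append(lc["LaunchConfigurationName"])
            findings.append(("launch_config", lc["LaunchConfigurationName"], key))
    # 2) Every key pair is a long-lived credential; flag those a launch
    #    config still depends on so the removal order is explicit.
    for kp in key_pairs.get("KeyPairs", []):
        blockers = lc_by_key.get(kp["KeyName"], [])
        if blockers:
            detail = "blocked by launch config(s): " + ", ".join(blockers)
        else:
            detail = "safe to remove"
        findings.append(("key_pair", kp["KeyName"], detail))
    # 3) Running instances that were launched with a key pair.
    for res in instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running" and inst.get("KeyName"):
                findings.append(("instance", inst["InstanceId"], inst["KeyName"]))
    return findings

# Constructed sample responses (not real account data).
SAMPLE_LAUNCH_CONFIGS = {"LaunchConfigurations": [
    {"LaunchConfigurationName": "web-asg-lc", "KeyName": "legacy-ops"},
    {"LaunchConfigurationName": "worker-lc", "KeyName": ""},
]}
SAMPLE_KEY_PAIRS = {"KeyPairs": [
    {"KeyName": "legacy-ops", "KeyPairId": "key-0000example"},
    {"KeyName": "old-deploy", "KeyPairId": "key-1111example"},
]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaexample", "KeyName": "legacy-ops", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbbexample", "State": {"Name": "running"}},
    {"InstanceId": "i-0cccexample", "KeyName": "old-deploy", "State": {"Name": "stopped"}},
]}]}

if __name__ == "__main__":
    for cat, ident, detail in audit_key_pairs(SAMPLE_LAUNCH_CONFIGS, SAMPLE_KEY_PAIRS, SAMPLE_INSTANCES):
        print(f"{cat:14} {ident:15} {detail}")
```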