Avoid Sharing Key Pairs for EC2

Andreas Wittig – 11 Mar 2016

Lock and key devices are used by mankind for more than 6.000 years. Whether mechanical, electrical or digital, the concept stays the same: a key is needed to access resources behind a lock. Technology has made incredible progress since then. But one problem is still the same: managing keys.

Lock and key devices

After installing a lock, you need to answer the question: Who needs a key?

  • With each key you hand over the risk of misuse increases.
  • With each key you withhold the effort of accessing resources increases.

Balancing these oppositions is an important part of managing keys. And it’s getting more and more complex with each additional lock.

EC2 Key Pairs

A key is needed to access an EC2 instance over SSH. The key consists of a private key and a public key called Key Pair.

You are able to manage your keys with the help of the AWS Management Console. The following example shows a screenshot of a Key Pair named mykey.

Manage Key Pairs with AWS Management Console

The key management allows you to create, import and delete multiple keys for the use with EC2 instances.

When you launch an EC2 instance you can select one of your keys to allow SSH access. AWS will then add that key to your instance. The last step when starting an EC2 instance via the AWS Management Console is shown in the following screenshot.

Choose Key Pair for EC2 instance

In this case the Key Pair named mykey was chosen. The key mykey is needed when establishing an SSH connection to that EC2 instance.

ssh -i ~/.ssh/mykey ec2-user@52.123.456.789

AWS implemented a secure way to manage keys to authenticate when establishing a SSH connection.

Andreas and Michael Wittig

Hej, Andreas & Michael here!

We launched the cloudonaut blog in 2015. Since then, we have published 325 articles: small tips and tricks, best practices, and service reviews. We enjoy writing about all things AWS a lot.

Do you like our blog posts and podcast episodes? Have you learned something new? Consider supporting us create in-depth and independent AWS content. Please help us with a monthly or one-time payment through GitHub Sponsors.

Start supporting us today!

Problematic Default

If you read through security guidelines, for example the Operational Checklists for AWS you will always find the same requirements for SSH keys:

  • Every user uses its own SSH key. Don’t share keys between users.
  • Access to EC2 instances via SSH is restricted to the minimum number of users. Only users who really need to be able to log into an EC2 instance are able to do so.

Unfortunately it is only possible to select a single Key Pair when launching an EC2 instance. And it’s not possible to change the Key Pair for a running EC2 instance.

That’s one reason why I’ve seen many AWS accounts with shared Key Pairs while doing Security Reviews for my consulting customers.


Adding multiple keys to an EC2 instance is possible with the help of User Data. User Data allows you to provision an EC2 instance during bootstrapping.

The following example includes a cloud-init configuration. The configuration contains two users jdeoand jroe and their public SSH key, the public part of the Key Pair.

- default
- name: jdoe
gecos: John Doe
- ssh-rsa ...
- name: jroe
gecos: Jane Roe
- ssh-rsa ...

This allows you to add the public parts of your Key Pairs to your CloudFormation template. You are able to manage your keys with the help of Infrastructure as Code. The cloud-init script from above is embedded into the CloudFormation template.

The following example shows a CloudFormation template including an EC2 instance.

"EC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-bff32ccc",
"InstanceType": "t2.micro",
"SecurityGroupIds": "...",
"SubnetId": "...",
"UserData": {"Fn::Base64": {"Fn::Join": ["\n", [
" - default",
" - name: jdoe",
" gecos: John Doe",
" ssh-authorized-keys:",
" - ssh-rsa ...",
" - name: jroe",
" gecos: Jane Roe",
" ssh-authorized-keys:",
" - ssh-rsa ..."

There isn’t just one way of doing it. So let’s have a look at other solutions as well.

More Solutions

Think about the Key Pairs as a delivery artifact that needs to be deployed onto your EC2 instances. Other solutions to manage Key Pairs for EC2 instances are:

  • Use CodeDeploy and a delivery pipeline to add, update, or delete keys on your EC2 instances.
  • Use the AuthorizedKeysCommand of SSH to load keys on-demand.
  • Integrate SSH authentication with a directory service or identity broker (e.g. Active Directory, LDAP, …)
  • Get rid of SSH access. I’m not joking. Infrastructure as Code, Automated Deployments, Centralized Logging and Monitoring allows you to turn off SSH completely.


Two simple rules for using Key Pairs to control access to EC2 instances via SSH:

  1. Every user uses its own SSH key. Don’t share keys between users.
  2. Access to EC2 instances via SSH is restricted to the minimum number of users.

EC2 doesn’t support multiple Key Pairs by default. And updating Key Pairs (adding new keys, replacing existing keys, or deleting existing keys) is not supported by default.

User Data allows you to deploy a bunch of Key Pairs on an EC2 instance during bootstrapping. CloudFormation and cloud-init simplify the task of creating users and adding the public part of their Key Pairs to an EC2 instance.

Tags: aws security ec2
Andreas Wittig

Andreas Wittig

I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Michael.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

Feedback? Questions? Drop me a line: Email, Twitter, LinkedIn.

Briefcase icon
Hire me