  • Locked thread
jre
Sep 2, 2011

To the cloud ?



Virigoth posted:

We're currently running a growing deployment in Amazon Web Services for our software. Right now we use a centralized SSH key (WTF YOU GUYS) to log in to hosts in our VPC. I'm investigating more secure and manageable ways to do this. What I'd like to do is have everyone create an SSH key pair and control access with an authorized_keys list to these instances. Has anyone ever done anything like this? The internet is pretty sparse on best practices and ideas on how to accomplish this.

Here is what I'm thinking will be the best solution:
1.) Have all the users create key pairs for their username in all the environments they have access to.
2.) Make sure users have an IAM role that allows them to SSH to the servers through the VPC and Bastion host
3.) Set up some sort of puppet script (which we run hourly on all of our EC2 instances) which maintains the authorized keys list

This would make it easy to maintain the authorized_keys list and create something manageable for our DevOps team when a new user is added/leaves the company. If this worked in a pilot situation it would be pretty easy to automate out the puppet side of things I'm pretty sure.

Why aren't you using an LDAP server to centralize user information? You can store the public key info in that fairly simply.

http://itdavid.blogspot.co.uk/2013/11/howto-configure-openssh-to-fetch-public.html
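
The approach jre points at, OpenSSH asking the directory for a user's keys at login time instead of puppet rewriting authorized_keys files every hour, comes down to a small AuthorizedKeysCommand script. The following is an added example written for this thread, not code from either poster or from the linked blog post. It assumes the directory stores keys in the `sshPublicKey` attribute (the openssh-lpk / ldapPublicKey schema); the `ldaps://ldap.example.com` host and `ou=people,dc=example,dc=com` base DN are placeholders, and the LDIF it parses in `--demo` mode is constructed inline so the script runs offline. The sshd side is two real directives, `AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u` and `AuthorizedKeysCommandUser nobody`, with `AuthorizedKeysFile none` if only directory-managed keys should count.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: LDAP search output -> authorized_keys lines.

sshd runs this as `ldap-ssh-keys <login name>` and accepts every line printed
on stdout as a public key for that login.  Added example for the thread;
attribute name, host and base DN are assumptions.
"""
import base64
import re
import struct
import subprocess
import sys

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# "<type> <base64 blob> [comment]" as found in authorized_keys
KEY_RE = re.compile(r"^(\S+) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$")


def wire_blob(key_type: str, payload: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, the key type, then payload."""
    return struct.pack(">I", len(key_type)) + key_type.encode() + payload


def build_sample_ldif() -> str:
    """Constructed `ldapsearch -LLL` output for the offline demo (not real keys)."""
    good = base64.b64encode(
        wire_blob("ssh-ed25519", struct.pack(">I", 32) + b"\x01" * 32)).decode()
    # blob says ssh-rsa but the line claims ssh-ed25519: must be rejected
    mismatch = base64.b64encode(
        wire_blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01")).decode()
    # LDIF writes binary-looking values as "attr:: <base64 of value>"
    b64_value = base64.b64encode(f"ssh-ed25519 {good} alice@backup".encode()).decode()
    return (
        "dn: uid=alice,ou=people,dc=example,dc=com\n"
        "uid: alice\n"
        f"sshPublicKey: ssh-ed25519 {good} alice@laptop\n"
        f"sshPublicKey:: {b64_value}\n"
        f"sshPublicKey: ssh-ed25519 {mismatch} alice@bogus\n"
        "sshPublicKey: not a key at all\n"
        "\n"
        "dn: uid=bob,ou=people,dc=example,dc=com\n"
        "uid: bob\n"
        f"sshPublicKey: ssh-ed25519 {good} bob@work\n"
    )


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds wrapped lines, decodes '::' base64 values,
    returns one dict of lower-cased attribute -> values per entry."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def valid_key(line: str) -> bool:
    """Accept only well-formed keys whose encoded blob announces the same type
    as the text prefix; anything else is dropped rather than handed to sshd."""
    m = KEY_RE.match(line.strip())
    if not m or m.group(1) not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    return blob.startswith(wire_blob(m.group(1), b""))


def authorized_keys_for(entries: list[dict[str, list[str]]], username: str) -> list[str]:
    """Keys of the entry whose uid matches the login name, invalid ones removed."""
    keys = []
    for entry in entries:
        if username in entry.get("uid", []):
            keys.extend(k.strip() for k in entry.get("sshpublickey", []) if valid_key(k))
    return keys


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: the login name arrives from an unauthenticated client."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldapsearch_argv(username: str, base_dn: str = "ou=people,dc=example,dc=com") -> list[str]:
    """Command line for OpenLDAP's ldapsearch (host and DN are placeholders)."""
    flt = f"(&(objectClass=posixAccount)(uid={ldap_filter_escape(username)}))"
    return ["ldapsearch", "-x", "-LLL", "-H", "ldaps://ldap.example.com",
            "-b", base_dn, flt, "uid", "sshPublicKey"]


def main(argv: list[str]) -> int:
    if len(argv) == 2 and argv[1] == "--demo":
        user, ldif = "alice", build_sample_ldif()
    elif len(argv) == 2:
        user = argv[1]
        ldif = subprocess.run(ldapsearch_argv(user), capture_output=True,
                              text=True, check=True).stdout
    else:
        print("usage: ldap-ssh-keys <username> | --demo", file=sys.stderr)
        return 2
    for key in authorized_keys_for(parse_ldif(ldif), user):
        print(key)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things this buys over the hourly puppet sync from the quoted post: removing a key from the directory takes effect on the next login attempt on every host, with no window where a departed user's key is still on disk, and the login name sshd passes in is treated as hostile input (filter-escaped, and the returned attribute is validated) because it is supplied by whoever connects, before any authentication has happened.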
