AWS – Bastions with user-managed SSH keys

I recently architected a bastion solution that lets employees manage their own SSH keys from the AWS console. CodeCommit actually lets you upload your SSH public keys directly in the IAM section of your user, a bit like on GitHub.

Benefits of this solution:

  • Nothing to manage once installed and configured
  • Lets users update their public SSH keys themselves in the console
  • Deploys the keys automatically and keeps them up to date on all bastions and instances
  • Adds and removes users on all Linux boxes automatically when you add/remove accounts in IAM
  • Linux usernames are generated from the IAM account email: -> pchapotet
  • Keys are automatically deployed on bastions and instances based on the VPC they are located in
  • Inexpensive: the Lambda function runs only when there is a change in IAM:
    • UploadSSHPublicKey, when anyone adds an SSH key to an IAM user
    • UpdateSSHPublicKey, when anyone activates or deactivates an SSH key
    • DeleteSSHPublicKey, when anyone deletes an SSH key
    • DeleteUser, when anyone deletes an IAM user
  • A single S3 GET operation is needed to update the SSH keys on bastions and instances
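The Lambda side of the design above (IAM event fires, the function reads every user's active SSH keys from IAM, derives the Linux username from the email, and writes one manifest per environment to S3 for the instances to fetch) as an added example, not the code from the original post. It assumes conventions the post does not state: the IAM user name is the employee's email address, membership in an IAM group named `ssh-<environment>` decides which environment's bastions and instances receive that user, and the manifests land in a hypothetical bucket `example-ssh-key-manifests` under `ssh-keys/<environment>.json`. The IAM and S3 calls are real boto3 APIs; the manifest format is this example's own.

```python
"""Lambda side: rebuild the per-environment SSH key manifests in S3 from IAM.

Added example, not the post's code. Assumed conventions (not in the post):
- the IAM user name is the employee's email address;
- membership in an IAM group named "ssh-<environment>" decides which
  environment's bastions and instances receive the user;
- each manifest is written to s3://MANIFEST_BUCKET/MANIFEST_PREFIX<environment>.json.
"""
import json
import re
from typing import Dict, Iterable, List

MANIFEST_BUCKET = "example-ssh-key-manifests"   # hypothetical bucket name
MANIFEST_PREFIX = "ssh-keys/"
GROUP_PREFIX = "ssh-"                            # IAM group "ssh-production" -> "production"
ENVIRONMENTS = ("production", "development")     # always written, even when empty
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def linux_username(email: str) -> str:
    """Derive the Linux login from the email's local part: lowercase, keep only
    [a-z0-9], cap at 32 characters (useradd's limit). Reject names that do not
    start with a letter instead of silently mangling them."""
    local = email.split("@", 1)[0].lower()
    name = re.sub(r"[^a-z0-9]", "", local)[:32]
    if not name or not name[0].isalpha():
        raise ValueError("cannot derive a Linux username from %r" % email)
    return name


def valid_key_line(body: str) -> bool:
    """Accept only a single-line OpenSSH public key of a known type, so a
    malformed upload cannot break authorized_keys for that user."""
    line = body.strip()
    parts = line.split()
    return "\n" not in line and len(parts) >= 2 and parts[0] in KEY_TYPES


def build_manifests(users: Iterable[str],
                    groups_for_user: Dict[str, List[str]],
                    keys_for_user: Dict[str, List[dict]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {environment: {linux_username: [active key lines]}}.

    Users with no active key are still listed with an empty list so the
    instance side keeps the account but installs no key. Two IAM users that
    map to the same Linux name are rejected: they would share one account.
    """
    manifests: Dict[str, Dict[str, List[str]]] = {env: {} for env in ENVIRONMENTS}
    claimed: Dict[str, str] = {}
    for user in users:
        envs = [g[len(GROUP_PREFIX):] for g in groups_for_user.get(user, [])
                if g.startswith(GROUP_PREFIX)]
        if not envs:
            continue  # no ssh-* group: deployed nowhere
        name = linux_username(user)
        if claimed.setdefault(name, user) != user:
            raise ValueError("username %s claimed by both %s and %s"
                             % (name, claimed[name], user))
        keys = sorted(k["SSHPublicKeyBody"].strip() for k in keys_for_user.get(user, [])
                      if k.get("Status") == "Active" and valid_key_line(k["SSHPublicKeyBody"]))
        for env in envs:
            manifests.setdefault(env, {})[name] = keys
    return manifests


def lambda_handler(event, context):
    """Triggered by the IAM events listed above; always performs a full,
    idempotent rebuild rather than trusting the event payload."""
    import boto3  # imported here so the pure functions stay testable without AWS
    iam = boto3.client("iam")
    s3 = boto3.client("s3")
    users = [u["UserName"] for page in iam.get_paginator("list_users").paginate()
             for u in page["Users"]]
    groups = {u: [g["GroupName"] for g in iam.list_groups_for_user(UserName=u)["Groups"]]
              for u in users}
    keys: Dict[str, List[dict]] = {u: [] for u in users}
    for u in users:
        for meta in iam.list_ssh_public_keys(UserName=u)["SSHPublicKeys"]:
            full = iam.get_ssh_public_key(UserName=u, SSHPublicKeyId=meta["SSHPublicKeyId"],
                                          Encoding="SSH")["SSHPublicKey"]
            keys[u].append({"Status": full["Status"], "SSHPublicKeyBody": full["SSHPublicKeyBody"]})
    manifests = build_manifests(users, groups, keys)
    for env, manifest in manifests.items():
        s3.put_object(Bucket=MANIFEST_BUCKET, Key=MANIFEST_PREFIX + env + ".json",
                      Body=json.dumps(manifest, indent=2, sort_keys=True).encode())
    return {"environments": sorted(manifests), "users": len(users)}
```

Two design points worth keeping whatever naming you choose: the handler rebuilds everything from IAM on each of the four events rather than applying the event's own fields, so a dropped or out-of-order event cannot leave a stale key behind; and a username collision (two email addresses reducing to the same login) fails the run loudly instead of silently merging two people into one Linux account.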
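The instance side of the same design (the single S3 GET mentioned in the last bullet, followed by creating, removing and re-keying the Linux accounts) as an added example, again not the original post's code. It assumes the manifest layout `{linux_username: [key lines]}` from the Lambda example, a hypothetical bucket `example-ssh-key-manifests`, and a marker group `iam-ssh` of this example's own invention: accounts the script creates are added to that group, and only members of that group are ever deleted, so a pre-existing account such as `ec2-user` or `root` is never touched even if an IAM user name happens to reduce to it. It runs as root from cron or a systemd timer with the environment name as its only argument.

```python
"""Instance side: one S3 GET of this environment's manifest, then reconcile
local accounts and authorized_keys with it.

Added example, not the post's code. Assumptions (not in the post): the manifest
is {linux_username: [key lines]} as produced by the Lambda; accounts this script
creates are put in the marker group IAM_GROUP and only members of that group are
ever removed; it runs as root with the environment name as its first argument.
"""
import grp
import json
import os
import pwd
import subprocess
import sys
import tempfile
from typing import Dict, List, Tuple

IAM_GROUP = "iam-ssh"                          # marker group for managed accounts
MANIFEST_BUCKET = "example-ssh-key-manifests"  # hypothetical bucket name
MANIFEST_PREFIX = "ssh-keys/"


def plan(desired: Dict[str, List[str]], managed: List[str],
         existing: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split the work into (to_create, to_remove, clash).

    clash = a desired name that already exists locally but was not created by
    us (e.g. "root" or "ec2-user"): those are never touched, so an IAM user
    name cannot end up owning a built-in account's authorized_keys.
    """
    to_create = sorted(u for u in desired if u not in existing)
    to_remove = sorted(u for u in managed if u not in desired)
    clash = sorted(u for u in desired if u in existing and u not in managed)
    return to_create, to_remove, clash


def render_authorized_keys(keys: List[str]) -> str:
    """Deduplicate and newline-terminate every key; an empty list yields an
    empty file, which removes all access for a user whose keys were deactivated."""
    unique = sorted({k.strip() for k in keys if k.strip()})
    return "".join(k + "\n" for k in unique)


def write_authorized_keys(user: str, keys: List[str]) -> None:
    """Atomically install ~/.ssh/authorized_keys with the ownership and modes sshd expects."""
    pw = pwd.getpwnam(user)
    ssh_dir = os.path.join(pw.pw_dir, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs' mode is subject to umask
    os.chown(ssh_dir, pw.pw_uid, pw.pw_gid)
    fd, tmp = tempfile.mkstemp(dir=ssh_dir, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write(render_authorized_keys(keys))
    os.chmod(tmp, 0o600)
    os.chown(tmp, pw.pw_uid, pw.pw_gid)
    os.replace(tmp, os.path.join(ssh_dir, "authorized_keys"))


def fetch_manifest(environment: str) -> Dict[str, List[str]]:
    """The single S3 GET per run; the instance role only needs s3:GetObject on this key."""
    import boto3  # imported here so the pure functions stay testable without AWS
    obj = boto3.client("s3").get_object(Bucket=MANIFEST_BUCKET,
                                        Key=MANIFEST_PREFIX + environment + ".json")
    return json.loads(obj["Body"].read())


def apply(desired: Dict[str, List[str]]) -> Tuple[List[str], List[str], List[str]]:
    """Create, remove and re-key accounts; returns the plan for logging."""
    try:
        managed = list(grp.getgrnam(IAM_GROUP).gr_mem)
    except KeyError:
        subprocess.run(["groupadd", IAM_GROUP], check=True)
        managed = []
    existing = [p.pw_name for p in pwd.getpwall()]
    to_create, to_remove, clash = plan(desired, managed, existing)
    for u in clash:
        print("refusing to manage pre-existing unmanaged account %s" % u, file=sys.stderr)
    for u in to_create:
        subprocess.run(["useradd", "-m", "-s", "/bin/bash", "-G", IAM_GROUP, u], check=True)
    for u in to_remove:
        # userdel fails while the user has a session; report it and retry next run
        if subprocess.run(["userdel", "-r", u]).returncode != 0:
            print("could not remove %s yet" % u, file=sys.stderr)
    for u, keys in desired.items():
        if u not in clash:
            write_authorized_keys(u, keys)
    return to_create, to_remove, clash


if __name__ == "__main__":
    apply(fetch_manifest(sys.argv[1]))
```

Scope the instance role's `s3:GetObject` permission to its own environment's object (`ssh-keys/development.json` for development instances) rather than to the whole bucket; the manifests contain only public keys, but a development instance still has no reason to learn which accounts exist on production bastions.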

In the diagram above, I assume that you are following AWS best practices and have a central account to manage IAM users, one account for production and one for your development environment. Interested in digging into the code? It’s available here: