Repository files navigation

AWS does not allow you to modify the SSH key of EC2 instances, the option they suggest is to recreate the instance with a new key.

This repository provides an automated alternative for SSH key rotation with AWS services.

It allows the generation of Key Pairs and rotation over S3 Buckets, setting the new keys on the machines matching the defined TAG. In addition, it allows key modification when new EC2 machines are provisioned.

• Execute the script that allows to create the s3 where the TFSTATE will be stored../terraform/scripts/create_backend_config.sh../terraform/scripts/create_backend_config.sh example-bucket eu-west-1

• Modify the bucket config and the region in theterraform_config.tf file.

• Checkterraform.tfvars file and include your Public IP.

• Deploy code:terraform -chdir=terraform initterraform -chdir=terraform apply

• Test ssh instance:

ssh -i terraform/rsa.pem ec2-user@<public-ip>       __|  __|_  )       _|  (     /   Amazon Linux 2 AMI      ___|\___|___|https://aws.amazon.com/amazon-linux-2/12 package(s) neededfor security, out of 22 availableRun"sudo yum update" to apply all updates.$>

• You can run the AWS Kambda code by creating two test events:Rotate:

{"Records":[          {"eventSourceARN":"<arn-sqs-rotate>"          }       ]    }

Deploy:

{"Records":[          {"eventSourceARN":"<arn-sqs-deploy>"          }       ]    }

• Once executed, download the new keys./terraform/scripts/download_keys.sh <rotate-bucket-name>

• Check ssh instance:

ssh -i key_pairs/instance_key.pem ec2-user@<public-ip>Last login: Fri Jul 22 11:39:22 2022 from XX.XX.XX.XX       __|  __|_  )       _|  (     /   Amazon Linux 2 AMI      ___|\___|___|https://aws.amazon.com/amazon-linux-2/12 package(s) neededfor security, out of 22 availableRun"sudo yum update" to apply all updates.$>