AWS EC2 Instance SSH Key Pair Management Policy | Best Practices

Managing SSH Key Pairs for EC2 Instances on AWS

Question

Your company is planning to host its resources on AWS.

A company policy mandates that all SSH key pairs of EC2 instances are completely managed within the company itself.

Which of the following is the correct measure to comply with this policy?

Answers

A. Use the AWS KMS service to create the keys, and the company manages the key lifecycle thereafter.
B. Generate the key pairs for the EC2 Instances using tools such as ssh-keygen or puttygen.
C. Use the EC2 Key pairs that come with AWS.
D. Use S3 server-side encryption.

Explanations

Answer - B.

You need to generate the SSH key pairs for the EC2 instances with third-party tools so that the company has complete control of the keys.

Option A is incorrect because KMS does not manage the SSH key pairs of EC2 instances.

Option C is incorrect because it means that AWS generates, and therefore owns, the keys, while the question specifically requires that the company own the keys.

Option D is incorrect because S3 server-side encryption does not manage the SSH key pairs of EC2 instances.

For information on security for compute resources, please visit the URL below:

https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

The correct measure to comply with the company policy of completely managing the SSH key pairs of EC2 instances within the company is option B - Generate the key pairs for the EC2 Instances using tools such as ssh-keygen or puttygen.

Here's an explanation of why the other options are not correct:

A. Use the AWS KMS service to create the keys, and the company manages the key lifecycle thereafter. Using the AWS KMS service to create the keys would mean that the keys are managed by AWS, not the company itself, which would violate the company policy. While the company could manage the key lifecycle after they are created, this does not address the initial creation of the keys, which is the main concern of the policy.

B. Generate the key pairs for the EC2 Instances using tools such as ssh-keygen or puttygen. This option is the correct measure to comply with the company policy. By generating the key pairs using tools such as ssh-keygen or puttygen, the company has complete control over the creation and management of the keys, ensuring compliance with the policy.

C. Use the EC2 Key pairs that come with AWS. Using the EC2 Key pairs that come with AWS would mean that AWS generates the keys, so they are not managed by the company itself from the start, which would violate the company policy. The initial creation of the keys is the main concern of the policy, and this option does not address it.

D. Use S3 server-side encryption. S3 server-side encryption is not related to the management of SSH key pairs for EC2 instances. It is a method of encrypting data stored in S3 buckets. While encryption is an important aspect of security, it does not address the policy requirement of completely managing SSH key pairs for EC2 instances.
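To show what option B looks like in practice, the following script is an added example (not code from the original page or from AWS): it generates the key pair on a company-controlled host with ssh-keygen, checks that the file about to be uploaded really is the public half, and prints the `aws ec2 import-key-pair` call that registers only that public key with EC2. The key name, file paths, and the format check are assumptions for illustration; the private key never leaves the host, which is what keeps ownership with the company.

```shell
#!/bin/sh
# Added example: company-managed EC2 SSH key pair. Generate locally, upload only the
# public key. Key name, file path and the format check below are illustrative assumptions.
set -eu

# generate_key NAME FILE: create an ed25519 key pair with ssh-keygen.
# The private key stays at FILE on this host and is never sent to AWS.
generate_key() {
  name="$1"; file="$2"
  if [ -f "$file" ]; then
    echo "private key already exists, not overwriting: $file" >&2
    return 1
  fi
  # -N "" (empty passphrase) is for illustration only; use a passphrase for a real key.
  ssh-keygen -t ed25519 -f "$file" -N "" -C "$name" >/dev/null
  chmod 600 "$file"       # private key readable by its owner only
  chmod 644 "$file.pub"   # public key may be world-readable
}

# public_key_valid FILE: succeed only if FILE is a single OpenSSH public-key line of a
# type EC2 accepts for import (ssh-ed25519 or ssh-rsa). A private key file fails this
# check, which guards against uploading the wrong half of the pair by mistake.
public_key_valid() {
  awk 'NR == 1 && ($1 == "ssh-ed25519" || $1 == "ssh-rsa") && NF >= 2 { ok = 1 }
       END { exit !ok }' "$1"
}

# import_cmd NAME PUBFILE: print the AWS CLI call that registers the public key with
# EC2 under NAME. fileb:// makes the CLI upload the file bytes unchanged.
import_cmd() {
  printf 'aws ec2 import-key-pair --key-name %s --public-key-material fileb://%s\n' "$1" "$2"
}

# Usage: sh manage-key.sh generate company-managed-key "$HOME/.ssh/company-managed-key"
case "${1:-}" in
  generate)
    [ $# -eq 3 ] || { echo "usage: $0 generate NAME FILE" >&2; exit 2; }
    generate_key "$2" "$3"
    public_key_valid "$3.pub" || { echo "refusing to import: $3.pub is not a public key" >&2; exit 1; }
    # Print the import command rather than running it, so an operator can review
    # exactly which file reaches AWS before executing it.
    import_cmd "$2" "$3.pub"
    ;;
  *)
    ;;
esac
```

Run the `generate` subcommand once per key pair, then execute the printed `aws ec2 import-key-pair` line with credentials that are allowed to create key pairs; the resulting EC2 key pair contains only the public key, so rotation and revocation of the private key remain entirely a company-side process.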