Can I register a KMS key pair as the key pair for SSH login on an EC2 node?
I would like to use Terraform to manage it.
AWS KMS cannot, as of 2020-06-20, be directly used to manage SSH keys.
You can use KMS to generate RSA and ECC data keys for client-side encryption operations, but you would have to manage those keys yourself.
AWS KMS currently supports:
KMS customer master keys (CMKs) for service-side encryption (expensive and likely too high-latency for practical use from an SSH client):
AWS KMS supports symmetric and asymmetric CMKs.
- Symmetric CMK: Represents a single 256-bit secret encryption key that never leaves AWS KMS unencrypted. To use your symmetric CMK, you must call AWS KMS.
- Asymmetric CMK: Represents a mathematically related public key and private key pair that you can use for encryption and decryption or signing and verification, but not both. The private key never leaves AWS KMS unencrypted. You can use the public key within AWS KMS by calling the AWS KMS API operations, or download the public key and use it outside of AWS KMS.
Using an asymmetric CMK with SSH would require a modified client or a plugin I'm unaware of and would be quite expensive and slow.
Data keys for use in client-side operations:
AWS KMS also provides symmetric data keys and asymmetric data key pairs that are designed to be used for client-side cryptography outside of AWS KMS. The symmetric data key and the private key in an asymmetric data key pair are protected by a symmetric CMK in AWS KMS.
- Symmetric data key — A symmetric encryption key that you can use to encrypt data outside of AWS KMS. This key is protected by a symmetric CMK in AWS KMS.
- Asymmetric data key pair — An RSA or elliptic curve (ECC) key pair that consists of a public key and a private key. You can use your data key pair outside of AWS KMS to encrypt and decrypt data, or sign messages and verify signatures. The private key is protected by a symmetric CMK in AWS KMS.
Using an asymmetric data key from KMS would be more practical, but would require either a modified client to use a CMK to unwrap it or would require you to manage the encryption of the key itself on the client side using your SSH client's features.
You would also need to add the public key to the hosts you are logging into. One example would be to generate a CMK with Terraform and use a null_resource provisioner to create an asymmetric data key from it.
You could then obtain the asymmetric data key's public key and add it as a keypair to EC2 for use in provisioning instances.
This is terribly elaborate and unlikely to be worth the complexity. You are better off using ssh-keygen locally.
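The workflow sketched in the answer (CMK from Terraform, a null_resource provisioner that asks KMS for an asymmetric data key pair, the public half registered as an EC2 key pair) written out as an added example. This is not the answerer's code; the region, alias, key pair name, file names and AMI are placeholder assumptions, and it assumes the aws CLI, jq, openssl and ssh-keygen are installed on the host running `terraform apply`.

```hcl
terraform {
  required_version = ">= 0.12"
}

# Region and all names below are placeholders chosen for this example.
provider "aws" {
  region = "eu-west-1"
}

# 1. Symmetric CMK. It never leaves KMS; its only job here is to wrap the
#    private half of the data key pair generated in step 2.
resource "aws_kms_key" "ssh_wrap" {
  description             = "Wraps the private key of an SSH data key pair"
  deletion_window_in_days = 7
}

resource "aws_kms_alias" "ssh_wrap" {
  name          = "alias/ssh-wrap"
  target_key_id = aws_kms_key.ssh_wrap.key_id
}

# 2. Ask KMS for an RSA data key pair. The *-without-plaintext variant returns
#    only the public key (DER SubjectPublicKeyInfo) and the private key
#    encrypted under the CMK, so no private key material touches this host.
#    Needs aws CLI, jq, openssl and ssh-keygen locally (assumed present).
resource "null_resource" "ssh_data_key_pair" {
  triggers = {
    key_id = aws_kms_key.ssh_wrap.key_id
  }

  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    command     = <<-EOT
      set -eu
      aws kms generate-data-key-pair-without-plaintext \
        --key-id ${aws_kms_key.ssh_wrap.key_id} \
        --key-pair-spec RSA_2048 > kms_ssh.json
      # Encrypted private key, kept for later unwrapping on the client.
      jq -r .PrivateKeyCiphertextBlob kms_ssh.json | base64 -d > kms_ssh.key.enc
      # DER public key -> PEM -> OpenSSH authorized_keys line.
      jq -r .PublicKey kms_ssh.json | base64 -d \
        | openssl pkey -pubin -inform DER -out kms_ssh.pub.pem
      ssh-keygen -i -m PKCS8 -f kms_ssh.pub.pem > kms_ssh.pub
      rm -f kms_ssh.json
    EOT
  }
}

# 3. Read the OpenSSH public key only after the provisioner has written it.
data "local_file" "ssh_public_key" {
  filename   = "${path.module}/kms_ssh.pub"
  depends_on = [null_resource.ssh_data_key_pair]
}

# 4. Register it as an EC2 key pair and use it for instances as usual.
resource "aws_key_pair" "kms_backed" {
  key_name   = "kms-backed-ssh"
  public_key = data.local_file.ssh_public_key.content
}

resource "aws_instance" "example" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = "t3.micro"
  key_name      = aws_key_pair.kms_backed.key_name
}

# 5. Client side: only a principal allowed kms:Decrypt on the CMK can recover
#    the private key. KMS plays no part in the SSH handshake itself.
output "unwrap_private_key" {
  value = <<-EOT
    aws kms decrypt --ciphertext-blob fileb://kms_ssh.key.enc \
        --query Plaintext --output text \
      | base64 -d \
      | openssl pkey -inform DER -out ~/.ssh/kms_ssh \
      && chmod 600 ~/.ssh/kms_ssh \
      && ssh -i ~/.ssh/kms_ssh ec2-user@<instance-ip>
  EOT
}
```

Note what this does and does not buy you: the CMK's key policy (who may call kms:Decrypt on it) becomes the effective control over who can obtain the SSH private key, and CloudTrail records each unwrap. But once unwrapped, the plaintext private key sits on the client's disk like any ssh-keygen output, and sshd on the instance sees an ordinary RSA key. If you go this route, reading the step-5 command from `terraform output` rather than scripting the decrypt into the provisioner is deliberate, so the plaintext key never lands on the machine that runs Terraform.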