In our organization, we manage a considerable number of EC2 instances. In past we've been distributing SSH keys to users for login access, but this approach poses security risks if the keys are compromised.
I'm exploring alternative solutions to securely manage user access. My initial thought is to leverage IAM to restrict user access on a per-EC2 basis and revoke access by removing roles. However, if IAM isn't suitable for this purpose, I'm also considering utilizing Amazon's managed AWS Directory Service.
Could someone advise on how to implement user access control using IAM or AWS Directory Service? Additionally, I'm open to suggestions for other services that offer granular access control, including the ability to revoke access policies and restrict logins on a per-EC2 level.
To control access via IAM, use either AWS Systems Manager Session Manager or EC2 Instance Connect. Session Manager does a better job of tracking access. Both allow connectivity to instances in private subnets when configured correctly.
To control access via Active Directory then you can Join an Amazon EC2 instance to your AWS Managed Microsoft AD Active Directory - AWS Directory Service, which involves storing a domain secret in Secrets Manager.
If you choose to keep using SSH keys, then:
ec2-user)