
Unused AWS EC2 Key Pairs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-056

Identify and remove any unused Amazon EC2 key pairs in order to adhere to AWS security best practices and protect against unapproved SSH access. An SSH key pair is evaluated as unused when it is not associated with any of the EC2 instances available in the same AWS cloud region.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework pillars: Security, Operational Excellence.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Removing unused SSH key pairs reduces the risk of unauthorized access to your Amazon EC2 instances: a key pair that remains in your account can be selected for any new instance launch, which hands access to that instance to whoever holds the private key, usually by mistake. This matters most for individuals who have left your organization, department, or project but still possess the private key of a key pair that was once in use. Note that the check below relies on the key name recorded for each instance at launch; it cannot see public keys that were added to an instance's authorized_keys file by other means, so it complements, rather than replaces, a review of who can log in to each instance.


Audit

To determine if you have any unused Amazon EC2 key pairs still available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Key Pairs.

04 Choose the key pair that you want to examine and copy the name of the key available in the Name column.

05 In the navigation panel, under Instances, choose Instances.

06 Click inside the Filter instances box located under the console top menu, choose Key name, paste the name of the key pair copied at step no. 4, then press Enter. This filtering technique will return only the Amazon EC2 instances associated with the selected key pair. If the filtering process does not return any EC2 instances, the selected key pair is not associated with an Amazon EC2 instance, therefore the SSH key pair is not being used and should be removed from your AWS cloud account.

07 Repeat steps no. 4 – 6 for each key pair available within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run describe-key-pairs command (OSX/Linux/UNIX) with custom query filters to describe the name of each instance key pair provisioned in the selected AWS region:

	aws ec2 describe-key-pairs \
	  --region us-east-1 \
	  --query 'KeyPairs[*].KeyName' \
	  --output table

02 The command output should return a table with the requested key names:

	--------------------------
	|    DescribeKeyPairs    |
	+------------------------+
	|   CloudConformityKey   |
	|   WebServerDevSSHKey   |
	|   WebServerProdSSHKey  |
	+------------------------+
	

03 Run describe-instances command (OSX/Linux/UNIX) using the name of the SSH key pair that you want to examine as the identifier parameter and custom query filters to list the ID(s) of the Amazon EC2 instance(s) associated with the selected key pair:

	aws ec2 describe-instances \
	  --region us-east-1 \
	  --filters Name=key-name,Values="CloudConformityKey" \
	  --query 'Reservations[*].Instances[*].InstanceId[]'

04 The command output should return an array with the requested EC2 instance identifiers (IDs):

	[]
	

If the describe-instances command output returns an empty array (i.e. []), as shown in the output example above, the selected key pair is not currently associated with an Amazon EC2 instance, therefore the SSH key pair is not being used and should be removed from your AWS cloud account.

05 Repeat steps no. 3 and 4 for each key pair available in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To decommission (remove) any unused Amazon EC2 key pairs from your AWS cloud account, perform the following operations. Deleting a key pair removes only the public key stored by Amazon EC2: it does not remove that public key from the authorized_keys file of any instance, and any launch template or Auto Scaling launch configuration that still references the key name will fail to launch instances once the key pair is gone, so check those references before deleting:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Key Pairs.

04 Select the Amazon EC2 key pair that you want to decommission.

05 Click on the Actions dropdown button from the console top menu and choose Delete.

06 Inside the <key-name> could be associated with one or more instances confirmation box, review the key pair details, type delete in the required field, then choose Delete to remove the selected key pair from your AWS cloud account.

07 Repeat steps no. 4 – 6 to decommission other unused SSH key pairs available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run delete-key-pair command (OSX/Linux/UNIX) using the name of the unused Amazon EC2 key pair that you want to decommission as the identifier parameter, to remove the selected key pair from your AWS cloud account (if successful, no output is returned for the delete-key-pair command):

	aws ec2 delete-key-pair \
	  --region us-east-1 \
	  --key-name CloudConformityKey

02 Repeat step no. 1 to decommission other unused SSH key pairs available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
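The audit and remediation steps above are run one key pair and one region at a time. The script below, added here as an example and not Conformity's own tooling, performs the same check for every key pair in every region and, when asked, deletes what it finds. It goes a step beyond the page's instance-only check: a key name is treated as in use if any non-terminated instance, the latest version of any launch template, or any Auto Scaling launch configuration references it, because deleting a key that a launch template still names breaks future launches. It assumes the AWS CLI is installed and configured with credentials allowed to call ec2:Describe*, autoscaling:DescribeLaunchConfigurations and, for the delete mode, ec2:DeleteKeyPair; the function names, the CONFIRM variable and the audit/delete command words are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's code): find EC2 key pairs that nothing in a
# region references, optionally delete them. Assumes a configured AWS CLI.

# Turn the AWS CLI's text output (names tab-separated on one line) into one
# name per line, drop the "None" that a null KeyName prints as, and prefix each
# line with a tag ("used" or "key") so a single awk pass can take the difference.
tagged() {
  tr '\t' '\n' | awk -v t="$1" '$0 != "" && $0 != "None" { print t "\t" $0 }'
}

# Print the key pair names in a region that no instance, launch template
# (latest version only; versions pinned by an Auto Scaling group are not
# checked here) or launch configuration references.
unused_key_pairs() {
  region=$1
  {
    # Terminated instances are skipped: they are gone, so their key protects nothing.
    aws ec2 describe-instances --region "$region" \
      --filters Name=instance-state-name,Values=pending,running,stopping,stopped \
      --query 'Reservations[].Instances[].KeyName' --output text | tagged used
    aws ec2 describe-launch-template-versions --region "$region" --versions '$Latest' \
      --query 'LaunchTemplateVersions[].LaunchTemplateData.KeyName' --output text | tagged used
    aws autoscaling describe-launch-configurations --region "$region" \
      --query 'LaunchConfigurations[].KeyName' --output text | tagged used
    aws ec2 describe-key-pairs --region "$region" \
      --query 'KeyPairs[].KeyName' --output text | tagged key
  } | awk -F '\t' '$1 == "used" { used[$2] = 1; next } !($2 in used) { print $2 }'
}

# Delete the unused key pairs of a region. Dry run unless CONFIRM=yes is set
# (this example's own safety switch), so a mistaken run only prints.
delete_unused_key_pairs() {
  region=$1
  unused_key_pairs "$region" | while IFS= read -r name; do
    if [ "${CONFIRM:-no}" = "yes" ]; then
      aws ec2 delete-key-pair --region "$region" --key-name "$name"
      echo "deleted $region $name"
    else
      echo "would delete $region $name (set CONFIRM=yes to delete)"
    fi
  done
}

# Usage: ./ec2-unused-keys.sh audit [region ...]
#        CONFIRM=yes ./ec2-unused-keys.sh delete [region ...]
# With no regions given, every region enabled for the account is scanned.
main() {
  mode=$1; shift
  regions=${*:-$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text | tr '\t' ' ')}
  for region in $regions; do
    case $mode in
      audit)  unused_key_pairs "$region" | awk -v r="$region" '{ print r ": " $0 }' ;;
      delete) delete_unused_key_pairs "$region" ;;
    esac
  done
}

case "${1:-}" in audit|delete) main "$@" ;; esac
```

Run the audit mode first and review the list; a key pair reported as unused may still be referenced by an older launch template version, and deleting it never revokes the matching public key from the authorized_keys file of instances that already have it.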


Publication date Jul 12, 2017