We are running a number of environments on EC2 using VPC. In each VPC we have a hardened bastion host configured which is used as the initial SSH entry point into the network.
To access hosts within our private VPC subnets, a user first SSHes to the bastion host and then SSHes to other hosts within the subnets. To do this the user forwards the SSH keys (downloaded as .pem files from AWS) when they make the initial SSH connection. For example:
ssh -A ec2-user@bastion-host.on.aws
ssh ec2-user@app-server.on.aws
The whole purpose of the bastion host is to allow team members to securely access our environments providing they have both .pem keys. The team members are trusted and within a single organisation.
My question is: What is the best way for us to manage and distribute the .pem files within the team so that:
- Team members can find the correct .pem files for the environment they wish to connect to
- The storage of the .pem files is secure
- We can explicitly authorise individual users to access the keys
Any suggestions most welcome.
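As an added example (not part of the original post), the script below generates per-environment ~/.ssh/config stanzas so the second hop goes through the bastion with ProxyJump rather than agent forwarding (-A); with ProxyJump the .pem keys are only ever read on the user's own machine and the bastion never gets an agent socket, while IdentityFile pins the right key to the right environment. Environment names, bastion hostnames, the key directory layout and the ".internal" host suffix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Emits ~/.ssh/config stanzas for
# one environment so that hosts behind its bastion are reached via ProxyJump
# (ssh -J) instead of agent forwarding (ssh -A). Environment names, host
# names, key locations and the ".internal" suffix are assumptions.

# gen_ssh_config ENV BASTION_FQDN KEY_DIR
#   KEY_DIR is assumed to hold bastion.pem and app.pem for that environment.
gen_ssh_config() {
    env="$1"; bastion="$2"; keydir="$3"
    cat <<EOF
# ---- environment: $env ----
Host ${env}-bastion
    HostName $bastion
    User ec2-user
    IdentityFile $keydir/bastion.pem
    IdentitiesOnly yes
    ForwardAgent no

# Hosts named <name>.${env}.internal are reached through the bastion, which
# is assumed to be able to resolve those names (e.g. a private DNS zone).
Host *.${env}.internal
    User ec2-user
    IdentityFile $keydir/app.pem
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump ${env}-bastion
EOF
}

# pem_is_private KEY_FILE: succeeds only when the key exists and is not
# readable by group or others (ssh itself refuses keys that are more open).
pem_is_private() {
    [ -f "$1" ] || return 1
    # octal -perm: -040 = group-read bit set, -004 = other-read bit set
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Stand-alone use: write stanzas for two environments into a local file.
if [ "${0##*/}" = "ssh_bastion_config.sh" ]; then
    {
        gen_ssh_config staging bastion.staging.on.aws "$HOME/.ssh/staging"
        gen_ssh_config prod    bastion.prod.on.aws    "$HOME/.ssh/prod"
    } > "$HOME/.ssh/config.d-bastions"
    echo "wrote $HOME/.ssh/config.d-bastions; try: ssh app-server.prod.internal"
fi
```

Include the generated file from ~/.ssh/config with an `Include` directive, then `ssh app-server.prod.internal` performs both hops with the keys staying local.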