Which solution will meet this requirement with the LEAST amount of administrative overhead?
Use AWS Systems Manager Session Manager to connect to the EC2 instances.
Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.
Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.
Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.
Explanations:
AWS Systems Manager Session Manager provides a secure and managed way to access EC2 instances without the need for SSH keys. It allows administrators to connect to instances directly through the AWS Management Console or AWS CLI, eliminating the need for shared keys and reducing administrative overhead. Additionally, it provides session logging and auditing capabilities, enhancing security.
While AWS Security Token Service (AWS STS) can generate temporary credentials, it does not directly generate SSH keys. Implementing a solution that creates on-demand SSH keys would require additional complexity and management, which is counterproductive to the goal of reducing administrative overhead.
Using bastion instances allows for controlled access to other instances, but it still involves shared SSH keys unless replaced with individual user keys or other authentication methods. This option introduces additional management overhead in maintaining the bastion host and does not fully comply with the requirement to eliminate shared keys.
Implementing an Amazon Cognito custom authorizer and a Lambda function to generate temporary SSH keys is overly complex and introduces significant administrative overhead. This solution requires additional setup, management of the Lambda function, and integration with Cognito, which does not align with the requirement for minimal administrative burden.
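To make the Session Manager explanation above concrete, here is an added example (not part of the question page) showing how an operator's IAM policy can grant session access without any SSH key material, and a small linter that flags the kind of over-broad ssm:StartSession grant that would undo the least-privilege benefit. The tag name "Environment" and value "dev", the Sid names, and the BROAD_POLICY document are constructed for the example; the actions, ARN patterns and the ssm:resourceTag condition key follow the AWS IAM documentation.

```python
"""Least-privilege IAM policy for AWS Systems Manager Session Manager, plus a linter.

Added example, not taken from the question page. It assumes (constructed for
illustration) that instances carry an "Environment" tag that scopes which
hosts an operator may open a session on.
"""
import json


def session_manager_policy(tag_key: str, tag_value: str) -> dict:
    """Build an IAM policy that allows shell sessions only on tagged instances.

    No SSH keys are involved: access is decided entirely by IAM identity,
    and every session is logged by Session Manager.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                # Only instances whose tag matches may be reached.
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}
                },
            },
            {
                "Sid": "UseOnlyStandardShellDocument",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                # Pin the session document so custom documents cannot be used.
                "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # ${aws:username} is an IAM policy variable, resolved by IAM,
                # not Python formatting: users may only touch their own sessions.
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
            {
                "Sid": "ReadOnlyForConsole",
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus",
                    "ec2:DescribeInstances",
                ],
                "Resource": "*",
            },
        ],
    }


# Constructed counter-example: shell access to every instance, no conditions.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BroadShellAccess",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "*",
        }
    ],
}


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unconditioned_start_session(policy: dict) -> list:
    """Return Sids that allow ssm:StartSession on all instances with no Condition.

    Such statements give every holder of the policy a shell on every instance,
    which is the Session Manager equivalent of a shared root key.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"ssm:startsession", "ssm:*", "*"}:
            continue
        resources = _as_list(stmt.get("Resource", []))
        wide = any(r == "*" or r.endswith(":instance/*") for r in resources)
        if wide and "Condition" not in stmt:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def policy_json(tag_key: str, tag_value: str) -> str:
    """Serialised form suitable for `aws iam create-policy --policy-document`."""
    return json.dumps(session_manager_policy(tag_key, tag_value), indent=2)


if __name__ == "__main__":
    print(policy_json("Environment", "dev"))
    print("scoped policy findings:", find_unconditioned_start_session(
        session_manager_policy("Environment", "dev")))
    print("broad policy findings:", find_unconditioned_start_session(BROAD_POLICY))
```

The scoped policy produces no findings, while BROAD_POLICY is flagged on its "BroadShellAccess" statement. Attaching the scoped policy to an IAM role or group is the whole onboarding step for a new operator; removing it is the whole offboarding step, which is the administrative-overhead contrast with distributing and rotating SSH keys.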