How can the Security Engineer further protect currently running instances?
Delete the key-pair key from the EC2 console, then create a new key pair.
Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.
Explanations:
Deleting the key pair in the EC2 console only removes the key from future instances, not from the already running ones. Existing instances will still be vulnerable.
Themodify-instance-attributeAPI does not allow changing the SSH key pair on an already running EC2 instance. The instance would need to be stopped and restarted for the key change to take effect.
Using EC2 RunCommand to modify theauthorized_keysfile on EC2 instances allows immediate removal of the compromised SSH key and updating with a new key, ensuring protection of the instances.
Updating the key pair in an AMI only affects future instance launches from that AMI. It does not update the keys on currently running EC2 instances, which remain vulnerable.
I rank that the answer is:
Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
It appears that the answer is:
Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.