Which solution will meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company has Linux-based Amazon EC2 instances.Users must access the instances by using SSH with EC2 SSH key pairs.Each machine requires a unique EC2 key pair.The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the keys in a securely encrypted place.The company will accept less than 1 minute of downtime during key rotation.

Which solution will meet these requirements?

Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.

Store all the keys in Parameter Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Parameter Store.

Import the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure automatic key rotation for these key pairs. Create an Amazon EventBridge scheduled rule to invoke an AWS Lambda function to initiate the key rotation in AWS KMS.

Add all the EC2 instances to Fleet Manager, a capability of AWS Systems Manager. Define a Systems Manager maintenance window to issue a Systems Manager Run Command document to generate new key pairs and to rotate public keys to all the instances in Fleet Manager.

Explanations:

This option effectively utilizes AWS Secrets Manager for secure storage of key pairs, allows for automated rotation through a Lambda function, and ensures that public keys on EC2 instances are updated seamlessly. The combination of Secrets Manager and Lambda enables the required functionality within the 1-minute downtime limit.

While AWS Systems Manager Parameter Store can store key pairs, it lacks built-in rotation capabilities like Secrets Manager. Using a maintenance window may introduce longer downtime than specified since the public key replacement process is not as automated or efficient as in Option A.

AWS KMS is designed for managing encryption keys rather than EC2 key pairs. Importing EC2 key pairs into KMS does not facilitate the desired rotation process, and KMS automatic key rotation is not applicable to SSH keys. This option does not meet the requirements effectively.

Fleet Manager provides management capabilities but does not directly facilitate the secure storage or automated rotation of EC2 key pairs. Using a maintenance window with Systems Manager Run Command may not achieve the required rotation and update of keys within the 1-minute downtime threshold.

2025-10-05

1 Comment

  1. Evelyn
    Author

    As I see it, the answer is:
    Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.

Leave a Reply to Evelyn Cancel reply

Your email address will not be published. Required fields are marked *

1 × one =