AWS solution to let your users manage their SSH keys inside IAM and deploy these keys across all machines automatically
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

AWS - Bastions with user-managed SSH keys

In a few words

This repository contains a solution for Amazon Web Services (AWS) to let your users manage their SSH keys inside IAM (with SSH keys for AWS CodeCommit). SSH keys are then deployed automatically to bastions and instances across several AWS accounts without any action.




In order to use this solution you need to:

  • Set up Cloudtrail on your IAM account
  • Configure Cloudtrail to deliver to a CloudWatch Log Group, write down the name of your Log Group
  • Create one private bucket inside IAM account:
    • We will use "security-bucket" in this example
  • Make IAM groups for each VPC (you can also use the same)
  • Enable VPC Endpoints to S3 on each VPC
  • Use IAM accounts with the following format:

Lambda triggers

The lambda will be triggered on several Cloudtrail events:

  • UploadSSHPublicKey, when anyone adds a SSH Key to an IAM user
  • UpdateSSHPublicKey, when anyone makes active or inactive an SSH key
  • DeleteSSHPublicKey, when anyone deletes a SSH Key
  • DeleteUser, when anyone deletes an IAM user

The Cloudwatch filter used is: {($.eventName = UploadSSHPublicKey || $.eventName = DeleteSSHPublicKey || $.eventName = UpdateSSHPublicKey || $.eventName = DeleteUser) && ($.errorCode NOT EXISTS)}

How to deploy

  • Check requirements section above

  • Edit lambda configuration

    • Configuration file: lambda/generate-keys/config.yaml
    • Edit vpc-id, aws-account-id and iam-group as you wish to match your environment
  • Upload to S3 the lambda code

    • cd lambda/generate-keys/
    • Edit parameters
    • sh
    • is here if you want to update the lambda function in the future
  • Deploy lambda template inside IAM AWS account

    • templates-cloudformation/ if you prefer to use Cloudformation
    • templates-sceptre/ if you prefer to use Sceptre (
      • sceptre create-stack iam-account lambda
  • Add roles to your bastions and instances with at least the following permissions to the bucket you created

    • s3:GetObject
    • s3:ListBucket
    • Example:
             "Version": "2012-10-17",
             "Statement": [
                   "Effect": "Allow",
                   "Action": [
                   "Resource": [
  • Edit your bastions and instances userdata to make use of the new solution

    • For bastions: userdata-bastions/
    • For instances: userdata-instances/
  • Test the solution! Cloudtrail takes a few minutes to deliver the logs so be patient before it triggers the lambda, the cron job is scheduled every 5 minutes in userdata scripts by default but it can be reduced.


Paul Chapotet —