Logo of Trend Micro

Unused AWS EC2 Key Pairs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EC2-056

Identify and remove any unused Amazon EC2 key pairs in order to adhere to AWS security best practices and protect against unapproved SSH access. An SSH key pair is evaluated as unused when is not associated with any of the EC2 instances available in the same AWS region.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Removing unused SSH key pairs can significantly reduce the risk of unauthorized access to your AWS EC2 instances as these key pairs can be reassociated at any time, providing access (usually by mistake) to the wrong users. Ideally, you will want to restrict access to your EC2 resources for all individuals who leave your organization, department or project that still possess the private key from the SSH key pair used.

Audit

To determine if you have any unused Amazon EC2 key pairs still available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Key Pairs.

04 Select the EC2 key pair that you want to examine.

05 Copy the name of the selected key displayed as the value of the Key pair name attribute, available within the EC2 dashboard bottom panel.

06 Go back to the navigation panel and under INSTANCES section choose Instances.

07 On the EC2 dashboard, click inside the attributes filter box located under the dashboard top menu, choose Key Name parameter from the dropdown list, paste the key pair name copied at step no. 5 and press Enter. To search for active EC2 instances only, choose Instance State then select Running from the dropdown list. This filtering method, i.e.

search for active EC2 instances only

will help you to determine if there are any EC2 instances that match the selected criteria, available in the current AWS region. If no AWS EC2 instances matching your filter criteria are found, the selected EC2 SSH key pair is not associated with any instances provisioned in the current region, therefore the EC2 key pair is not being used and should be removed from your account.

08 Repeat steps no. 3 – 7 to determine the status for other EC2 SSH key pairs provisioned within the current region.

09 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run describe-key-pairs command (OSX/Linux/UNIX) using custom query filters to list the names of all AWS EC2 key pairs provisioned in the selected region: 

aws ec2 describe-key-pairs
	--region us-east-1
	--query 'KeyPairs[*].KeyName'
	--output table

02 The command output should return a table with the requested key pair names: 

---------------------------
|    DescribeKeyPairs     |
+-------------------------+
|  WebServerDevSSHKey     |
|  WebServerProdSSHKey    |
|  CloudConformitySSHKey  |
+-------------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the name of the SSH key pair that you want to examine, returned at the previous step, and custom filtering to list the ID(s) of the active EC2 instance(s) currently associated with the selected SSH key pair: 

aws ec2 describe-instances
	--region us-east-1
	--filters Name=instance-state-name,Values=running Name=key-name,Values="WebServerDevSSHKey"
	--query 'Reservations[*].Instances[*].InstanceId'

04 The command output should return an array that contains the ID(s) of the EC2 instance(s) that match the filter criteria, otherwise it should return an empty array: 

[]

If the command output returns an empty array, i.e. [ ] (as shown in the example above), the selected SSH key pair is not currently associated with any of the EC2 instances provisioned in the current region, therefore the EC2 SSH key pair is not being used and should be removed from your AWS account.

05 Repeat step no. 3 and 4 to determine the status for other EC2 key pairs provisioned within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the audit process for other regions.

Remediation / Resolution

To decommission (remove) any unused EC2 key pairs provisioned within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Key Pairs.

04 Select the EC2 key pair that you want to remove (see Audit section part I to identify the right resource).

05 Click the Delete button from the dashboard top menu to initiate the key removal.

06 Within Delete Key Pair dialog box, review the key details to make sure you delete the right key, then click Yes to confirm the action.

07 Repeat steps no. 4 – 6 to delete other unused AWS EC2 SSH key pairs available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run delete-key-pair command (OSX/Linux/UNIX) using the identifier (name) of the SSH key pair that you want to delete (see Audit section part II to identify the right EC2 resource), to remove the selected unused EC2 key pair from your AWS account. The following command examples removes an EC2 key pair named "WebServerDevSSHKey" available within the US East (N. Virginia) region (if the command succeeds, no output is returned): 

aws ec2 delete-key-pair
	--region us-east-1
	--key-name WebServerDevSSHKey

02 Repeat step no. 1 to delete other unused AWS EC2 SSH key pairs provisioned in the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.

References

Publication date Jul 12, 2017

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Unused AWS EC2 Key Pairs

Risk level: Medium