
AWS typically uses SSH keys that get assigned on instance creation to facilitate access to EC2 instances through ssh. Those keys then typically get shared amongst the admin team to maintain the instances. Managing those keys for thousands of EC2 instances is inherently difficult as key rotation is burdensome and there's no restriction on who can use a key or not.

Therefore, is the sharing of EC2 ssh keys amongst team members HIPAA and/or SOX compliant?

I know Instance Connect does a much better job of controlling ssh access by using IAM, but surprisingly I have not seen many companies use Instance Connect yet. Sharing ssh keys seems to be much too common, even among companies that require HIPAA or SOX compliance.

Bernie Lenz

1 Answer


AWS typically uses SSH keys that get assigned on instance creation to facilitate access to EC2 instances through ssh. Those keys then typically get shared amongst the admin team...

Nope.

The key used on creation should typically be replaced with your own fresh and trustworthy generated key right after the first connect. It's not shared. Only noobs share keys. Multiple users = multiple keys.

Sharing keys with access to sensitive data is not even fully GDPR compliant, so it's 100% not HIPAA compliant.

Disclaimer: I'm not a lawyer.

Daniel W.
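The two conditions discussed above (the launch key pair never replaced and therefore shared by the whole admin team, and one key installed under several people's names) can be checked for across a fleet. This is an added example, not code from the question or the answer; the inventory, host names and key blobs are constructed placeholders, and it assumes the authorized_keys contents have already been collected from each instance (for example with SSM Run Command).

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the format ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line; skips blanks, '#' comments and leading options."""
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # unparseable line; a stricter audit would report it
        yield fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])

def audit(inventory, launch_key_fps):
    """inventory: {(host, osuser): authorized_keys text}; launch_key_fps: launch key pair fingerprints."""
    identities = defaultdict(set)  # fp -> distinct key comments it was installed under
    locations = defaultdict(set)   # fp -> (host, osuser) accounts that accept it
    for (host, osuser), text in inventory.items():
        for fp, comment in parse_authorized_keys(text):
            identities[fp].add(comment)
            locations[fp].add((host, osuser))
    findings = []
    for fp, where in locations.items():
        if fp in launch_key_fps:          # launch key never replaced: shared by definition
            findings.append(("launch-key-still-authorized", fp, sorted(where)))
        elif len(identities[fp]) > 1:     # same key under several people's names
            findings.append(("one-key-many-identities", fp, sorted(where)))
    return sorted(findings)

def _blob(label):
    """Constructed placeholder blob (NOT a real key); real blobs are SSH wire-encoded."""
    return base64.b64encode(label.encode() * 2).decode()

LAUNCH_FP = fingerprint(_blob("constructed-launch-keypair"))
SAMPLE_INVENTORY = {  # constructed sample; one key per person on many hosts is fine
    ("web-01", "ec2-user"): f"ssh-ed25519 {_blob('constructed-launch-keypair')} ops-team\n"
                            f"ssh-ed25519 {_blob('constructed-alice')} alice@laptop\n",
    ("web-02", "ec2-user"): f'from="10.0.0.0/8" ssh-ed25519 {_blob("constructed-alice")} alice@laptop\n'
                            f"ssh-ed25519 {_blob('constructed-shared')} bob@laptop\n",
    ("db-01", "ubuntu"): f"# rotated\nssh-ed25519 {_blob('constructed-shared')} carol@desk\n",
}
```

Running audit(SAMPLE_INVENTORY, {LAUNCH_FP}) reports the launch key on web-01 and the key used by both bob and carol, while alice's key, present on two hosts under one identity, is not flagged.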