AWS typically uses SSH keys that get assigned on instance creation to facilitate access to EC2 instances through SSH. Those keys then typically get shared amongst the admin team to maintain the instances. Managing those keys for thousands of EC2 instances is inherently difficult, as key rotation is burdensome and there's no restriction on who can use a key or not.
Therefore, is the sharing of EC2 SSH keys amongst team members HIPAA and/or SOX compliant?
I know Instance Connect does a much better job of controlling SSH access by using IAM, but surprisingly I have not seen many companies use Instance Connect yet. Sharing SSH keys seems to be much too common, even among companies that require HIPAA or SOX compliance.
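To make concrete what "controlling SSH access by using IAM" looks like in practice, here is an added IAM identity policy example (not from the question or from AWS's own documentation) for the EC2 Instance Connect path. With Instance Connect the caller pushes a one-time public key to the instance metadata via the `ec2-instance-connect:SendSSHPublicKey` API; the key is only honoured for about 60 seconds, so there is no long-lived shared private key to rotate, and every push is recorded in CloudTrail under the caller's IAM identity. The region, account id (`123456789012`), OS user and the `Environment=phi-prod` tag value are placeholders chosen for this example and are not part of the original post.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PushEphemeralKeyToTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ec2-user",
          "ec2:ResourceTag/Environment": "phi-prod"
        }
      }
    },
    {
      "Sid": "CliNeedsDescribeToResolveInstance",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

The first statement is what replaces the shared key: access is granted per IAM principal, restricted to one OS user (`ec2:osuser`) and only to instances carrying the chosen tag (`ec2:ResourceTag/...`), so removing a team member's IAM access or changing a tag revokes SSH access immediately, with no key rotation across the fleet. The second statement is only there because the CLI and console look up the instance before pushing the key. For audit purposes the CloudTrail `SendSSHPublicKey` events give the per-user access trail that a pool of shared keys cannot provide, which is the property an auditor is usually asking for.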