DEV Community

Wakeup Flower

Enable Session Manager and delete shared ssh keys

Step 1 — Enable Session Manager

  1. Go to the AWS Systems Manager console.
  2. Ensure Session Manager is enabled.
  3. Attach an IAM instance profile whose role includes the AmazonSSMManagedInstanceCore managed policy to your EC2 instances (if not already attached).
  4. Verify instances show up in Systems Manager under Managed Instances.

This gives you SSH‑free access to your EC2 fleet.


Step 2 — Verify Access

From the AWS console or CLI:

aws ssm start-session --target <instance-id>

You should be able to connect to the instance without SSH keys or a bastion host.


Step 3 — Remove Shared SSH Keys

Now you need to delete the old shared keys to meet compliance.

Option A — Manually:

  • Connect via Session Manager.
  • Edit the SSH authorized_keys file to remove the shared key, or delete the file outright:
sudo rm /home/ec2-user/.ssh/authorized_keys

Repeat for any other user accounts with SSH access.


Option B — Automate with Systems Manager Run Command:

  1. Go to Systems Manager → Run Command.
  2. Choose the document: AWS-RunShellScript.
  3. Add the command to remove keys, for example:
rm /home/ec2-user/.ssh/authorized_keys
rm /root/.ssh/authorized_keys
  4. Select all instances.
  5. Execute the command.

This removes the keys from all instances in one go.


Step 4 — Audit & Verify

  • Use Systems Manager or AWS Config to verify .ssh/authorized_keys is empty for all users.
  • Check your compliance logs in AWS CloudTrail.
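An added example, not code from the original post: a POSIX shell payload for the AWS-RunShellScript step above that strips authorized_keys for root and every account under /home (the post's commands cover only ec2-user and root), plus the empty-file check from Step 4. The ROOT prefix argument, the RUN_ON_INSTANCE switch and the Environment=prod tag are assumptions so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example for the Run Command and audit steps (not from the post).
# ROOT is an assumed prefix: "" on a real instance, a scratch directory when
# testing. It walks /root plus every home directory under /home.

# Print the path of every authorized_keys file under ROOT, one per line.
list_authorized_keys() {
    root="$1"
    for dir in "$root/root" "$root"/home/*; do
        [ -d "$dir" ] || continue
        f="$dir/.ssh/authorized_keys"
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Remove every authorized_keys file under ROOT; print how many were removed.
remove_authorized_keys() {
    n=$(list_authorized_keys "$1" | wc -l | tr -d ' ')
    list_authorized_keys "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    echo "$n"
}

# Audit (Step 4): succeed only when no authorized_keys file remains.
verify_no_authorized_keys() {
    [ -z "$(list_authorized_keys "$1")" ]
}

# Fleet-wide dispatch from an operator workstation (assumed tag filter;
# not executed here, needs AWS credentials and the file saved as remove_keys.sh):
#   aws ssm send-command --document-name AWS-RunShellScript \
#     --targets Key=tag:Environment,Values=prod \
#     --parameters commands="$(cat remove_keys.sh)"

# Entry point when run on an instance (RUN_ON_INSTANCE=1 is an assumed switch).
if [ "${RUN_ON_INSTANCE:-0}" = "1" ]; then
    removed=$(remove_authorized_keys "")
    echo "removed $removed authorized_keys file(s)"
    verify_no_authorized_keys "" && echo "audit: no authorized_keys left"
fi
```

The audit function's exit status is what Run Command reports per instance, so a non-zero result flags any host where a key file survived.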

Step 5 — Lock Down Access

  • Ensure no new SSH keys are deployed by:

    • Updating AMIs
    • Changing user-data scripts
    • Removing SSH key provisioning from automation pipelines

💡 Why this is efficient:
Using Session Manager + Run Command means you don’t manually log into hundreds of EC2 instances — you can remove all shared keys in minutes.
