
Different Ways of Passing Parameters Securely in CloudFormation

Updated June 23, 2025

Part 1: Performing a Manual Key Rotation

This procedure overwrites the authorized_keys file on the target instance with a single new public key. sshd reads that file on every new login, so the old key, and any other key that was in the file (including the EC2 launch key pair), stops working for new connections as soon as the command finishes. Sessions that are already open are not terminated; revoking a key only stops future logins.

Step 1: Generate a New SSH Key Pair

On your local machine, use ssh-keygen to create a new private key and its corresponding public key. RSA is used here because the key line pasted in Step 3 begins with ssh-rsa; on any current OpenSSH, ed25519 (ssh-keygen -t ed25519) is the better default.


# Creates two files: new_key.pem (private) and new_key.pem.pub (public).
# -b 4096 overrides the 2048-bit RSA default; you will be prompted for a passphrase.

ssh-keygen -f new_key.pem -t rsa -b 4096

Step 2: Copy the Public Key

You need the contents of the public key file (.pub). Use cat to display it and copy the whole line: it begins with ssh-rsa, followed by a space, the base64-encoded key, and an optional comment. It is a single line; a wrapped or truncated copy will be rejected by sshd. Before pasting it anywhere, confirm the file parses with ssh-keygen -l -f new_key.pem.pub, which prints the key's fingerprint only when the file is well formed.


cat new_key.pem.pub

Step 3: Execute the Rotation via Run Command

  1. Navigate to Fleet Manager: In the AWS Management Console, go to AWS Systems Manager and select Fleet Manager from the navigation pane.

  2. Select Target Instance(s): Choose one or more managed instances where you want to rotate the key.

  3. Initiate Run Command: From the Node actions dropdown menu, select Execute run command. This will open the Run Command console.

  4. Choose Command Document: In the "Command document" section, search for and select the AWS-RunShellScript document.

  5. Enter the Command: Scroll down to the Command parameters section and paste the following into the Commands field, replacing <YOUR_COPIED_PUBLIC_KEY> and <INSTANCE_USERNAME> (ec2-user on Amazon Linux, ubuntu on Ubuntu). SSM Agent runs the script as root, so no sudo is needed. Note that > replaces the whole file: every other key in it, including the launch key pair, is removed in the same step.

    
    # Overwrites authorized_keys: the new key becomes the only key accepted for this user.
    # Keep the double quotes; the key line contains spaces.
    
    echo "<YOUR_COPIED_PUBLIC_KEY>" > /home/<INSTANCE_USERNAME>/.ssh/authorized_keys
    

    Example:

    
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuEnW...[rest of your key]..." > /home/ubuntu/.ssh/authorized_keys
    
  6. Execute: Scroll down, ensure your instances are correctly targeted, and click Run. You can monitor the command's progress until its status is "Success".

Step 4: Verify the Key Rotation

  1. Test the Old Key: Attempt to SSH into the instance with the old private key, passing -o IdentitiesOnly=yes so ssh does not silently fall back to another key held by your agent. The server should answer Permission denied (publickey).

  2. Test the New Key: Set restrictive permissions on the new private key (ssh refuses to use a key file that other users can read) and use it to connect.

    
    # Set correct, restrictive permissions on the private key file
    
    chmod 400 new_key.pem
    
    
    
    # Connect to your instance
    
    ssh -i "new_key.pem" <INSTANCE_USERNAME>@<YOUR_INSTANCE_IP_OR_DNS>
    

    The connection should now succeed.


Part 2: Automating SSH Key Rotation

The manual method is effective for immediate, one-off rotations. However, a robust security posture requires that rotation happens automatically on a schedule. You can achieve this using other features within AWS Systems Manager.

Strategy for Automation

A common approach is to use an AWS Systems Manager Maintenance Window.

  1. Create a Custom SSM Document: The echo one-liner works, but a custom SSM Command (or Automation) document is more reusable and gives you error handling. Parameterize it to take the public key and the user name as inputs, and constrain each parameter with an allowedPattern: SSM substitutes parameter values into the script as plain text before it runs, so an unconstrained parameter is a command-injection path for anyone allowed to send the command.

  2. Schedule with a Maintenance Window:

    • Navigate to Systems Manager > Maintenance Windows.

    • Create a window and define a recurring schedule (for example, a rate expression such as rate(90 days), or a cron expression for a fixed day of the month).

    • Register Targets: Assign the instances that require key rotation to this window (e.g., by targeting all instances with a specific tag).

    • Register a Task: Add a task to the window that runs the AWS-RunShellScript document (or your custom document).
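As an added example (not an AWS-managed document and not from the original article), this is what such a custom Command document can look like in schema 2.2. The document name, parameter names and default user are assumptions. The part that matters for security is allowedPattern on PublicKey and User: the runCommand lines below receive {{ PublicKey }} and {{ User }} as text substitutions, so the patterns are what stop a caller with ssm:SendCommand from smuggling a quote or a semicolon into the script through the key parameter.

```json
{
  "schemaVersion": "2.2",
  "description": "Replace ~/.ssh/authorized_keys for one user with a single public key (added example, not an AWS-managed document).",
  "parameters": {
    "User": {
      "type": "String",
      "description": "Login user whose authorized_keys is replaced (assumed default: ec2-user)",
      "default": "ec2-user",
      "allowedPattern": "^[a-z_][a-z0-9_-]{0,31}$"
    },
    "PublicKey": {
      "type": "String",
      "description": "One OpenSSH public key line: key type, base64 blob, optional comment. Pattern excludes quotes, semicolons and newlines because the value is spliced into the script as text.",
      "allowedPattern": "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [A-Za-z0-9@._-]+)?$"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "replaceAuthorizedKeys",
      "inputs": {
        "timeoutSeconds": "60",
        "runCommand": [
          "set -eu; umask 077",
          "u='{{ User }}'; d=\"/home/$u/.ssh\"",
          "install -d -m 700 -o \"$u\" \"$d\"",
          "printf '%s\\n' '{{ PublicKey }}' > \"$d/.authorized_keys.new\"",
          "chown \"$u\" \"$d/.authorized_keys.new\" && chmod 600 \"$d/.authorized_keys.new\"",
          "[ -f \"$d/authorized_keys\" ] && cp -p \"$d/authorized_keys\" \"$d/authorized_keys.prev\" || true",
          "mv -f \"$d/.authorized_keys.new\" \"$d/authorized_keys\""
        ]
      }
    }
  ]
}
```

Register it with `aws ssm create-document --name RotateSshAuthorizedKey --document-type Command --document-format JSON --content file://rotate-ssh-key.json` (the name is an assumption), then point the Maintenance Window task at that document instead of AWS-RunShellScript. A value that fails allowedPattern is rejected by the SendCommand API itself, before any instance runs anything.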

The Challenge of Dynamic Keys in Automation

The main challenge with fully automating this process is securely generating and supplying a new, unique public key on every scheduled run. A Maintenance Window task runs its document with parameter values that were fixed when the task was registered; it cannot create a key pair by itself.

A more advanced, fully automated solution would typically involve:

  • An AWS Lambda function that is triggered on a schedule (for example, an EventBridge rule).

  • The Lambda function generates a new key pair.

  • It stores the private key in AWS Secrets Manager before anything else changes, so a failure later in the run cannot leave a fleet that only accepts a key nobody holds. That secret now opens every rotated instance: restrict who can call GetSecretValue on it with a resource policy, and watch reads of it in CloudTrail.

  • It places the public key in SSM Parameter Store. A plain String parameter is adequate; the public half is not secret.

  • The Lambda function then calls SendCommand to deploy the public key to the target instances. Run Command can read the parameter itself when the command parameter is written as {{ssm:parameter-name}}, so the key never has to pass through the function's own arguments.
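The flow just listed, as an added example that is not part of the original article: the same steps written as a POSIX shell script driving the AWS CLI, so it can run from any scheduled job with an IAM role (a Lambda written in Python would make the same API calls). The secret name, parameter name, target tag and instance user are assumptions, and RotateSshAuthorizedKey is a hypothetical custom Command document that accepts PublicKey and User parameters. Two design points are worth noticing in the order of the calls: the private key reaches Secrets Manager before any instance learns the public key, and the send-command parameter is the literal {{ssm:...}} reference rather than the key text.

```shell
#!/bin/sh
# Added example (not from the original article): scheduled SSH key rotation
# driven by the AWS CLI. Names below are assumptions; RotateSshAuthorizedKey is
# a hypothetical custom Command document taking PublicKey and User.
set -eu

AWS="${AWS:-aws}"                      # overridable so the flow can run against a stub
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"
SECRET_NAME="${SECRET_NAME:-/ssh/fleet/private-key}"
PARAM_NAME="${PARAM_NAME:-/ssh/fleet/public-key}"
DOCUMENT="${DOCUMENT:-RotateSshAuthorizedKey}"
TARGET_TAG="${TARGET_TAG:-SshKeyRotation}"
INSTANCE_USER="${INSTANCE_USER:-ec2-user}"

# generate_keypair DIR: fresh ed25519 pair without a passphrase (Secrets
# Manager is the protection); prints the public key line.
generate_keypair() {
  "$SSH_KEYGEN" -q -t ed25519 -N '' -f "$1/id_ed25519" \
    -C "fleet-$(date -u +%Y%m%dT%H%M%SZ)"
  cat "$1/id_ed25519.pub"
}

# store_private_key FILE: the private key is saved BEFORE any instance changes;
# if this fails, nothing has been rotated yet. put-secret-value handles every
# run after the first, create-secret the first one.
store_private_key() {
  "$AWS" secretsmanager put-secret-value --secret-id "$SECRET_NAME" \
      --secret-string "file://$1" >/dev/null 2>&1 \
  || "$AWS" secretsmanager create-secret --name "$SECRET_NAME" \
      --secret-string "file://$1" >/dev/null
}

# publish_public_key LINE: a public key is not secret, so a String parameter
# is enough, and Run Command can resolve it directly.
publish_public_key() {
  "$AWS" ssm put-parameter --name "$PARAM_NAME" --type String \
    --value "$1" --overwrite >/dev/null
}

# deploy_public_key: send the document to every tagged instance. {{ssm:NAME}}
# is resolved by Run Command from Parameter Store at execution time, so the
# key text never appears in this invocation. Prints the command ID.
deploy_public_key() {
  "$AWS" ssm send-command --document-name "$DOCUMENT" \
    --targets "Key=tag:$TARGET_TAG,Values=true" \
    --comment "scheduled ssh key rotation" \
    --parameters "{\"User\":[\"$INSTANCE_USER\"],\"PublicKey\":[\"{{ssm:$PARAM_NAME}}\"]}" \
    --query Command.CommandId --output text
}

# wait_for_command ID: poll the parent command; Success means every targeted
# instance succeeded, anything else is a failed rotation.
wait_for_command() {
  while :; do
    status="$("$AWS" ssm list-commands --command-id "$1" \
      --query 'Commands[0].Status' --output text)"
    case "$status" in
      Pending|InProgress|Cancelling) sleep 5 ;;
      Success) return 0 ;;
      *) echo "command $1 ended with status $status" >&2; return 1 ;;
    esac
  done
}

# rotate_fleet: one full run; prints the Run Command ID on success.
rotate_fleet() {
  workdir="$(mktemp -d)"
  trap 'rm -rf "$workdir"' EXIT        # the private key file never outlives this run
  pubkey="$(generate_keypair "$workdir")"
  store_private_key "$workdir/id_ed25519"
  publish_public_key "$pubkey"
  cmd_id="$(deploy_public_key)"
  wait_for_command "$cmd_id"
  echo "$cmd_id"
}

if [ "${1:-}" = "rotate" ]; then
  rotate_fleet
fi
```

The role running this needs secretsmanager:CreateSecret and PutSecretValue on the one secret, ssm:PutParameter on the one parameter, and ssm:SendCommand scoped to the document and to the tagged instances; it does not need GetSecretValue, which keeps the rotation job itself unable to log in.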

By leveraging the different capabilities of AWS Systems Manager, you can move from a manual, reactive process to a fully automated, proactive security practice.