Cloud Provider Integration
SSH-KLM discovers and manages SSH keys across major cloud providers, providing unified visibility into key usage on AWS EC2, Azure VMs, and GCP Compute Engine instances.
Overview
Cloud SSH key discovery works through two mechanisms:
- API-based discovery – SSH-KLM queries cloud provider APIs to enumerate key pairs, instance metadata, and SSH configurations
- Agent-based discovery – The SSH-KLM agent installed on instances scans authorized_keys files and reports back to the platform
```text
┌─────────────────────────────────────────────────────┐
│                  SSH-KLM Platform                   │
│                                                     │
│   ┌─────────┐     ┌─────────┐     ┌─────────┐       │
│   │   AWS   │     │  Azure  │     │   GCP   │       │
│   │Connector│     │Connector│     │Connector│       │
│   └────┬────┘     └────┬────┘     └────┬────┘       │
└────────┼───────────────┼───────────────┼────────────┘
         │               │               │
         ▼               ▼               ▼
   ┌───────────┐   ┌───────────┐   ┌───────────┐
   │ AWS API   │   │ Azure API │   │ GCP API   │
   │ • EC2     │   │ • Compute │   │ • Compute │
   │ • IAM     │   │ • AAD     │   │ • OS Login│
   └───────────┘   └───────────┘   └───────────┘
```
AWS EC2
Key Discovery Methods
SSH-KLM discovers AWS SSH keys through:
| Method | What It Finds |
|---|---|
| EC2 Key Pairs API | Named key pairs registered in the account |
| Instance metadata | Key pair name associated with each instance |
| Agent scan | All authorized_keys entries on running instances |
| IAM SSH keys | SSH public keys attached to IAM users |
Configuration
- Navigate to Settings → Cloud Connectors → AWS
- Provide credentials:
```json
{
  "provider": "aws",
  "credentials": {
    "access_key_id": "AKIA...",
    "secret_access_key": "...",
    "regions": ["us-east-1", "us-west-2", "eu-west-1"]
  },
  "discovery": {
    "ec2_key_pairs": true,
    "instance_metadata": true,
    "iam_ssh_keys": true,
    "scan_interval_minutes": 60
  }
}
```
Alternatively, use an IAM role with the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "iam:ListSSHPublicKeys",
        "iam:GetSSHPublicKey"
      ],
      "Resource": "*"
    }
  ]
}
```
Discovery Results
After discovery, SSH-KLM displays:
- Key pair name and fingerprint
- Associated instances (by instance ID and name tag)
- Key algorithm and age
- Whether the key is managed or unmanaged
- Instances using deprecated key types (e.g., RSA-1024)
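The decoding the agent-side authorized_keys scan has to do before it can report the fingerprint, algorithm and deprecated-type flags listed above, as an added example (not SSH-KLM's own code): each entry's base64 blob is parsed in SSH wire format to recover the key type, the RSA modulus size and the same SHA-256 fingerprint `ssh-keygen -lf` prints. The 2048-bit threshold, the sample entries and the key blobs they contain are constructed assumptions, not real keys.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold; the page's own deprecated example is RSA-1024

def _ssh_string(data: bytes) -> bytes:  # SSH wire-format string: uint32 big-endian length + payload
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:  # positive SSH mpint; the spare byte keeps the sign bit clear
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, offset: int):  # returns (payload, offset of the next field)
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def parse_authorized_key(line: str):
    """Parse one authorized_keys entry; comments, blank lines and undecodable entries yield None."""
    fields = line.strip().split()
    if fields and not fields[0].startswith(("#", "ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]  # drop an options prefix such as from="10.0.0.0/8" (options with spaces not handled)
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
        algorithm, offset = _read_string(blob, 0)
        if algorithm.decode(errors="replace") != fields[0]:
            return None  # declared type must match the type encoded inside the blob
        bits = 256 if fields[0] == "ssh-ed25519" else None
        if fields[0] == "ssh-rsa":
            modulus, _ = _read_string(blob, _read_string(blob, offset)[1])  # skip mpint e, read mpint n
            bits = int.from_bytes(modulus, "big").bit_length()            # modulus size is the key size
    except (ValueError, struct.error):
        return None  # not valid base64, or a truncated blob
    # Same value `ssh-keygen -lf` prints: SHA-256 over the blob, base64 without padding
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"algorithm": fields[0], "bits": bits, "fingerprint": "SHA256:" + digest,
            "deprecated": fields[0] == "ssh-dss" or (fields[0] == "ssh-rsa" and bits < MIN_RSA_BITS)}

def scan_authorized_keys(text: str) -> list:
    """Parse every entry of an authorized_keys file, skipping lines that do not decode."""
    return [k for k in map(parse_authorized_key, text.splitlines()) if k]

# Constructed sample file (not real keys): a 1024-bit RSA modulus and an all-zero Ed25519 point
_RSA_1024 = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)
_ED25519 = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + base64.b64encode(_RSA_1024).decode() + " legacy-deploy@i-0123",
    'from="10.0.0.0/8" ssh-ed25519 ' + base64.b64encode(_ED25519).decode() + " ops@bastion",
])
```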
Azure VMs
Key Discovery Methods
| Method | What It Finds |
|---|---|
| Azure SSH Public Keys API | SSH keys stored as Azure resources |
| VM configuration | SSH keys configured in VM admin settings |
| Managed Identity | Service principal SSH configurations |
| Agent scan | All authorized_keys on running VMs |
Configuration
- Navigate to Settings → Cloud Connectors → Azure
- Register an App Registration or use Managed Identity:
```json
{
  "provider": "azure",
  "credentials": {
    "tenant_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "client_secret": "...",
    "subscription_ids": ["sub-1", "sub-2"]
  },
  "discovery": {
    "ssh_public_keys": true,
    "vm_configurations": true,
    "managed_identity": true,
    "scan_interval_minutes": 60
  }
}
```
Required Azure RBAC role: Reader on target subscriptions, plus:
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/sshPublicKeys/read
- Microsoft.Network/networkInterfaces/read
Discovery Results
- SSH public key resources and their resource groups
- VMs with SSH keys configured (admin user keys)
- Key algorithm and creation date
- Association between keys and VMs
GCP Compute Engine
Key Discovery Methods
| Method | What It Finds |
|---|---|
| OS Login API | SSH keys managed through OS Login |
| Project metadata | Project-level SSH keys (legacy) |
| Instance metadata | Instance-level SSH keys |
| Agent scan | All authorized_keys on running instances |
Configuration
- Navigate to Settings → Cloud Connectors → GCP
- Provide a service account key:
```json
{
  "provider": "gcp",
  "credentials": {
    "service_account_key": "/path/to/service-account.json",
    "projects": ["my-project-1", "my-project-2"]
  },
  "discovery": {
    "os_login_keys": true,
    "project_metadata_keys": true,
    "instance_metadata_keys": true,
    "scan_interval_minutes": 60
  }
}
```
Required IAM roles:
- roles/compute.viewer
- roles/oslogin.reader (for OS Login keys)
OS Login vs. Metadata Keys
| Feature | OS Login | Project Metadata | Instance Metadata |
|---|---|---|---|
| Scope | Per-user | All instances in project | Single instance |
| Management | IAM-integrated | Manual | Manual |
| 2FA support | Yes | No | No |
| Recommended | Yes | Legacy | Legacy |
Discovery Results
- OS Login keys per user with expiration dates
- Project-level SSH keys and affected instances
- Instance-level SSH key overrides
- Keys using deprecated algorithms
Comparison: Cloud Provider SSH Key Capabilities
| Capability | AWS EC2 | Azure VMs | GCP Compute |
|---|---|---|---|
| Native key pair management | ✅ | ✅ | ✅ (OS Login) |
| Key rotation API | ❌ | ❌ | ✅ (OS Login) |
| Key expiration | ❌ | ❌ | ✅ (OS Login) |
| Per-instance keys | ✅ | ✅ | ✅ |
| Centralized key store | ❌ | ✅ (SSH Public Keys) | ✅ (OS Login) |
| IAM integration | Partial (IAM SSH keys) | ✅ (RBAC) | ✅ (IAM) |
| Audit logging | CloudTrail | Activity Log | Cloud Audit Logs |
| Agent support | ✅ | ✅ | ✅ |
Step-by-Step: AWS EC2
- Create IAM credentials with the required permissions (see policy above)
- Add AWS connector in SSH-KLM Settings → Cloud Connectors
- Run initial discovery – SSH-KLM scans all configured regions
- Review discovered keys in the Keys inventory (filtered by cloud provider)
- Install agents on instances for authorized_keys file scanning
- Set policies to flag unmanaged or deprecated keys
Step-by-Step: Azure VMs
- Register an App in Azure AD with required permissions
- Add Azure connector in SSH-KLM Settings → Cloud Connectors
- Run initial discovery across configured subscriptions
- Review discovered keys including SSH Public Key resources
- Install agents on VMs for file-level scanning
- Configure alerts for keys without rotation
Step-by-Step: GCP Compute
- Create a service account with Compute Viewer and OS Login Reader roles
- Add GCP connector in SSH-KLM Settings → Cloud Connectors
- Run initial discovery across configured projects
- Review OS Login keys and metadata-based keys separately
- Recommend OS Login migration for instances using legacy metadata keys
- Install agents for comprehensive authorized_keys scanning
Best Practices
- Use cloud-native IAM roles (not static credentials) where possible
- Enable agent-based discovery alongside API discovery for complete coverage
- Schedule discovery scans at least every 60 minutes
- Tag cloud resources with ManagedBy: ssh-klm for tracking
- Migrate from legacy metadata keys to OS Login (GCP) or managed key resources
- Set up alerts for keys older than your rotation policy threshold
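A policy pass over a discovered-key inventory, as an added example (not SSH-KLM's own code) covering the step-by-step items on flagging unmanaged or deprecated keys, alerting on keys past the rotation threshold and recommending OS Login migration, together with the ManagedBy: ssh-klm tag and age alert from the best practices above. The record fields, the 90-day and 2048-bit thresholds and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ROTATION_DAYS = 90   # assumed rotation policy threshold
MIN_RSA_BITS = 2048  # assumed; the page's own deprecated example is RSA-1024
MANAGED_TAG = ("ManagedBy", "ssh-klm")  # the tag the best practices recommend

@dataclass
class DiscoveredKey:
    """One key as a connector or agent reports it; the field names are this example's assumptions."""
    provider: str           # "aws", "azure" or "gcp"
    source: str             # e.g. "ec2_key_pair", "ssh_public_key", "os_login", "project_metadata"
    algorithm: str          # "ssh-rsa", "ssh-ed25519", ...
    bits: Optional[int]
    created: date
    tags: dict = field(default_factory=dict)
    expires: Optional[date] = None  # only OS Login keys carry one, per the comparison table

def evaluate(key: DiscoveredKey, today: date) -> list:
    """Return the policy findings for one key; an empty list means compliant."""
    findings = []
    if key.algorithm == "ssh-dss" or (key.algorithm == "ssh-rsa" and (key.bits or 0) < MIN_RSA_BITS):
        findings.append("deprecated-algorithm")
    if (today - key.created).days > ROTATION_DAYS:
        findings.append("rotation-overdue")
    if key.expires is not None and key.expires <= today:
        findings.append("expired")
    if key.tags.get(MANAGED_TAG[0]) != MANAGED_TAG[1]:
        findings.append("unmanaged")
    if key.provider == "gcp" and key.source in ("project_metadata", "instance_metadata"):
        findings.append("legacy-metadata-key")  # OS Login migration recommended
    return findings

def report(keys: list, today: date) -> list:
    """Pair every non-compliant key with its findings, in inventory order."""
    return [(k, f) for k in keys if (f := evaluate(k, today))]

# Constructed inventory (not real discovery output) and a fixed evaluation date
TODAY = date(2025, 1, 15)
SAMPLE_INVENTORY = [
    DiscoveredKey("aws", "ec2_key_pair", "ssh-rsa", 1024, date(2019, 3, 1), {"Name": "legacy-deploy"}),
    DiscoveredKey("azure", "ssh_public_key", "ssh-ed25519", 256, date(2024, 12, 1), {"ManagedBy": "ssh-klm"}),
    DiscoveredKey("gcp", "project_metadata", "ssh-rsa", 2048, date(2024, 6, 1), {"ManagedBy": "ssh-klm"}),
    DiscoveredKey("gcp", "os_login", "ssh-ed25519", 256, date(2024, 12, 20), {"ManagedBy": "ssh-klm"},
                  expires=date(2025, 3, 1)),
]
```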