It seems that KMS has support for generating data key pairs using the
I assume SSH access is not what this key pair is intended to be used for. Would there be any valid reason not to though?
After reviewing the whitepages at:
It does not appear that there would be any particular reason not to use this tool to generate private and public keys. In fact, this seems like a very good tool to use in a script for generating key pairs for new employees who need to connect to an EC2 instance that requires key pairs.
The following, provided in the whitepages that I’ve included in this answer, is what primarily influenced my conclusion:
Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric CMK you specify. You can use the data key pair to perform asymmetric cryptography outside of AWS KMS.
GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are not related to the caller or the CMK that is used to encrypt the private key.
Hopefully this helps!
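As an added example (not code from the question, the answer, or AWS), here is the conversion step such a script needs once it has a GenerateDataKeyPair response: KMS hands back the public key as DER-encoded SubjectPublicKeyInfo and the plaintext private key as DER-encoded PKCS#8, neither of which OpenSSH reads directly, so the script turns the public key into an `authorized_keys` line and wraps the private key in PEM. The `fetch_from_kms` helper shows the real boto3 call but is not exercised; the block runs offline on a constructed stand-in response whose modulus is a made-up number and whose private-key bytes are placeholders. The DER encoding and the PKCS#8 PEM wrapping are assumptions about how the response is shaped, not quoted from the page.

```python
"""Turn a KMS GenerateDataKeyPair response into OpenSSH artifacts (added example)."""
import base64
import struct

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as it appears inside a DER AlgorithmIdentifier.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def fetch_from_kms(key_id: str, spec: str = "RSA_2048") -> dict:
    """Real call for reference only: needs credentials and network, so the sample below does not use it."""
    import boto3  # assumption: boto3 is installed when this path is taken
    return boto3.client("kms").generate_data_key_pair(KeyId=key_id, KeyPairSpec=spec)


# --- minimal DER helpers (enough for an RSA SubjectPublicKeyInfo) ---
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def make_rsa_spki(n: int, e: int) -> bytes:
    """Build a DER SubjectPublicKeyInfo; used only to construct a stand-in for KMS's PublicKey field."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(spki: bytes):
    """Return (n, e) from a DER SubjectPublicKeyInfo, refusing non-RSA keys."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key; ECC key pairs need a different encoder")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# --- OpenSSH wire encoding (RFC 4253 string / mpint) ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return _ssh_string(body)


def spki_to_openssh(spki: bytes, comment: str) -> str:
    n, e = parse_rsa_spki(spki)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_line(line: str):
    """Decode an ssh-rsa authorized_keys line back to (n, e); used to check the output."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def pkcs8_to_pem(der: bytes) -> str:
    """Assumption: PrivateKeyPlaintext is DER PKCS#8, so PEM is just the base64 with the PKCS#8 banner."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


def kms_keypair_to_ssh(response: dict, comment: str):
    """authorized_keys line and PEM private key from a GenerateDataKeyPair response (boto3 shape).
    Only PrivateKeyCiphertextBlob should be retained by the script; the plaintext goes to the user."""
    if not response["KeyPairSpec"].startswith("RSA_"):
        raise ValueError("only RSA key pairs are handled here")
    return spki_to_openssh(response["PublicKey"], comment), pkcs8_to_pem(response["PrivateKeyPlaintext"])


# Constructed stand-in for a KMS response (not real KMS output; modulus is a made-up number).
SAMPLE_N = 0xD2E73A9C5B1F8E4D9F0A7C3E2B1D6F85
SAMPLE_E = 65537
SAMPLE_RESPONSE = {
    "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID-PLACEHOLDER",
    "KeyPairSpec": "RSA_2048",
    "PublicKey": make_rsa_spki(SAMPLE_N, SAMPLE_E),
    "PrivateKeyPlaintext": b"<pkcs8-der-placeholder>",
    "PrivateKeyCiphertextBlob": b"<ciphertext-placeholder>",
}

if __name__ == "__main__":
    pub_line, pem = kms_keypair_to_ssh(SAMPLE_RESPONSE, "new-hire@example.com")
    print(pub_line)
    print(pem)
```

The only part that would change for a real run is replacing `SAMPLE_RESPONSE` with `fetch_from_kms(...)`; the rest is format plumbing. Note the check on `KeyPairSpec`: KMS can also return ECC pairs, which need a different OpenSSH encoding, so the script refuses them rather than emitting a malformed line.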