I am curious about how you do it, keeping in mind:

- different teams having access to only those boxes which belong to that team
- providing ssh access without hand-smashing the server
- revoking ssh access for someone as and when required

Would also be interested to know of possible ways to do the above.
Use AWS identities and policies to control ssh access to EC2 instances: https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/

Has some quirks but might be useful for companies using EC2 instances.
"gcloud compute ssh instance-name" and "kubectl exec ..." with IAM.

I am still surprised that AWS has not created the same experience as GCP. The Instance Connect from the sibling comment is an improvement, but requires an install on each server and client, plus an extra step when you want to connect.
Use LDAP as your centralised auth, add a schema extension for ssh public keys, configure sshd/pam/nss to use LDAP (and the keys contained therein) for users/auth.

Use groups or a host attribute in LDAP to manage access to specific servers or groups of servers.

Bonus: you can manage sudo access from LDAP too.
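The group/host-attribute model in the comment above, as an added example that is not part of the thread: a lookup of the kind an sshd `AuthorizedKeysCommand` helper would perform. The LDAP directory is replaced by a constructed in-memory table, and the attribute names (`groups`, `ssh_keys`, `disabled`, `expires`) and the host-to-group map are assumptions standing in for whatever schema extension and host attribute a real deployment uses. The point it shows is that sshd asks the directory at every login, so disabling an account or letting its entry expire denies the next login immediately, with no per-server `authorized_keys` file to clean up.

```python
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Account:
    """One directory entry. Field names are assumptions, not a real LDAP schema."""
    uid: str
    groups: set[str]                  # stands in for memberOf, e.g. "team-web"
    ssh_keys: list[str]               # stands in for the sshPublicKey attribute
    disabled: bool = False            # revocation switch (account locked in directory)
    expires: datetime | None = None   # optional hard end date for the account


# Constructed sample directory; the key blobs are placeholders, not real keys.
DIRECTORY: dict[str, Account] = {
    "alice": Account("alice", {"team-web"}, ["ssh-ed25519 AAAA...alice alice@laptop"]),
    "bob": Account("bob", {"team-db"}, ["ssh-ed25519 AAAA...bob bob@laptop"]),
    "mallory": Account("mallory", {"team-web"}, ["ssh-ed25519 AAAA...mallory"], disabled=True),
    "carol": Account(
        "carol", {"team-web", "team-db"}, ["ssh-ed25519 AAAA...carol"],
        expires=datetime(2020, 1, 1, tzinfo=timezone.utc),
    ),
}

# Constructed host attribute: which directory groups may log in to which box.
HOST_ACCESS_GROUPS: dict[str, set[str]] = {
    "web-01": {"team-web"},
    "db-01": {"team-db"},
}


def authorized_keys(host: str, uid: str,
                    directory: dict[str, Account] = DIRECTORY,
                    now: datetime | None = None) -> list[str]:
    """Return the public keys sshd should accept for `uid` on `host`.

    An empty list means deny: sshd finds no key to match the client's key
    against. Every rule is evaluated at login time against the directory,
    which is what makes revocation take effect on the next connection.
    """
    now = now or datetime.now(timezone.utc)
    acct = directory.get(uid)
    if acct is None or acct.disabled:
        return []                      # unknown or revoked account
    if acct.expires is not None and acct.expires <= now:
        return []                      # account past its end date
    allowed = HOST_ACCESS_GROUPS.get(host, set())
    if not acct.groups & allowed:
        return []                      # user's teams do not own this box
    return list(acct.ssh_keys)


def revoke(uid: str, directory: dict[str, Account] = DIRECTORY) -> bool:
    """Mark an account disabled in the directory. Returns False if unknown.

    Note that this only blocks new logins; sessions already open on a server
    are not torn down by a directory change.
    """
    acct = directory.get(uid)
    if acct is None:
        return False
    acct.disabled = True
    return True


if __name__ == "__main__":
    # Assumed sshd wiring (path is a placeholder):
    #   AuthorizedKeysCommand /usr/local/bin/ldap-keys %u
    #   AuthorizedKeysCommandUser nobody
    # sshd passes the login name; the host name selects the access groups.
    if len(sys.argv) != 2:
        sys.exit("usage: ldap-keys <username>")
    print("\n".join(authorized_keys(socket.gethostname(), sys.argv[1])))
```

In a real deployment the two dictionaries become LDAP queries (for example via `ldapsearch` or a client library), and the helper should fail closed: any directory error returns no keys rather than falling back to a local file.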
Have you looked at Netflix's BLESS: https://github.com/Netflix/bless