Selecione suas preferências de cookies

Usamos cookies essenciais e ferramentas semelhantes que são necessárias para fornecer nosso site e serviços. Usamos cookies de desempenho para coletar estatísticas anônimas, para que possamos entender como os clientes usam nosso site e fazer as devidas melhorias. Cookies essenciais não podem ser desativados, mas você pode clicar em “Personalizar” ou “Recusar” para recusar cookies de desempenho.

Se você concordar, a AWS e terceiros aprovados também usarão cookies para fornecer recursos úteis do site, lembrar suas preferências e exibir conteúdo relevante, incluindo publicidade relevante. Para aceitar ou recusar todos os cookies não essenciais, clique em “Aceitar” ou “Recusar”. Para fazer escolhas mais detalhadas, clique em “Personalizar”.

Preferências
Entre em contato conosco
Feedback
AWS Documentation
Crie uma conta da AWS

Rotate SSH keys

PDF
Modo de foco
Rotate SSH keys - AWS Transfer Family
Esta página não foi traduzida para seu idioma. Solicitar tradução

For security, we recommend the best practice of rotating your SSH keys. Usually, this rotation is specified as a part of a security policy and is implemented in some automated fashion. Depending upon the level of security, for a highly sensitive communication, an SSH key pair might be used only once. Doing this eliminates any risk due to stored keys. However, it is much more common to store SSH credentials for a period of time and set an interval that doesn't place undue burden on users. A time interval of three months is common.

There are two methods used to perform SSH key rotation:

  • On the console, you can upload a new SSH public key and delete an existing SSH public key.

  • Using the API, you can update existing users by using the DeleteSshPublicKey API to delete a user's Secure Shell (SSH) public key and the ImportSshPublicKey API to add a new Secure Shell (SSH) public key to the user's account.

Console
To perform a key rotation in the console

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. Navigate to the Servers page.

  3. Choose the identifier in the Server ID column to see the Server details page.

  4. Under Users, select the check box of the user whose SSH public key that you want to rotate, then choose Actions, and then choose Add key to see the Add key page.

    or

    Choose the username to see the User details page, and then choose Add SSH public key to see the Add key page.

  5. Enter the new SSH public key and choose Add key.

    Important

    The format of the SSH public key depends on the type of key you generated.

    • For RSA keys, the format is ssh-rsa string.

    • For ED25519 keys, the format is ssh-ed25519 string.

    • For ECDSA keys, the key begins with ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated. The beginning string is then followed by string, similar to the other key types.

    You are returned to the User details page, and the new SSH public key that you just entered appears in the SSH public keys section.

  6. Select the check box of the old you key that you want to delete and then choose Delete.

  7. Confirm the deletion operation by entering the word delete, and then choose Delete.

API
To perform a key rotation using the API

  1. On macOS, Linux, or Unix operating systems, open a command terminal.

  2. Retrieve the SSH key that you want to delete by entering the following command. To use this command, replace serverID with the server ID for your Transfer Family server, and replace username with your username.

    aws transfer describe-user --server-id='serverID' --user-name='username'

    The command returns details about the user. Copy the contents of the "SshPublicKeyId": field. You will need to enter this value later in this procedure. 

    "SshPublicKeys": [ { "SshPublicKeyBody": "public-key", "SshPublicKeyId": "keyID",
   "DateImported": 1621969331.072 } ],

  3. Next, import a new SSH key for your user. At the prompt, enter the following command. To use this command, replace serverID with the server ID for your Transfer Family server, replace username with your username, and replace public-key with the fingerprint of your new public key. 

    aws transfer import-ssh-public-key --server-id='serverID' --user-name='username'
   --ssh-public-key-body='public-key'

    If the command is successful, no output is returned.

  4. Finally, delete the old key by running the following command. To use this command, replace serverID with the server ID for your Transfer Family server, replace username with your username, and replace keyID-from-step-2 with the key ID value that you copied in step 2 of this procedure 

    aws transfer delete-ssh-public-key --server-id='serverID' --user-name='username'
   --ssh-public-key-id='keyID-from-step-2'

  5. (Optional) To confirm that the old key no longer exists, repeat step 2.

anchoranchor
To perform a key rotation in the console

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. Navigate to the Servers page.

  3. Choose the identifier in the Server ID column to see the Server details page.

  4. Under Users, select the check box of the user whose SSH public key that you want to rotate, then choose Actions, and then choose Add key to see the Add key page.

    or

    Choose the username to see the User details page, and then choose Add SSH public key to see the Add key page.

  5. Enter the new SSH public key and choose Add key.

    Important

    The format of the SSH public key depends on the type of key you generated.

    • For RSA keys, the format is ssh-rsa string.

    • For ED25519 keys, the format is ssh-ed25519 string.

    • For ECDSA keys, the key begins with ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated. The beginning string is then followed by string, similar to the other key types.

    You are returned to the User details page, and the new SSH public key that you just entered appears in the SSH public keys section.

  6. Select the check box of the old you key that you want to delete and then choose Delete.

  7. Confirm the deletion operation by entering the word delete, and then choose Delete.

Related resources

AWS Transfer Family API Reference
AWS CLI commands for AWS Transfer Family
SDKs & Tools 

Related resources

AWS Transfer Family API Reference
AWS CLI commands for AWS Transfer Family
SDKs & Tools 
PrivacidadeTermos do sitePreferências de cookies
© 2025, Amazon Web Services, Inc. ou suas afiliadas. Todos os direitos reservados.