I have a Terraform script which creates an EC2 instance (bastion host) and emits a .pem file.
Is it a best practice to check in the .pem file as part of source control?
If an employee leaves the company (say access to AWS is removed via SSO) and still has .pem file in his possession, will he be able to connect to the EC2 using just that file?
Solution
Do not commit .pem files to version control.
Use AWS Systems Manager for instance access instead of traditional SSH, wherever possible.
Regularly audit and remove stale SSH keys from your EC2 instances, particularly when employees leave the company.
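The reason the .pem question matters: an EC2 key pair is authenticated by the public key sitting in the instance's ~/.ssh/authorized_keys, not by IAM or SSO, so disabling someone's SSO login does nothing to a private key they already hold. Removing the key pair from the bastion entirely avoids the problem. The following Terraform configuration is an added example, not code from the question or the answer; it shows a bastion reachable only through Systems Manager Session Manager. The resource names, `var.ami_id`, `var.subnet_id` and `var.vpc_id` are assumptions for illustration. The managed policy ARN `AmazonSSMManagedInstanceCore` is the real AWS-managed policy the SSM agent needs, and the AMI must ship the SSM agent (Amazon Linux AMIs do).

```hcl
# Added example (not part of the original Q&A): a bastion with no SSH key pair.
# Access is granted by IAM (ssm:StartSession), so removing a user's IAM/SSO
# access revokes their ability to reach the host. There is no .pem to commit,
# to lose, or to rotate.

# Instance role the SSM agent uses to register with Systems Manager.
resource "aws_iam_role" "bastion" {
  name = "bastion-ssm-role" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# AWS-managed policy with exactly the permissions the SSM agent needs.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "bastion" {
  name = "bastion-ssm-profile" # assumed name
  role = aws_iam_role.bastion.name
}

# No ingress at all: Session Manager is an outbound HTTPS connection from the
# agent to the SSM endpoints, so port 22 is never opened.
resource "aws_security_group" "bastion" {
  name   = "bastion-no-ssh" # assumed name
  vpc_id = var.vpc_id       # assumed variable

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  ami                    = var.ami_id    # assumed variable; AMI must include the SSM agent
  instance_type          = "t3.micro"
  subnet_id              = var.subnet_id # assumed variable
  iam_instance_profile   = aws_iam_instance_profile.bastion.name
  vpc_security_group_ids = [aws_security_group.bastion.id]

  # Deliberately no key_name: without a key pair there is no private key
  # that outlives an employee's IAM/SSO access.

  tags = {
    Name = "bastion"
  }
}

output "bastion_instance_id" {
  value = aws_instance.bastion.id
}
```

An operator then connects with `aws ssm start-session --target <instance-id>` using their own IAM identity; who may open a session is controlled by an IAM policy granting `ssm:StartSession` on the instance, and every session is recorded in CloudTrail (and optionally logged to S3 or CloudWatch Logs), which is the audit trail a shared .pem file can never give you. If key-based SSH is genuinely still required, the same design principle applies: keep the private key out of the repository and out of Terraform state, and treat the third bullet above (removing the departed user's key from authorized_keys) as a mandatory offboarding step rather than a periodic clean-up.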