EC2: Multiple SSH Keys for an Instance

Just to expand on @steenhulthin answer.

I think it's best to think of the EC2 generated key pair as the master key into the instance and it's optional. It's not a system for managing user level access.

I beleive best practice is as follows

Do I need to remotely login to the instance?

YES: Create EC2 instance with a key pair

I believe the best practice is to create a EC2 key pair per instance. If a key pair get's compromised exposure is limited to just that instance. However a key pair per instance may be difficult to manage, if this is the case find some logical way to group your instances and use a key pair per group. E.g. group by role or role and application.

NO: Create EC2 instance with no key pair.

This is obviously more secure as you have no key to lose/compromised. The instance is inherently not accessible through conventional methods. Following this method requires instance management/config to be fully automated (Chef, Puppet etc.) and is a more costly option. Overall how much more secure this makes the instance is up for debate and depends on how your automation is configured.

What's the best practices for managing your EC2 key pairs? This is the one I don't have a good answer for at the moment.

Do you need to allow humans to remotely access the instances? As suggested by @steenhulthin either create local user accounts per user or use some centralised Athentication and Authorisation.

In addition you can also maintain a dedicated instance for remote management access (SSH or RDP), only open this up for public access (IP address wise) and restrict SSH and/or RDP on all other instances to the management station.

You use ssh-agent:

ssh-agent
ssh-add
ssh -A remote-machine

For easier use, add

Host remote-machine
ForwardAgent yes

to your ~/.ssh/config