I am setting up a standard AWS VPC structure: a public subnet some private subnets, hosts on each, ELB, etc. Operational network access will be via either an ssh bastion host or an openvpn instance.

Once on the network (bastion or openvpn), admins use ssh to access the individual instances.

From what I can tell all of the docs seem to depend on a single user with sudo rights and a single public ssh key. But is that really best practice? Isn't it much better to have each user access each host under their own name?

So I can deploy accounts and ssh public keys to each server, but that rapidly gets unmanageable.

How do people recommend managing user accounts? I've looked at:

• IAM: It doesn't like like IAM has a method for automatically distributing accounts and ssh keys to VPC instances.
• IAM via LDAP: IAM doesn't have an LDAP API
• LDAP: set up my own LDAP servers (redundant, of course). Bit of a pain to manage, still better than managing on every host, especially as we grow.
• Shared ssh key: rely on the VPN/bastion to track user activities. I don't love it, but...

What do people recommend?

NOTE: I moved this over from accidentally posting in StackOverflow.