I'm interning at a company which runs in an AWS environment and is starting to look into locking down user privileges, so I'm looking into ways to secure EC2 instances. Specifically, I want to find a way to avoid handing out a keypair that grants unconditional access to ec2-user, which with the default Amazon Linux sudo policy is essentially root and has the additional downside that there's no audit log (so if someone runs something malicious while SSH'd into an EC2 instance, there's no way to tell who, because the Linux user executing commands is always ec2-user).
My first thought was to do this via PAM, similar to how LDAP is integrated into PAM via pam_ldap or some such, but I can't find anything that will let me use IAM as an auth backend. I could just manually add users, since there's a very small number of people who actually need access, but that seems prone to human error as well as being the type of thing that will inevitably become more and more inconsistent over time.
I've searched the web as well with no luck.
What's the best practice here?
I think you are thinking about this the wrong way round. Try to extend your domain into IAM for a start, so that users are logging into AWS with their domain credentials instead of separate IAM credentials. The most useful aspect of IAM is role-based access and policies for AWS users; this doesn't extend into cloud instances, so more traditional domain-ness needs to be configured, such as creating a virtual private cloud (VPC - read VPN) and bootstrapping instances so that they are configured specifically for your domain.
Bootstrapping cloud instances
As you know, when you boot an instance in the cloud you associate the instance with an image, a network, a security group, a public key and so on, and then you can SSH or RDP into the instance with the private key or password, usually as the user ec2-user (or admin for Windows). But you can also bootstrap the instance using a service called cloud-init: when launching an instance, choose 'advanced options'.
Inside the text box you can paste in your cloud-init script. cloud-init is your basic bootstrapper; you can use it to install packages, run scripts, modify the system, add users and groups, etc. It's known as 'user data': cloud instances look for any user-provided data by making an HTTP request to the instance's loopback address (which is redirected).
So here is an example of a script that will add some users and other authorised keys.
This kind of approach will allow you to develop a way of bootstrapping user accounts and permissions (this is the same way the ec2-user is set up). Or you could use cloud-init or CloudFormation to domain-join the instances on boot.
http://cloudinit.readthedocs.io/en/latest/
Hope that helps.
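As an added illustration of the user-data approach the answer describes (this is not the answerer's script, which is not shown on the page), here is a cloud-config that creates one account per person, each with its own authorised key, instead of a shared ec2-user keypair. The user names, the `PLACEHOLDER_*` key material and the two sudo-restricted commands are placeholders to replace with your own; the cloud-config keys themselves (`users`, `ssh_authorized_keys`, `sudo`, `disable_root`, `ssh_pwauth`, `write_files`) are standard cloud-init.

```yaml
#cloud-config
# Added example, not the answer's own script. Placeholder names and keys.
# Because "users" is listed without a "default" entry, cloud-init does NOT
# create the distro default user (ec2-user on Amazon Linux), so every SSH
# login and every sudo invocation is recorded against a named person.
users:
  - name: alice                      # placeholder
    gecos: Alice Example
    shell: /bin/bash
    groups: [wheel]
    lock_passwd: true                # key-based login only, no password
    sudo: ["ALL=(ALL) NOPASSWD:ALL"] # full admin; sudo still logs who ran what
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...PLACEHOLDER_ALICE_KEY alice@example.com
  - name: bob                        # placeholder
    gecos: Bob Example
    shell: /bin/bash
    lock_passwd: true
    # Least privilege: only the commands this role actually needs (placeholders)
    sudo: ["ALL=(ALL) NOPASSWD:/bin/systemctl restart httpd, /bin/journalctl"]
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...PLACEHOLDER_BOB_KEY bob@example.com

disable_root: true   # no direct root SSH
ssh_pwauth: false    # sshd accepts keys only

# Give sudo its own log (in addition to syslog/secure) and record I/O of
# privileged sessions, so the "who did what as root" question is answerable.
write_files:
  - path: /etc/sudoers.d/90-logging
    permissions: '0440'
    owner: root:root
    content: |
      Defaults logfile="/var/log/sudo.log"
      Defaults log_input, log_output
```

Each person keeps their own private key, so revoking access means removing one entry and re-launching or re-applying the user data rather than rotating a shared keypair; generating this file from a single source of truth (a script or CloudFormation template) is what keeps the per-instance user list from drifting over time.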