the only truly secure server is one that is powered off and stored in a concrete room with no doors or windows
SSH access to your instance is so last year, right now you just fire a new one and drop the old one. But if you insist in having SSH access, better make it safer (specially if your instance is publically exposed).
Username & password is bad, private keys are better but certificates the best. You just need to create a Root Certificate Authority that will be used to sign the access keys, in the signing process you are able to specify the user or hostname used for access and also an expiry date.
Let's create the Root SSH CA (on your secure management server):
$ ssh-keygen -b 4096 -t rsa -f /etc/jokeru-ssh-ca -C "JoKeru SSH CA Key"
# I recommand setting up a strong passphrase for this key
Configure all instances to trust the CA:
# upload /etc/jokeru-ssh-ca.pub to /etc/ssh/ on all the instances
$ echo 'TrustedUserCAKeys /etc/ssh/jokeru-ssh-ca.pub' >> /etc/ssh/sshd_config
$ /etc/init.d/ssh restart
Sign a user key and use it for login (on your secure management server):
# create the user key (no need for passphrase here)
$ ssh-keygen -b 4096 -t rsa -f /home/j/.ssh/id_rsa
# sign the key
$ ssh-keygen -s /etc/jokeru-ssh-ca -n noc -V +1d -I j@wiki /home/j/.ssh/id_rsa.pub
# sets principal to "noc" (target remote user to login), key is valid for 1 day, sets key identifier to "j@wiki" (good for logging/audit}
# view the signed certificate details
$ ssh-keygen -L -f /home/j/.ssh/id_rsa-cert.pub
# connect using the key
$ ssh -i /home/j/.ssh/id_rsa noc@1.2.3.4