diff --git a/puppet/zulip_ops/manifests/profile/base.pp b/puppet/zulip_ops/manifests/profile/base.pp
index 750f375374..7059eb4a77 100644
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@@ -62,12 +62,12 @@ class zulip_ops::profile::base {
   user { 'root': }
   zulip_ops::user_dotfiles { 'root':
     home            => '/root',
-    keys            => 'common',
+    keys            => 'internal-read-only-deploy-key',
     authorized_keys => 'common',
   }
   zulip_ops::user_dotfiles { 'zulip':
-    keys            => 'common',
+    keys            => 'internal-read-only-deploy-key',
     authorized_keys => 'common',
   }
diff --git a/puppet/zulip_ops/manifests/profile/chat_zulip_org.pp b/puppet/zulip_ops/manifests/profile/chat_zulip_org.pp
index fb6db66daf..c7cee0e543 100644
--- a/puppet/zulip_ops/manifests/profile/chat_zulip_org.pp
+++ b/puppet/zulip_ops/manifests/profile/chat_zulip_org.pp
@@ -10,4 +10,11 @@ class zulip_ops::profile::chat_zulip_org inherits zulip_ops::profile::base {
   zulip_ops::firewall_allow { 'http': }
   zulip_ops::firewall_allow { 'https': }
   zulip_ops::firewall_allow { 'smtp': }
+
+  Zulip_Ops::User_Dotfiles['root'] {
+    keys => false,
+  }
+  Zulip_Ops::User_Dotfiles['zulip'] {
+    keys => false,
+  }
 }
diff --git a/puppet/zulip_ops/manifests/profile/prod_app_frontend.pp b/puppet/zulip_ops/manifests/profile/prod_app_frontend.pp
index e18c8caf78..ac9042cb4b 100644
--- a/puppet/zulip_ops/manifests/profile/prod_app_frontend.pp
+++ b/puppet/zulip_ops/manifests/profile/prod_app_frontend.pp
@@ -2,6 +2,13 @@ class zulip_ops::profile::prod_app_frontend inherits zulip_ops::profile::base {
   include zulip_ops::app_frontend
   include zulip::hooks::zulip_notify
+  Zulip_Ops::User_Dotfiles['root'] {
+    keys => 'internal-limited-write-deploy-key',
+  }
+  Zulip_Ops::User_Dotfiles['zulip'] {
+    keys => 'internal-limited-write-deploy-key',
+  }
+
   $conntrack_max = zulipconf('application_server', 'conntrack_max', 262144)
   zulip::sysctl { 'conntrack':
     content => template('zulip_ops/sysctl.d/40-conntrack.conf.erb'),
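Review bot: The new `keys => 'internal-read-only-deploy-key'` narrows the private key installed for root and zulip, but both resources still carry `authorized_keys => 'common'`, so inbound SSH access to every host is unchanged, and the same private key is now duplicated into two home directories on each machine. Whether the superseded `common` private key is removed from disk when `keys` changes depends on `zulip_ops::user_dotfiles`, which is not in this hunk; if it only writes the new file, the old key should be purged here and revoked wherever it is registered, otherwise the scope reduction is cosmetic. A one-line comment would help the next reader tell the two attributes apart, e.g. `# keys: private deploy key installed for this user; authorized_keys: public keys allowed to log in as it`. The class body continues outside the hunk.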
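Review bot: The two `keys => false` overrides give no reason why this host alone gets no internal deploy key, and what `false` means (skip installing, or actively remove an existing key) depends on the `zulip_ops::user_dotfiles` definition, which is not visible here. It matters because the base profile default and the bootstrap installer in this same commit both place a read-only key first; if `false` only means "do not install", a key from an earlier run stays on disk for root. Suggest a comment above the overrides stating the intent, e.g. `# This host pulls no private repository, so no internal deploy key is installed (and any previously installed one must be removed)` — adjust to the real reason if it differs.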
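Review bot: The limited-write deploy key is installed for root as well as zulip on the internet-facing app frontends, so the most exposed host class now holds two copies of the only key in this commit with write access. If deploys run as a single user, the override for the other user should stay at the read-only default or be `false`; I cannot tell from this hunk which user performs the push. Either way a comment naming what "limited-write" is limited to (which repository or branches) would let a later reviewer judge the blast radius, e.g. `# Frontends must push to the internal repo during deploys; all other profiles get the read-only key` — phrase it to match what the key is actually allowed to write. The class body continues outside the hunk.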
diff --git a/tools/setup/bootstrap-aws-installer b/tools/setup/bootstrap-aws-installer
index a0c4527f9f..8ddba2f5cf 100644
--- a/tools/setup/bootstrap-aws-installer
+++ b/tools/setup/bootstrap-aws-installer
@@ -58,7 +58,7 @@ EOF
 # smuggles the install-ssh-keys binary into this one.
 # install-ssh-keys, in turn, pulls key data from AWS' secret manager.
 INSTALL_SSH_KEYS="inline!puppet/zulip_ops/files/install-ssh-keys"
-"$INSTALL_SSH_KEYS" root prod/ssh/keys/common
+"$INSTALL_SSH_KEYS" root prod/ssh/keys/internal-read-only-deploy-key
 # Provide GitHub known_hosts setup; you can verify against fingerprints at
 # https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
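Review bot: Bootstrap now installs `prod/ssh/keys/internal-read-only-deploy-key` for root on every new host, but the Puppet profiles in this commit later give prod_app_frontend a different key and chat_zulip_org none, so on those hosts the read-only private key delivered here is only removed if `install-ssh-keys` or `user_dotfiles` purge files they did not write; nothing in this hunk shows that. The secret name is also now spelled in two places (here and as the `keys` default in base.pp), so a rename will drift silently unless both are updated; a comment tying them together would help, e.g. `# Must match the default 'keys' value in puppet/zulip_ops/manifests/profile/base.pp; Puppet may later replace it with a profile-specific key.`. Whether a failed secret fetch aborts the bootstrap depends on `set -e` or the binary's exit handling earlier in the script, outside this hunk.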