IAM + SSM: The DevOps Way to EC2 Access Without SSH

Managing EC2 access across AWS accounts can get messy. I share how we replaced SSH & PAM with AWS Systems Manager (SSM) & IAM for secure, scalable access.

Published Apr 25, 2025
For many teams operating across multiple AWS accounts and environments (Dev, QA, Prod), managing secure EC2 access becomes a growing challenge. Over the years, I’ve seen SSH key sprawl, open ports, manual access audits, and misaligned permissions become operational pain points.
In my latest article, I share how I solved this at scale—eliminating traditional SSH and external PAM tools altogether—by adopting a group-based IAM model and leveraging AWS Systems Manager (SSM) Session Manager.
🔍 What I Implemented:
  • 🎯 Functional IAM groups (Dev, QA, TechOps...) mapped to minimal, purpose-driven policies
  • 🔐 SSM Session Manager for EC2 access — no SSH, no open port 22
  • 📜 Sessions are encrypted, fully auditable, and logged to CloudWatch/S3
  • 🚫 No need for SSH key management or third-party PAM solutions
  • ⚙️ Scales to hundreds of users and instances with ease
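The group-to-policy mapping and the logging/encryption settings listed above, as an added example in Python that is not code from the article: it builds the inline IAM policy for one functional group (Dev), the Session Manager preferences document that turns on KMS encryption and S3/CloudWatch logging, and a simplified local check that the tag condition behaves as intended. The account ID, region, the `Environment` tag, the bucket, log group and KMS alias are all assumptions.

```python
import fnmatch
import json

# Assumptions for the example: placeholder account ID and region, and an
# "Environment" tag on every instance naming the functional group that owns it.
ACCOUNT_ID = "123456789012"
REGION = "eu-west-1"


def session_policy(environment: str) -> dict:
    """Least-privilege inline policy for one functional IAM group (Dev, QA, ...).

    StartSession is allowed only on instances tagged Environment=<environment>
    and only through the default shell document; users may resume/terminate
    only their own sessions (session IDs are prefixed with the IAM user name).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnOwnEnvironment",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/*",
                "Condition": {"StringEquals": {"ssm:resourceTag/Environment": environment}},
            },
            {
                # Blocks passing a different session document (e.g. a port-forward doc).
                "Sid": "DefaultShellDocumentOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:document/SSM-SessionManagerRunShell",
                "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
            {
                "Sid": "Discovery",  # read-only calls so the console/CLI can list targets
                "Effect": "Allow",
                "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                           "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
                "Resource": "*",
            },
        ],
    }


def session_preferences(bucket: str, log_group: str, kms_key_id: str) -> dict:
    """Session Manager preferences document (document type "Session").

    Session traffic is always TLS-encrypted; kmsKeyId additionally encrypts the
    session data with your key, and the S3/CloudWatch inputs are what make every
    session's keystrokes and output auditable.
    """
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences (added example)",
        "sessionType": "Standard_Stream",
        "inputs": {
            "kmsKeyId": kms_key_id,
            "s3BucketName": bucket,
            "s3KeyPrefix": "ssm-sessions/",
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": True,
            "idleSessionTimeout": "20",  # minutes
            "maxSessionDuration": "60",  # minutes
            "runAsEnabled": False,       # sessions run as ssm-user unless enabled
        },
    }


def can_start_session(policy: dict, instance_arn: str, tags: dict) -> bool:
    """Simplified local check (not an IAM simulator): an Allow statement for
    ssm:StartSession must match the instance ARN and every
    ssm:resourceTag/<key> StringEquals condition must match the instance tags."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] != "Allow" or "ssm:StartSession" not in actions:
            continue
        if not any(fnmatch.fnmatchcase(instance_arn, r) for r in resources):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(k.split("/", 1)[1]) == v
               for k, v in conds.items() if k.startswith("ssm:resourceTag/")):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(session_policy("Dev"), indent=2))
    print(json.dumps(session_preferences("ssm-session-logs", "/ssm/sessions", "alias/ssm-sessions"), indent=2))
```

The policy is attached per group with `aws iam put-group-policy --group-name Dev --policy-name SessionManagerDev --policy-document file://dev.json`, and the preferences are installed with `aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session --content file://prefs.json` (or `update-document` if the document already exists). Two caveats a reviewer will want checked: once `kmsKeyId` is set, both the users and the instance profile need `kms:GenerateDataKey` on that key, and the instance profile also needs write access to the bucket and log group; and `can_start_session` only exercises the tag condition you wrote, so confirm the real decision with `aws iam simulate-principal-policy` before rolling the group out.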
This approach reduced our operational overhead, tightened our security posture, and made access management simple and reviewable—critical when working across multiple teams and regulated environments.
🧠 Key Benefits:
  • Strong alignment with least privilege access principles
  • Centralized audit logs with no manual tracking
  • Fully cloud-native
  • Easier onboarding/offboarding across teams
If you're an AWS engineer, DevOps lead, or security practitioner looking to simplify EC2 access across environments, this article might save you countless hours and potential security risks.