> Is there a way to use SSM without using the access keys? I feel using access keys is incredibly not secure because rotating keys is a hassle and people might not do them all the time.
Technically there is, you can use federated login. Might not be very convenient, depending on your identity provider.
A solution I use, while not technically "not using access keys", is storing them in the system credential store with aws-vault [0]. Works on Windows, Linux and Mac. And you can combine this with multi factor auth.
> Also can u restrict access to ssh through ssm to certain ips?
Yes, with an IAM policy. The policy below requires connecting with an MFA and from a specific IP range. It only allows connecting to a specific instance.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:eu-west-3:123123123123:instance/i-123123123123",
        "arn:aws:ssm:eu-west-3::document/AWS-StartPortForwardingSession",
        "arn:aws:ssm:eu-west-3::document/AWS-StartSSHSession"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4/32"
        },
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
[0] AWS Vault: https://github.com/99designs/aws-vault/
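As an added example (not part of the comment above, and not AWS's own evaluation engine), the script below models how IAM evaluates the Condition block of that policy against a few constructed request contexts. It only covers the three operators the policy uses (IpAddress, BoolIfExists, and the stricter Bool for comparison); Action and Resource matching are out of scope. The request contexts are constructed for illustration. The point it makes ties the two questions together: aws:MultiFactorAuthPresent is only present in the request context for temporary credentials, so with BoolIfExists a request signed with a long-term access key and no MFA still satisfies the condition, whereas Bool rejects it.

```python
import ipaddress

# The Condition block from the policy above, copied verbatim.
PAGE_CONDITION = {
    "IpAddress": {"aws:SourceIp": "1.2.3.4/32"},
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "true"},
}

# Same condition, but with the strict Bool operator in place of BoolIfExists.
STRICT_CONDITION = {
    "IpAddress": {"aws:SourceIp": "1.2.3.4/32"},
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
}


def _as_list(v):
    # IAM condition values may be a single string or a list of strings.
    return v if isinstance(v, list) else [v]


def _ip_address(values, ctx, key):
    # IpAddress: the context key must be present and fall inside one of the CIDRs.
    if key not in ctx:
        return False
    ip = ipaddress.ip_address(ctx[key])
    return any(ip in ipaddress.ip_network(v, strict=False) for v in _as_list(values))


def _bool(values, ctx, key, if_exists):
    # Bool: an absent key makes the condition false.
    # BoolIfExists: an absent key makes the condition true (that is the "IfExists" part).
    if key not in ctx:
        return if_exists
    return any(str(ctx[key]).lower() == str(v).lower() for v in _as_list(values))


OPERATORS = {
    "IpAddress": lambda vals, ctx, key: _ip_address(vals, ctx, key),
    "Bool": lambda vals, ctx, key: _bool(vals, ctx, key, if_exists=False),
    "BoolIfExists": lambda vals, ctx, key: _bool(vals, ctx, key, if_exists=True),
}


def condition_satisfied(condition, ctx):
    """True only if every operator/key pair in the Condition block matches (logical AND)."""
    for op, keys in condition.items():
        if op not in OPERATORS:
            raise ValueError(f"operator not modelled in this example: {op}")
        for key, vals in keys.items():
            if not OPERATORS[op](vals, ctx, key):
                return False
    return True


# Constructed request contexts (illustrative, not captured from AWS).
# The MFA key only appears for temporary credentials; a request signed with a
# long-term IAM user access key carries no aws:MultiFactorAuthPresent at all.
REQUESTS = {
    "temp_creds_with_mfa": {"aws:SourceIp": "1.2.3.4", "aws:MultiFactorAuthPresent": "true"},
    "temp_creds_no_mfa": {"aws:SourceIp": "1.2.3.4", "aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {"aws:SourceIp": "1.2.3.4"},
    "wrong_ip_with_mfa": {"aws:SourceIp": "5.6.7.8", "aws:MultiFactorAuthPresent": "true"},
}


def compare():
    """Return {request name: (result under BoolIfExists policy, result under Bool policy)}."""
    return {
        name: (condition_satisfied(PAGE_CONDITION, ctx), condition_satisfied(STRICT_CONDITION, ctx))
        for name, ctx in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:22} BoolIfExists={str(loose):5} Bool={str(strict):5}")
```

The long_term_access_key row is the one to look at: the page's policy admits it from the allowed IP, the Bool variant does not. Switching to Bool therefore forces callers onto temporary credentials (federation, assumed roles, or aws-vault's STS sessions with MFA), which is exactly the situation the first question was asking about. The IP condition behaves the same under both variants.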
Maybe I might have missed these, so any help would be appreciated.