> Is there a way to use SSM without using the access keys? I feel using access keys is incredibly not secure because rotating keys is a hassle and people might not do them all the time.

Technically there is, you can use federated login. Might not be very convenient, depending on your identity provider.

A solution I use, while not technically "not using access kys" is storing them in the system credential store with aws-vault [0]. Works on Windows, Linux and Mac. And you can combine this with multi factor auth.

> Also can u restrict access to ssh through ssm to certain ips?

Yes, with an IAM policy. The policy below requires connecting with an MFA and from a specific IP range. It only allows connecting to a specific instance.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": [
          "arn:aws:ec2:eu-west-3:123123123123:instance/i-123123123123",
          "arn:aws:ssm:eu-west-3::document/AWS-StartPortForwardingSession",
          "arn:aws:ssm:eu-west-3::document/AWS-StartSSHSession"
        ],
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "1.2.3.4/32"
          },
          "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "true"
          }
        }
      }
    ]
  }

[0] AWS Vault: https://github.com/99designs/aws-vault/