by jcims 2290 days ago
IAM is easy to mess up.

Would be interesting to lock down the session manager agent (if possible) so that the only way to get privileged access is through sudo-like priv esc that uses 2fa.


You can do this but it depends on your setup as to how. If you have AWS IAM users (not federated), then you can use MFA conditions in your policies as documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

For federation you need to rely on the config in whatever your identity provider is, like Okta.

It's fairly trivial to lock down AWS via a require-MFA policy.
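A worked version of the MFA-condition approach in the reply above, added here as an example and not code from the thread or from AWS. It builds an identity policy that denies Session Manager actions unless `aws:MultiFactorAuthPresent` is true, and pairs it with a deliberately simplified evaluator (an assumption, not the real IAM engine) so the one caveat that matters can be seen: a Deny written with the `Bool` operator does not fire for long-term access keys, because that context key is absent for them; `BoolIfExists` closes that gap. The `ssm:StartSession` and `ssm:ResumeSession` action names are real SSM actions; `"Resource": "*"` is a placeholder to narrow in a real policy.

```python
"""Require-MFA identity policy for Session Manager, plus a toy evaluator.

Added example, not code from the thread. The evaluator models only the two
IAM rules this example needs: an explicit Deny beats an Allow, and the
difference between the Bool and BoolIfExists condition operators when the
aws:MultiFactorAuthPresent key is missing from the request context.
"""
import json

# Real SSM actions used to open or rejoin an interactive session.
SESSION_ACTIONS = ["ssm:StartSession", "ssm:ResumeSession"]


def require_mfa_policy(strict: bool = True) -> dict:
    """Return a policy allowing sessions only when MFA was used.

    strict=True  -> BoolIfExists: requests with no MFA key at all
                    (long-term access keys) are denied too.
    strict=False -> Bool: the naive form, which lets keyless requests through.
    """
    operator = "BoolIfExists" if strict else "Bool"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSessionManager",
                "Effect": "Allow",
                "Action": SESSION_ACTIONS,
                "Resource": "*",  # placeholder; scope to instance ARNs in practice
            },
            {
                "Sid": "DenySessionsWithoutMFA",
                "Effect": "Deny",
                "Action": SESSION_ACTIONS,
                "Resource": "*",
                "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / BoolIfExists blocks against a request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                # Missing key: BoolIfExists counts as a match, plain Bool does not.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Simplified decision: matching Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts. AWS sets aws:MultiFactorAuthPresent to
# "true"/"false" for temporary credentials and omits it for long-term keys.
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
TEMP_CREDS_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_KEY = {}


def demo() -> dict:
    """Compare the strict and naive policies across the three contexts."""
    strict, naive = require_mfa_policy(True), require_mfa_policy(False)
    return {
        "strict/mfa": is_allowed(strict, "ssm:StartSession", WITH_MFA),
        "strict/temp_no_mfa": is_allowed(strict, "ssm:StartSession", TEMP_CREDS_NO_MFA),
        "strict/long_term_key": is_allowed(strict, "ssm:StartSession", LONG_TERM_KEY),
        "naive/long_term_key": is_allowed(naive, "ssm:StartSession", LONG_TERM_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(require_mfa_policy(), indent=2))
    for name, ok in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY'}")
```

The last line of the demo output is the point: the `Bool` variant allows a Session Manager call made with a plain access key that never went through MFA, while the `BoolIfExists` variant denies it. The same Deny statement can be attached as a permissions boundary or SCP so it also holds for federated principals whose role policies forget the condition.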

I'm talking about on the host, so if you mess up your IAM policy there is still an authorization layer on the host to get privileged access.

As far as I know, SSH over SSM doesn't do anything regarding user management. It just establishes an SSH connection. Management of users on the host, authorized SSH keys, etc. is totally out of scope for SSM.

So if you already have access control setup on your host, then SSM doesn't do anything to undermine it. If you don't have it, you'll still need to add it.