by NikolaeVarius 2288 days ago
It's fairly trivial to lock down AWS via a require-MFA policy
1 comments

I'm talking about on the host, so if you mess up your IAM policy there is still an authorization layer on the host to get privileged access.
As far as I know, SSH over SSM doesn't do anything regarding user management. It just establishes an SSH connection. Management of users on the host, authorized SSH keys, etc. is totally out of scope for SSM.

So if you already have access control set up on your host, then SSM doesn't do anything to undermine it. If you don't have it, you'll still need to add it.