When you allow SSH access to your server, the user sshing can do many things. You can restrict their access with a tool like sudo or chroot, but at the end of the day, the user has access to the system and may be able to find a way to escalate their privileges. It’d be simpler if no one could login to the server at all, but how would you configure the server to actually be useful?
With AWS and the AWS Systems Manager, you can install an agent (open source, under the Apache License) on your ec2 servers (perhaps via userdata at boot time) and run all your commands via this AWS managed service. That means you never have to have an ssh server running.
What about limiting what users can do? You have the full power of IAM to limit who can do what to which servers. Here’s how you can use tagging to limit on which servers someone can run a command.
What about installing applications? Uou can use userdata or the ec2 run command.
What about logfiles of those applications? You can send your logfiles up to a log aggregation service like cloudwatch logs or splunk. It’ll be easier to manage logfiles centrally anyway. If you use cloudwatch logs, don’t forget to move your logfiles to s3 and then expire them, otherwise you’ll pay more than you should.
What about system updates (patches, etc)? There’s a patch manager.
What about troubleshooting? You can use the ec2 run command to execute arbitrary commands and get the response back.
If you lock down the ec2 run command, then suddenly you have a lot less attack surface. No one can login to your AWS instances and nose around or run arbitrary commands to see what software is present or what security measures are in place.