Introduction

Managing secure access to servers is one of the biggest challenges in cloud environments. Traditionally, administrators use SSH keys, bastion hosts, or VPN access to connect to servers. These methods can introduce security risks, key management issues, and unnecessary permanent access.

Just-In-Time (JIT) Node Access solves this problem by providing temporary, controlled access to servers only when required.

Using AWS Systems Manager, administrators can securely connect to instances without opening SSH ports or managing SSH keys.

This guide explains how to implement Just-In-Time node access using AWS Systems Manager Session Manager.

What is Just-In-Time Node Access?

Just-In-Time access means:

Users request access only when needed
Access is granted temporarily
All activities are logged and audited
No permanent SSH access is required

Benefits:

✔ Improved security
✔ No open SSH ports (port 22 closed)
✔ Centralized access control
✔ Full session logging
✔ Temporary permissions

Key components used:

AWS Systems Manager
AWS Session Manager
Amazon EC2
AWS Identity and Access Management

Workflow:

User requests temporary access.
IAM grants limited access.
User connects via Session Manager.
Access automatically expires.

Prerequisites

Before implementing JIT access, ensure the following:

✔ An AWS account
✔ An EC2 instance running
✔ SSM Agent installed
✔ IAM role attached to EC2 instance

Step 1 — Launch an EC2 Instance

Log in to **Amazon EC2 console.
Click Launch Instance.
Choose an AMI (e.g., Amazon Linux 2).
Select instance type (e.g., t2.micro).
Configure security group:
- Do NOT open SSH (port 22).
Launch the instance.

Step 2 — Attach IAM Role for Systems Manager

The instance must have permission to communicate with Systems Manager.

Steps:

Go to AWS Identity and Access Management.
Click Roles → Create Role.
Select EC2 service.
Attach the policy:

AmazonSSMManagedInstanceCore

Create the role.
Attach the role to the EC2 instance.

Now the instance can communicate with Systems Manager.

Step 3 — Verify Instance in Systems Manager

Steps:

Open **AWS Systems Manager console.
Navigate to:Node Management → Managed Instances

Confirm your EC2 instance appears in the list.

If it appears, the SSM agent is working correctly.

Step 4 — Configure Just-In-Time Access Using IAM

Create a policy that allows temporary session access.

Example IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession",
        "ssm:TerminateSession",
        "ssm:DescribeSessions"
      ],
      "Resource": "*"
    }
  ]
}

Attach this policy to users who need temporary access.

For stronger security:

Use IAM Identity Center
Use temporary role assumption
Set session duration limits

Step 5 — Connect Using Session Manager

Steps:

Open Systems Manager Console.
Navigate to:Session Manager → Start Session

Select the EC2 instance.
Click Start Session.

A browser-based terminal will open.

No SSH keys required.

Step 6 — Enable Session Logging (Recommended)

For auditing purposes, enable session logging.

You can store logs in:

Amazon CloudWatch
Amazon S3

Steps:

Open Session Manager Preferences.
Enable Session Logging.
Select S3 or CloudWatch.

Now all user sessions are recorded.

Security Best Practices

✔ Use IAM roles instead of SSH keys
✔ Enable session logging
✔ Use multi-factor authentication (MFA)
✔ Use temporary IAM roles for JIT access
✔ Restrict session duration

Advantages of JIT Access with Systems Manager

Feature	Benefit
No SSH ports	Reduced attack surface
Temporary access	Improved security
Session logging	Full auditing
No bastion hosts	Simplified architecture
Browser access	Easy management

Using AWS Systems Manager Session Manager, organizations can implement secure Just-In-Time access to EC2 instances without opening SSH ports or managing keys.

This approach: