Today I discovered that SSM now supports interactive shell sessions, like GCP does, and you can even do port forwarding. Good-bye bastion hosts and jump boxes!
$ aws ssm start-session --target i-0deadbeeddeadbeef
Starting session with SessionId: nicolaw@laptop-0123456789abcdef0
sh-4.2$
# SSH over Session Manager: ssh to an instance ID (i-*) or managed-instance ID (mi-*) and the AWS-StartSSHSession document carries the connection; %h and %p are substituted from the ssh command line, and the instance still authenticates the key against ~/.ssh/authorized_keys as usual.
Host i-* mi-*
ProxyCommand aws --profile dev ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'
$ aws ssm start-session --target i-INSTANCEID
$ sudo vi ~ec2-user/.ssh/authorized_keys
$ exit
$ ssh ec2-user@i-INSTANCEID
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMSessionManager",
"Effect": "Allow",
"Action": [
"iam:GetAccountAuthorizationDetails",
"ssmmessages:OpenDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:CreateControlChannel",
"ssm:UpdateInstanceInformation",
"ssm:TerminateSession",
"ssm:StartSession",
"ssm:ResumeSession",
"ssm:ListInstanceAssociations",
"ssm:ListAssociations",
"ssm:GetConnectionStatus",
"ssm:DescribeSessions",
"ssm:DescribeInstanceProperties",
"s3:GetEncryptionConfiguration",
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"kms:Decrypt",
"ec2messages:GetMessages",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface"
],
"Resource": "*"
}
]
}