Comment by mdaniel

2 years ago

> necessities, like SSH access.

SSM for life. Fun fact, one can also register non-AWS assets as SSM targets, so I could imagine a world in which it makes sense to create an AWS account, wire up federated auth, just to dispense with the hoopjumpery of SSH attack surface and Internet exposure.

The break-glass is always a consideration, so it's no panacea, but I still hope one day the other clouds adopt the SSM protocol same as they did with S3Api.

I believe a lot of folks have had good experiences with WireGuard and similar, but thus far I haven't had hand-to-hand combat with it to comment. We use Teleport for its more fine-grained access and auditing, but I've had enough onoz with it to not recommend it in the same way as SSM.