An AWS-Native Pattern for Audited, Just-in-Time SSH Access Using Short-Lived Certificates

Authors

  • Tripatjeet Singh, Senior Cloud Engineer, Dallas-Fort Worth, USA

DOI:

https://doi.org/10.63282/3050-9246.IJETCSIT-V6I4P114

Keywords:

AWS, SSH, certificates, Just-In-Time access, GitHub Actions, EventBridge Scheduler, Systems Manager, ServiceNow, Security, Compliance

Abstract

Traditional SSH access in multi-account AWS environments relies on long-lived keys, bastion hosts, or static IAM mappings: patterns that are costly, difficult to audit, and misaligned with just-in-time (JIT) and zero-standing-privilege principles. This whitepaper introduces an AWS-native approach using short-lived SSH certificates issued by a central SSH CA stored in AWS Secrets Manager, combined with GitHub Actions OIDC federation, OpenSSH user certificates, hardened EC2 access via AWS Systems Manager, and EventBridge-driven one-time network revocation. It also supports optional ServiceNow validation for production governance. The result is a low-cost, reusable framework delivering auditable, short-lived EC2 SSH access across multiple AWS accounts. The paper also outlines the architecture, implementation, operational considerations, and comparisons with commercial JIT and AWS SSM Session Manager [9] solutions.
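The abstract ties three artifacts to one access request: a user certificate whose validity window equals the approved TTL, a key identity that sshd will log for audit correlation, and a one-time EventBridge Scheduler expression that fires network revocation when the certificate expires. The following added example (not code from the paper) computes those three artifacts for a single request so the relationship is concrete. The policy ceiling, clock-skew allowance, CA key path and the `jit:<request id>` naming are assumptions of this example; it also assumes an ssh-keygen that accepts the trailing `Z` for UTC validity times (older releases read the timestamps as local time). The ssh-keygen flags used (`-s`, `-I`, `-n`, `-V`, `-z`, `-O clear`, `-O permit-pty`) are standard OpenSSH options; the `at(yyyy-mm-ddThh:mm:ss)` form is the documented EventBridge Scheduler one-time expression [10].

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy constants: assumed values for this example, not figures from the paper.
MAX_TTL = timedelta(hours=1)        # longest grant an approver may issue
CLOCK_SKEW = timedelta(minutes=5)   # back-date valid_after to absorb host clock drift
CA_KEY_PATH = "/run/jit/ssh_ca"     # placeholder: CA private key fetched from Secrets Manager
PRINCIPAL_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


@dataclass(frozen=True)
class GrantRequest:
    request_id: str    # audit correlation id (e.g. a workflow run id or change ticket)
    principal: str     # Unix account the certificate may log in as
    pubkey_path: str   # requester's ephemeral public key to be signed
    ttl: timedelta


@dataclass(frozen=True)
class Grant:
    valid_after: datetime
    valid_before: datetime
    keygen_argv: List[str]     # ssh-keygen invocation that mints the certificate
    schedule_expression: str   # EventBridge Scheduler one-time expression for revocation


def ssh_time(t: datetime) -> str:
    """Format a datetime as ssh-keygen's YYYYMMDDHHMMSSZ validity time (UTC)."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def scheduler_at(t: datetime) -> str:
    """One-time schedule expression; the schedule itself must be created with UTC as its time zone."""
    return t.astimezone(timezone.utc).strftime("at(%Y-%m-%dT%H:%M:%S)")


def plan_grant(req: GrantRequest, now: Optional[datetime] = None) -> Grant:
    """Derive certificate validity, signing arguments and the revocation schedule for one request."""
    if req.ttl <= timedelta(0) or req.ttl > MAX_TTL:
        raise ValueError(f"ttl must be within (0, {MAX_TTL}]")
    # Principals go straight into the certificate; reject anything that is not a plain account name.
    if not PRINCIPAL_RE.fullmatch(req.principal):
        raise ValueError("principal is not a plain Unix account name")
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    valid_after = now - CLOCK_SKEW
    valid_before = now + req.ttl
    serial = int(now.timestamp())   # sshd logs the serial on every certificate login
    argv = [
        "ssh-keygen", "-s", CA_KEY_PATH,
        "-I", f"jit:{req.request_id}",   # key id: shows up in sshd auth logs for correlation
        "-n", req.principal,             # the only principal this certificate is valid for
        "-V", f"{ssh_time(valid_after)}:{ssh_time(valid_before)}",
        "-z", str(serial),
        "-O", "clear",                   # drop every default extension (forwarding, etc.)
        "-O", "permit-pty",              # then re-enable only an interactive shell
        req.pubkey_path,
    ]
    # Revocation fires at the instant the certificate stops being valid for new logins.
    return Grant(valid_after, valid_before, argv, scheduler_at(valid_before))


if __name__ == "__main__":
    g = plan_grant(GrantRequest("run-123", "deploy", "/tmp/id_ed25519.pub", timedelta(minutes=15)))
    print(" ".join(g.keygen_argv))
    print(g.schedule_expression)
```

Certificate expiry only stops new authentications; a session opened before valid_before keeps running, which is why the scheduled network revocation is a separate artifact rather than a by-product of the short validity window.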

References

[1] Smallstep. SSH Certificate Login Tutorial. [Online]. Available: https://smallstep.com/docs/tutorials/ssh-certificate-login/

[2] Smallstep. If You’re Not Using SSH Certificates You’re Doing SSH Wrong. [Online]. Available: https://smallstep.com/blog/use-ssh-certificates/

[3] Smallstep. SSH: How It Works. [Online]. November 2025. Available: https://smallstep.com/docs/ssh/how-it-works/

[4] H. McLaren. How to Configure SSH Certificate-Based Authentication. [Online]. April 2022. Available: https://goteleport.com/blog/how-to-configure-ssh-certificate-based-authentication/

[5] SecureW2. How Does SSH Certificate Authentication Work? [Online]. September 2024. Available: https://www.securew2.com/blog/how-does-ssh-certificate-authentication-work

[6] Infisical. SSH Keys Don’t Scale. SSH Certificates Do. [Online]. April 2025. Available: https://infisical.com/blog/ssh-keys-dont-scale

[7] CyberArk. Just in Time Access with Short-Lived SSH Certificates. [Online]. Available: https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/jit-access-ssh-certificate.htm

[8] CyberArk. What is Just-In-Time Access? [Online]. Available: https://www.cyberark.com/what-is/just-in-time-access/

[9] AWS. AWS Systems Manager Session Manager. [User Guide]. Available: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

[10] AWS. Amazon EventBridge Scheduler, Schedule Types and One-Time Schedules. [User Guide]. Available: https://docs.aws.amazon.com/scheduler/latest/UserGuide/schedule-types.html

[11] M. Sachin. One-Time Schedules Using AWS EventBridge Scheduler. [Online]. April 2023. Available: https://mathewsachin.github.io/blog/2023/04/21/aws-scheduler-one-time.html

[12] AWS Serverless Land. Remove One-Time EventBridge Schedules After They Run. [Online]. Available: https://serverlessland.com/patterns/eventbridge-schedule-remove-one-time-schedules

[13] CyberArk. Connect through PSM for SSH. [Product Documentation]. Available: https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/psso-pmsp.htm

Published

2025-11-08

Section

Articles

How to Cite

Singh T. An AWS-Native Pattern for Audited, Just-in-Time SSH Access Using Short-Lived Certificates. IJETCSIT [Internet]. 2025 Nov. 8 [cited 2025 Dec. 9];6(4):102-8. Available from: https://ijetcsit.org/index.php/ijetcsit/article/view/490
