Introducing Systems Manager Just-in-Time (JIT) Node Access
- Sep 15
By Ananta Cloud Engineering Team | September 16, 2025

In modern cloud environments, managing access to compute resources like EC2 instances or on-prem nodes is a critical security concern. Granting long-lived credentials or blanket SSH access increases the risk of unauthorized access and complicates auditability. To address these concerns, AWS has introduced Systems Manager Just-in-Time (JIT) Node Access, a powerful feature that brings ephemeral, auditable, and approval-based access to your hybrid and cloud environments.
In this post, we'll explore what JIT access is, why it matters, and how AWS Systems Manager makes it easy to implement secure, on-demand access workflows to your nodes — without the need for SSH keys or bastion hosts.
What is Just-in-Time (JIT) Access?
Just-in-Time (JIT) access is a security practice where users or services are granted access to a resource only when needed and only for a limited duration. Instead of giving persistent access (e.g., permanent IAM policies or long-lived SSH keys), JIT ensures that access:
Is time-bound
Requires explicit approval
Is centrally auditable
Reduces attack surface by eliminating idle access
Introducing AWS Systems Manager Just-in-Time Node Access
AWS Systems Manager (SSM) now supports JIT access to managed nodes, enabling secure, on-demand session access through Session Manager. With this feature, administrators can:
Enable request-based access to EC2 and on-prem managed instances
Define approval policies in Systems Manager, with approvers drawn from IAM Identity Center users and groups
Set access policies, approval timeouts, and session duration
Eliminate the need for bastion hosts or SSH key management
Key Capabilities
| Feature | Description |
| --- | --- |
| Access Requests | Users request access via the console, API, or CLI. |
| Approvals | Designated approvers (IAM Identity Center users or groups) approve or reject requests in Systems Manager. |
| Session Manager Integration | Access is provided using SSM Session Manager; no SSH keys or inbound ports needed. |
| Temporary Access | Access is granted only for the approved time window. |
| Auditing | Full audit trail via CloudTrail (API events) and Session Manager session logs. |
How It Works
Here's a high-level flow of how JIT node access works:
User initiates an access request via the Systems Manager console, CLI, or SDK.
The request is routed to the approvers defined in the Systems Manager approval policy (IAM Identity Center users or groups).
Approver reviews and approves/rejects the request.
Upon approval, the user can initiate a Session Manager session to the target node.
After the session ends or the time expires, access is revoked automatically.
This workflow ensures access is only available on demand, when approved, and without opening inbound ports or managing SSH keys.
Prerequisites
To use JIT node access, make sure you have:
Systems Manager Agent (SSM Agent) installed on the node
The node registered as a managed instance
IAM Identity Center configured and connected to Systems Manager
A permission set that grants access to request and start SSM sessions
Approval policies and session settings defined in Systems Manager
Benefits of JIT Node Access
Enhanced Security
No need to manage SSH keys, bastion hosts, or VPNs
Zero-standing privileges — access only exists when needed
Granular Access Control
Per-user approval workflows
Role-based permissions via Identity Center
Centralized Auditing
Every request, approval, and session is logged
Integrates with CloudTrail for API events and with Amazon CloudWatch Logs or Amazon S3 for session logs
Simplicity and Scale
Works across hybrid environments (EC2, on-prem, edge devices)
Scales with your organization using IAM Identity Center and permission sets
Getting Started
To get started:
Ensure your target nodes are Systems Manager managed instances.
Configure Identity Center with the appropriate user groups and permission sets.
In Systems Manager, navigate to Node Management > Access Requests.
Enable JIT access, define approval settings, and start testing with limited roles.
Monitor access using CloudTrail and Session Manager Logs.
Use Case: Secure Developer Access
Let’s say a developer needs temporary access to a production EC2 instance to investigate a performance issue.
Without JIT:
Dev has standing access to the instance
SSH keys may be shared or mismanaged
No clear audit trail of access
With JIT:
Dev submits access request with justification
SRE approves access for 1 hour
Dev connects using Session Manager
Session is logged, time-limited, and access ends automatically
Resources
AWS Systems Manager JIT Node Access Documentation
Session Manager Overview
AWS Identity Center Guide
Implementation Example
Configure IAM Identity Center Users & Groups
Go to IAM Identity Center → Users, and create a user (in this example, Alice).
Create a group: DevOpsEngineers
Add Alice to the group.
Create Permission Sets
In IAM Identity Center, create two permission sets:
01 - SSMAccessRequester (for developers like Alice)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession",
"ssm:DescribeSessions",
"ssm:DescribeInstanceInformation",
"ssm:GetConnectionStatus",
"ssm:ListDocuments"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:CreateAccessRequest",
"ssm:DescribeAccessRequests"
],
"Resource": "*"
}
]
}
Assign this permission set to the DevOpsEngineers group. Leave ssm:SendCommand (Run Command) out of a requester permission set: with Resource "*" it grants standing remote command execution on every managed node and bypasses the approval flow entirely. Also confirm the exact access-request action names against the Service Authorization Reference for Systems Manager before deploying; IAM silently ignores actions that do not exist.
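The requester permission set above grants ssm:StartSession on Resource "*", which is standing session access to every managed node regardless of whether JIT is enabled for it. A tighter form, added here as an example and not taken from the original post or from AWS documentation, scopes session starts to nodes tagged JITAccess=true (the tag key is an assumption; use whatever tag marks your JIT-protected fleet), limits the session document to the default interactive shell, and lets users terminate or resume only their own sessions via the documented `${aws:userid}-*` session-ID pattern. The access-request actions are carried over from the page's permission set and should be checked against the Service Authorization Reference as noted above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionsOnlyOnJitTaggedNodes",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/JITAccess": "true" }
      }
    },
    {
      "Sid": "OnlyTheInteractiveShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:userid}-*"
    },
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:DescribeInstanceInformation",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RequestAccess",
      "Effect": "Allow",
      "Action": ["ssm:CreateAccessRequest", "ssm:DescribeAccessRequests"],
      "Resource": "*"
    }
  ]
}
```

Two statements are needed for ssm:StartSession because IAM evaluates the call against both the target instance ARN and the session document ARN; the tag condition applies only to the instance statement. If you also use port forwarding or SSH-over-Session-Manager documents, add their document ARNs explicitly rather than widening the document statement to "*".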
02 - SSMAccessApprover (for approvers)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAccessRequests",
"ssm:UpdateAccessRequest"
],
"Resource": "*"
}
]
}
Assign this to your managers or SRE team.
Enable Just-in-Time Access
Go to Systems Manager → Node Management → Access Requests
Click Enable Access Requests
Choose the IAM Identity Center group allowed to request access (e.g., DevOpsEngineers)
Choose the IAM Identity Center group allowed to approve access (e.g., SREManagers)
Define session timeout (e.g., 1 hour) and max approval timeout (e.g., 30 mins)
Save settings
Configure EC2 Instance
Launch an EC2 instance (Amazon Linux 2) with:
IAM Role: SSMInstanceRole with AmazonSSMManagedInstanceCore policy
Ensure SSM Agent is running
Confirm instance shows as Managed in Systems Manager → Fleet Manager
Request Access as a Developer
Log in to the AWS console as Alice:
Go to Systems Manager → Node Management → Access Requests
Click Request Access
Select the target instance
Add a justification (e.g., “Investigating service latency”)
Submit the request
Approve Access as a Manager
Log in as a user with SSMAccessApprover permissions.
Go to Access Requests
See pending requests
Review the request from Alice
Approve (or deny) with comments
Start the Session (After Approval)
Once approved, Alice can:
Go to Systems Manager → Session Manager
Click Start Session
Select the approved node
Connect directly in-browser (no SSH keys or open ports needed)
Monitor and Audit
Go to CloudTrail or SSM Session History
Track:
Who requested access
Who approved it
When session started and ended
Command logs (if configured)
Optional: Enable Session Manager logging to CloudWatch Logs or S3 for full command capture. Without it, CloudTrail records only the StartSession and TerminateSession API calls, not what was typed inside the session. Encrypt the log destination and restrict who can read it, since session transcripts routinely contain secrets.
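The audit trail is only useful if someone correlates it. The following is an added example, not code from the original post or from AWS, that reconstructs the JIT timeline from CloudTrail-shaped records and flags two things a reviewer should care about: a Session Manager session on a node with no matching approved request for that user in the preceding window (standing access that JIT was supposed to remove, or a bypass), and a request approved by the requester (broken separation of duties). StartSession and TerminateSession are the real Systems Manager CloudTrail event names and their field layout follows CloudTrail's shape; the access-request and approval event names are placeholders you must map to what your CloudTrail actually records, and SAMPLE_EVENTS is constructed sample data.

```python
"""
Added example (not from the original post or from AWS): reconstruct the JIT access
timeline from CloudTrail records and flag Session Manager sessions that were not
preceded by an approved access request for the same user and node.

Assumptions:
- StartSession / TerminateSession are the real Systems Manager CloudTrail events.
- ACCESS_REQUEST_EVENT / APPROVAL_EVENT are placeholder names; map them to the
  event names your CloudTrail records before running this on real logs.
- SAMPLE_EVENTS is constructed sample data, not real CloudTrail output.
"""
from datetime import datetime, timedelta, timezone

ACCESS_REQUEST_EVENT = "StartAccessRequest"    # placeholder name (assumption)
APPROVAL_EVENT = "ApproveAccessRequest"        # placeholder name (assumption)
SESSION_START_EVENT = "StartSession"           # real CloudTrail event name
SESSION_END_EVENT = "TerminateSession"         # real CloudTrail event name

NODE = "i-0abc123def456789a"  # constructed instance id


def _rec(time, name, user, params, resp=None):
    """Build a minimal CloudTrail-shaped record (helper for the constructed sample)."""
    return {
        "eventTime": time,
        "eventName": name,
        "userIdentity": {"arn": f"arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_Role/{user}"},
        "requestParameters": params,
        "responseElements": resp or {},
    }


SAMPLE_EVENTS = [
    _rec("2025-09-16T10:00:00Z", ACCESS_REQUEST_EVENT, "alice",
         {"targets": [{"key": "InstanceIds", "values": [NODE]}]}, {"accessRequestId": "req-1"}),
    _rec("2025-09-16T10:05:00Z", APPROVAL_EVENT, "bob", {"accessRequestId": "req-1"}),
    _rec("2025-09-16T10:10:00Z", SESSION_START_EVENT, "alice", {"target": NODE}, {"sessionId": "alice-0001"}),
    _rec("2025-09-16T10:40:00Z", SESSION_END_EVENT, "alice", {"sessionId": "alice-0001"}),
    # No request, no approval: standing access or a bypass; either way it deserves an alert.
    _rec("2025-09-16T11:00:00Z", SESSION_START_EVENT, "mallory", {"target": NODE}, {"sessionId": "mallory-0002"}),
    # Approved, but by the requester herself: separation of duties is broken.
    _rec("2025-09-16T12:00:00Z", ACCESS_REQUEST_EVENT, "carol",
         {"targets": [{"key": "InstanceIds", "values": [NODE]}]}, {"accessRequestId": "req-2"}),
    _rec("2025-09-16T12:01:00Z", APPROVAL_EVENT, "carol", {"accessRequestId": "req-2"}),
    _rec("2025-09-16T12:02:00Z", SESSION_START_EVENT, "carol", {"target": NODE}, {"sessionId": "carol-0003"}),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(record):
    # For IAM Identity Center roles the session name after the last '/' is the user name.
    return record["userIdentity"]["arn"].rsplit("/", 1)[-1]


def audit_jit_sessions(records, approval_window=timedelta(hours=1)):
    """Return one finding per StartSession, in time order.

    A session counts as 'approved' only if an approval of a request by the same user
    for the same node landed within approval_window before the session started.
    """
    events = sorted(records, key=lambda r: r["eventTime"])
    requests = {}    # accessRequestId -> (requester, node)
    approvals = []   # (requester, node, approved_at, approver)
    ends = {}        # sessionId -> end time
    for r in events:
        name = r["eventName"]
        if name == ACCESS_REQUEST_EVENT:
            node = r["requestParameters"]["targets"][0]["values"][0]
            requests[r["responseElements"]["accessRequestId"]] = (_principal(r), node)
        elif name == APPROVAL_EVENT:
            req = requests.get(r["requestParameters"]["accessRequestId"])
            if req:
                approvals.append((req[0], req[1], _ts(r["eventTime"]), _principal(r)))
        elif name == SESSION_END_EVENT:
            ends[r["requestParameters"]["sessionId"]] = _ts(r["eventTime"])

    findings = []
    for r in events:
        if r["eventName"] != SESSION_START_EVENT:
            continue
        who, node, start = _principal(r), r["requestParameters"]["target"], _ts(r["eventTime"])
        sid = r["responseElements"]["sessionId"]
        match = next((a for a in approvals
                      if a[0] == who and a[1] == node
                      and timedelta(0) <= start - a[2] <= approval_window), None)
        end = ends.get(sid)
        findings.append({
            "session_id": sid, "principal": who, "instance": node,
            "status": "approved" if match else "UNAPPROVED",
            "approver": match[3] if match else None,
            "self_approved": bool(match) and match[3] == who,
            "duration_minutes": round((end - start).total_seconds() / 60, 1) if end else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_jit_sessions(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this yields three findings: Alice's 30-minute session approved by Bob, Mallory's session flagged UNAPPROVED, and Carol's session approved but with self_approved set. In practice, feed it records from a CloudTrail Lake or Athena query over the trail, set approval_window to the approval timeout you configured in Systems Manager, and route UNAPPROVED and self_approved findings to the same alerting path you use for other privileged-access anomalies.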
Final Thoughts
AWS Systems Manager’s Just-in-Time Node Access is a major step forward in cloud security and operational efficiency. By enforcing time-bound, approver-based access through Session Manager, organizations can reduce their attack surface, improve compliance, and simplify access control — all without compromising productivity.
Start implementing JIT access today and move towards a zero-standing-access future.
Want to implement secure, just-in-time access in your cloud environment?
Let Ananta Cloud help you deploy best-in-class access controls.
Email: hello@anantacloud.com | LinkedIn: @anantacloud | Schedule Meeting