Use AWS Systems Manager Session Manager:
AWS Systems Manager Session Manager provides shell access to EC2 instances over the SSM Agent's outbound HTTPS connection to the Systems Manager endpoints, so no SSH key pairs, no inbound security-group rules, and no bastion hosts are needed. Who may open a session is decided by IAM (the ssm:StartSession action, which can be scoped to tagged instances) rather than by who holds a private key. Prerequisites: the SSM Agent must be running on each instance, the instance profile must allow the agent to register with Systems Manager (the AmazonSSMManagedInstanceCore managed policy covers this), and instances in private subnets need a NAT route or VPC interface endpoints for ssm, ssmmessages and ec2messages.
This satisfies the company's requirement of not managing SSH keys or maintaining bastion hosts.
Configure Session Manager Logging to CloudWatch:
In the Systems Manager console, open Session Manager, choose Preferences, and enable CloudWatch logging with the name of the log group that will receive the session transcripts (keystrokes and command output). The same settings are stored in the SSM-SessionManagerRunShell document and can be set from the CLI. Enable streaming so output is written while the session runs rather than only when it ends. The instance profile needs logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams on that log group, or nothing is written; keep it to those write-only actions so a compromised instance cannot delete its own session history.
This records every session's activity outside the instance, where a user with shell access on the instance cannot alter it.
Encrypt Logs in CloudWatch:
Create a symmetric AWS Key Management Service (AWS KMS) key whose key policy lets the CloudWatch Logs service principal for the region (logs.<region>.amazonaws.com) use it (kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey*, kms:Describe*), preferably conditioned on the log group ARN through the kms:EncryptionContext:aws:logs:arn context key, and then associate the key with the log group (console, or aws logs associate-kms-key). CloudWatch Logs encrypts only data ingested after the association, so associate the key before the first session is opened. In Session Manager preferences also turn on "Enforce encryption" (cloudWatchEncryptionEnabled), which refuses to start a session if the target log group has no KMS key. The separate KMS key option on the same preferences page encrypts session data in transit between the client and the instance; it is a useful extra control but is not what the log-encryption requirement asks for.
This meets the requirement to encrypt logs.
Monitor Logs for Compliance and Security:
Review the log group for who opened sessions and what they ran (CloudWatch Logs Insights queries or metric filters on the transcript streams), and pair it with CloudTrail, which records the StartSession and TerminateSession API calls together with the caller's identity. Set a retention period on the log group that matches the compliance requirement, and restrict logs:DeleteLogGroup and logs:DeleteLogStream on it to an audit role.
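The whole procedure above as one AWS CLI script (an added example, not code from the original page or from AWS): it creates the KMS key with a policy scoped to the CloudWatch Logs service principal, creates the log group, associates the key, writes the Session Manager preferences with encryption enforcement and streaming enabled, and finally checks that the log group reports a kmsKeyId. The region, account ID, log group name /ssm/sessions and alias alias/ssm-session-logs are placeholders I chose; the script only generates the policy and preferences documents unless it is run with the argument apply.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: wires Session Manager
# logging to a KMS-encrypted CloudWatch Logs log group with the AWS CLI.
# Placeholders (assumed, change before running with "apply"): REGION,
# ACCOUNT_ID, LOG_GROUP and the key alias alias/ssm-session-logs.
set -eu
REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # placeholder account id
LOG_GROUP="${LOG_GROUP:-/ssm/sessions}"    # assumed log group name
KEY_ALIAS="alias/ssm-session-logs"

# Key policy: the account administers the key; the CloudWatch Logs service
# principal may use it, but only for this log group (encryption context).
kms_key_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountAdmin",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsUse",
      "Effect": "Allow",
      "Principal": {"Service": "logs.${REGION}.amazonaws.com"},
      "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:Describe*"],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "kms:EncryptionContext:aws:logs:arn":
            "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}"
        }
      }
    }
  ]
}
EOF
}

# Session Manager preferences (SSM-SessionManagerRunShell). Enforced
# encryption refuses sessions if the log group has no KMS key; streaming
# writes output during the session rather than only at its end.
session_preferences() {
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "${LOG_GROUP}",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "shellProfile": {"windows": "", "linux": ""}
  }
}
EOF
}

apply() {
  key_id=$(aws kms create-key --region "$REGION" \
      --description "Session Manager session log encryption" \
      --policy "$(kms_key_policy)" --query KeyMetadata.KeyId --output text)
  aws kms create-alias --region "$REGION" --alias-name "$KEY_ALIAS" \
      --target-key-id "$key_id"
  aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP"
  # associate-kms-key needs the full key ARN, not the bare key id
  aws logs associate-kms-key --region "$REGION" --log-group-name "$LOG_GROUP" \
      --kms-key-id "arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/${key_id}"
  # first run creates the preferences document; later runs update it
  aws ssm create-document --region "$REGION" --name SSM-SessionManagerRunShell \
      --document-type Session --document-format JSON \
      --content "$(session_preferences)" 2>/dev/null ||
  aws ssm update-document --region "$REGION" --name SSM-SessionManagerRunShell \
      --content "$(session_preferences)" --document-version '$LATEST'
}

# Check: the log group must report a kmsKeyId once the key is associated.
verify() {
  aws logs describe-log-groups --region "$REGION" \
      --log-group-name-prefix "$LOG_GROUP" \
      --query "logGroups[?logGroupName=='${LOG_GROUP}'].kmsKeyId" --output text
}

if [ "${1:-}" = "apply" ]; then apply; verify; fi
```

Run it as `./setup-session-logging.sh apply` with credentials that can create KMS keys, log groups and SSM documents; verify prints the key ARN when the association is in place and nothing if it is not. The script does not touch instance roles: each target instance still needs AmazonSSMManagedInstanceCore plus the four logs actions on the log group. On a rerun the create-document call fails because the document already exists and the update-document call takes over.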
References:
AWS Systems Manager Session Manager Documentation
Encrypting CloudWatch Logs with KMS
AWS Best Practices for Accessing EC2 Instances