
AWS CLI SSH Access Through a Secure Proxy with Session Manager

The EC2 instance sat locked behind a VPC, unreachable, until the command line cracked it open.

AWS CLI SSH access through a proxy is fast, controlled, and scriptable. It strips away guesswork. You type, you connect, no detours. The AWS CLI becomes more than a cloud control tool—it becomes a secure tunnel into your infrastructure.

The core steps are simple. First, you create or identify a Session Manager-enabled EC2 instance to act as the jump host. This jump host doesn’t need a public IP. It connects to your target instances inside private subnets over AWS’s internal network. Then, in your SSH config, you set an SSM session started through the AWS CLI as the proxy command.

The critical command in your SSH configuration looks like this:

Host i-* mi-*
 ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"

With that in place, you can run:

ssh ec2-user@i-0123456789abcdef0

No direct networking from your local machine to the EC2 instance is required. All traffic flows over the AWS secure channel established by Session Manager. There’s no open SSH port and no exposed surface on the public internet.
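
Because the `Host i-* mi-*` pattern matches any host name that merely starts with `i-` or `mi-`, a small wrapper can check `%h` and `%p` before any AWS call is made. The script below is an added example, not part of the original post; its name and path are hypothetical, and it assumes the documented ID formats (`i-` plus 8 or 17 hex digits, `mi-` plus 17 hex digits).

```sh
#!/bin/sh
# Hypothetical wrapper, e.g. saved as ~/bin/ssm-ssh-proxy.sh and used as:
#   Host i-* mi-*
#       ProxyCommand ~/bin/ssm-ssh-proxy.sh %h %p

# True only for i-<8 or 17 hex> (EC2) or mi-<17 hex> (managed node).
valid_target() {
    case "$1" in
        *[!0123456789abcdefim-]*) return 1 ;;  # spaces, newlines, dots, uppercase, ...
    esac
    printf '%s\n' "$1" |
        LC_ALL=C grep -Eqx '(i-([0-9a-f]{8}|[0-9a-f]{17})|mi-[0-9a-f]{17})'
}

# True only for a plain decimal port in 1..65535 with no leading zero.
valid_port() {
    case "$1" in
        ''|0*|*[!0123456789]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Validate both arguments, then hand over to the AWS CLI.
ssm_ssh_proxy() {
    if ! valid_target "$1"; then
        echo "ssm-ssh-proxy: '$1' is not an instance ID, refusing" >&2
        return 64
    fi
    if ! valid_port "$2"; then
        echo "ssm-ssh-proxy: invalid port, refusing" >&2
        return 64
    fi
    exec aws ssm start-session --target "$1" \
        --document-name AWS-StartSSHSession \
        --parameters "portNumber=$2"
}

# Act as the ProxyCommand only when called with host and port.
if [ "$#" -eq 2 ]; then
    ssm_ssh_proxy "$1" "$2"
fi
```

A host such as `i-am-a-host.example.com` still matches the `Host` pattern, but the wrapper exits with status 64 instead of passing it to `aws ssm start-session`.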

This method works across accounts, regions, and complex VPC designs. It plays well with CI pipelines, automation scripts, and incident response workflows. The AWS CLI proxy approach unifies SSH access control with IAM policies. Revoking or granting access no longer requires juggling keys—just update IAM permissions.

For engineers managing regulated environments, this is a way to meet compliance requirements without slowing down work. No bastion hosts to patch. No dangling credentials left behind. Logs and session transcripts can be stored in S3 or CloudWatch Logs for audits without extra effort.

When AWS CLI, SSH, and Session Manager combine, you gain a secure, zero-trust access layer that scales without friction.

You can set this up yourself, or see it live in minutes with a managed setup from hoop.dev—where AWS CLI SSH proxy access just works. No patching. No guesswork. Only secure, instant connectivity.
