
SAML/OIDC SSO for SSH on Amazon Linux EC2

Amazon Linux is a product of Amazon Web Services, Inc.

Add SAML/OIDC SSO to SSH on Amazon Linux 2 and Amazon Linux 2023 EC2 instances. Move beyond AWS key pairs and EC2 Instance Connect. Deploy via local agent or gateway SSH proxy. Shield EC2 instances from SSH zero-day vulnerabilities.

Get Started in Minutes

Install the OnePAM agent with a single command. No packages to download, no repositories to configure.

Step 1 — Install
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Step 2 — Verify
systemctl status onepam-agent
The installer auto-registers the endpoint. Confirm the service is active. The script runs as root; for an AMI build pipeline, fetch it to a file and review it before adding it to the image rather than piping it straight into bash.
Before OnePAM
AWS key pairs are static SSH keys
# Create key pair in AWS console or CLI, saving the one-time private key to a .pem file
aws ec2 create-key-pair --key-name dev-team --query 'KeyMaterial' --output text > dev-team.pem
# Distribute the .pem file to the team
# The key pair persists in EC2 until manually deleted, and its public key stays in authorized_keys on every instance launched with it
AWS key pairs are EC2 resources, not corporate identities
EC2 Instance Connect gaps
# Instance Connect pushes a one-time public key that sshd reads from instance metadata
# Authorized by IAM policy, not by your SAML/OIDC IdP
# No session recording
# AWS-only; doesn't work cross-cloud
Instance Connect lacks enterprise SSO features
Key pair sprawl across accounts
# dev account: 15 key pairs
# staging account: 12 key pairs
# prod account: 20 key pairs
# Who owns which key? Unknown.
Multi-account AWS = fragmented SSH access
After OnePAM
Install OnePAM agent
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash
Works on Amazon Linux 2 and AL2023. Add to user-data for auto-scaling.
Verify service and registration
systemctl status onepam-agent
The installer auto-registers this endpoint with your organization.
SSH with corporate identity
onepam ssh ec2-instance.internal
# → Redirected to Okta/Azure AD for SSO + MFA
# → Short-lived certificate issued
# → Session recorded (beyond CloudTrail)
Use 'onepam ssh' — no AWS key pair files on developer laptops

Why EC2 Instances Need More Than AWS Key Pairs

Amazon Linux is the default OS for AWS EC2 instances, optimized for the AWS ecosystem. SSH access to Amazon Linux EC2 instances typically uses AWS key pairs: static SSH keys stored as EC2 resources, with no link to a corporate identity or to a person. EC2 Instance Connect and AWS Systems Manager Session Manager are alternatives, but both are authorized through AWS IAM (corporate SSO reaches them only via IAM federation), both are AWS-only, and neither gives you one SSH access path and audit trail that also covers other clouds. Instance Connect has no session recording; Session Manager can log the sessions it opens itself to CloudWatch Logs or S3, but not SSH sessions tunnelled through it.

OnePAM bridges AWS EC2 SSH access with your corporate Identity Provider. The local agent installs on Amazon Linux 2 and AL2023 instances with a single command. The gateway SSH proxy authenticates SSH connections to EC2 instances without requiring agent installation, which suits auto-scaling groups, spot instances, and other automation-managed fleets. OnePAM eliminates AWS key pair management, enforces corporate MFA on every SSH session, and provides session-level audit trails that AWS CloudTrail alone cannot deliver.

Local Agent

Install with a single command on Amazon Linux 2 and AL2023 EC2 instances. Deploy via user-data scripts or AMI baking. Auto-scaling compatible.

Gateway SSH Proxy

Run OnePAM gateway in a dedicated VPC/subnet. Proxy SSH to EC2 instances across VPCs, regions, and accounts. No agent needed on target instances. Works with spot instances and auto-scaling.

SSH Security Gaps on Amazon Linux EC2

Without identity-based SSH access, these risks threaten your servers every day.

AWS key pairs are static SSH keys that persist until the key pair is deleted from EC2 and its public key is removed from every instance launched with it; deleting the key pair alone revokes nothing
EC2 instances in auto-scaling groups may run outdated AMIs with vulnerable OpenSSH versions
AWS key pairs are not tied to corporate identity: a .pem file proves only possession of a key, not who is holding it or whether they still work for you
EC2 Instance Connect pushes temporary SSH keys but is authorized through IAM rather than your IdP and has no session recording
Developers often share AWS key pairs or store them in insecure locations (Slack, email, shared drives)

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

AWS Key Pair Sprawl

Teams create key pairs per project, per developer, per environment. Hundreds of key pairs accumulate across accounts and regions with no visibility into which are actively used, which are abandoned, or which have been deleted while their public keys still sit on running instances.
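A concrete way to get that visibility, added here as an example rather than anything from OnePAM: cross-reference the output of `aws ec2 describe-key-pairs` with `aws ec2 describe-instances` for one account and region. The two JSON documents below are constructed samples in the shape those commands return; the field names are the real ones, the instance and key IDs are made up. Besides listing unused key pairs (the sprawl shown in the "Before" section above), it flags the case the list above warns about: instances launched with a key pair that has since been deleted, where the public key is still in authorized_keys.

```python
"""Cross-reference EC2 key pairs with the instances launched from them.

Added example, not OnePAM code. Reads the JSON shapes produced by
`aws ec2 describe-key-pairs` and `aws ec2 describe-instances`; the sample
documents below are constructed for this example.
"""
import json
from collections import defaultdict

# Constructed sample output of `aws ec2 describe-key-pairs` for one account/region.
KEY_PAIRS_JSON = json.dumps({"KeyPairs": [
    {"KeyName": "dev-team", "KeyPairId": "key-0a1", "CreateTime": "2022-03-01T00:00:00+00:00"},
    {"KeyName": "alice-laptop", "KeyPairId": "key-0b2", "CreateTime": "2021-07-15T00:00:00+00:00"},
    {"KeyName": "ci-legacy", "KeyPairId": "key-0c3", "CreateTime": "2020-01-10T00:00:00+00:00"},
]})

# Constructed sample output of `aws ec2 describe-instances`, trimmed to the fields used.
INSTANCES_JSON = json.dumps({"Reservations": [
    {"Instances": [
        {"InstanceId": "i-111", "KeyName": "dev-team", "State": {"Name": "running"}},
        {"InstanceId": "i-222", "KeyName": "old-contractor", "State": {"Name": "running"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-333", "KeyName": "alice-laptop", "State": {"Name": "stopped"}},
        {"InstanceId": "i-444", "KeyName": "ci-legacy", "State": {"Name": "terminated"}},
        {"InstanceId": "i-555", "State": {"Name": "running"}},  # launched with no key pair
    ]},
]})


def audit_key_pairs(key_pairs_json, instances_json):
    """Return three findings as a dict:

    unused:   key pairs no live instance was launched with (deletion candidates)
    orphaned: (instance, key name) where the key pair has already been deleted
              from EC2 but the instance still carries its public key, so whoever
              holds the .pem can still log in
    usage:    key name -> sorted instance IDs, i.e. "who still relies on this key"
    Terminated instances are skipped; stopped ones are not, since they can be started.
    """
    known = {kp["KeyName"] for kp in json.loads(key_pairs_json)["KeyPairs"]}
    usage = defaultdict(list)
    orphaned = []
    for reservation in json.loads(instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue
            key = inst.get("KeyName")  # absent when launched without a key pair
            if key is None:
                continue
            usage[key].append(inst["InstanceId"])
            if key not in known:
                orphaned.append((inst["InstanceId"], key))
    return {
        "unused": sorted(known - set(usage)),
        "orphaned": sorted(orphaned),
        "usage": {k: sorted(v) for k, v in usage.items()},
    }


if __name__ == "__main__":
    report = audit_key_pairs(KEY_PAIRS_JSON, INSTANCES_JSON)
    for name in report["unused"]:
        print(f"UNUSED   {name}: no live instance references this key pair")
    for instance_id, name in report["orphaned"]:
        print(f"ORPHANED {instance_id}: key pair {name} was deleted from EC2 but "
              "its public key is still in authorized_keys on the instance")
    for name, ids in report["usage"].items():
        print(f"USAGE    {name}: {', '.join(ids)}")
```

Key pairs are scoped to one account and one region, so run this once per account and region (or feed it the concatenated output) to get the multi-account picture. The "orphaned" finding is the one to act on first: the only fix is to remove the public key from authorized_keys on those instances or replace the instances.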

No Corporate Identity Link

An AWS key pair authenticates whoever holds the private key, not a person in your directory. There's no native way to require Okta or Azure AD authentication for key-based SSH to EC2.

Auto-Scaling Challenges

Auto-scaling groups launch instances from AMIs. SSH key management for dynamically created instances is complex — keys must be baked into AMIs or injected via user-data.

Multi-Account Complexity

Organizations with multiple AWS accounts have fragmented SSH key management. Key pairs are scoped to one account and one region, so users end up with a different key pair for each account.

Compliance Gaps

AWS CloudTrail logs API calls but not SSH session content. SOC 2 and HIPAA auditors require evidence of who accessed which server and what they did.

Spot Instance Access

Spot instances are ephemeral. Managing SSH access to short-lived instances with static key pairs is operationally wasteful and insecure.

How OnePAM Adds SSO to SSH on Amazon Linux

Step-by-step guide to deploying identity-based SSH access.

1. Deploy Agent or Gateway in AWS

Install agent on EC2 instances via user-data, or deploy a OnePAM gateway in your VPC.

Agent: add 'curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash' to your user-data script or AMI build. Works with Launch Templates and auto-scaling groups.
Gateway: deploy the OnePAM gateway as an EC2 instance in a dedicated subnet. In the target instances' Security Groups, allow port 22 from the gateway's Security Group (or, across VPCs and accounts, from the gateway's address range) and from nothing else, so sshd on the targets is reachable only through the gateway.
2. Connect Corporate IdP

Link Okta, Azure AD, Google Workspace, or any SAML/OIDC provider — independent of AWS IAM.

Users authenticate via your corporate IdP, not AWS IAM. This separates SSH authentication from cloud platform identity and works across multi-cloud environments.
3. Replace Key Pairs with Policies

Define access policies based on IdP groups, not AWS key pairs. Map teams to EC2 instance groups.

Example: IdP group 'backend-team' gets SSH access to production backend instances. 'data-team' gets access to analytics instances. Access is granted by identity, not by key distribution.
4. SSH with Corporate Credentials

Developers SSH to EC2 instances using their corporate identity. No AWS key pairs needed.

'onepam ssh ec2-instance.internal' triggers IdP authentication. OnePAM issues a short-lived certificate. The instance trusts OnePAM's CA. No key pair files on developer laptops.
5. Audit Beyond CloudTrail

Session-level audit with identity context, MFA status, commands executed, and optional full recording.

Goes beyond CloudTrail's API-level logging. See exactly who accessed which EC2 instance, what they did, and replay the entire session if needed.
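The step "OnePAM issues a short-lived certificate. The instance trusts OnePAM's CA" rests on OpenSSH certificate authentication, and it is worth seeing what the instance actually checks. The block below is an added example, not OnePAM's code: it builds a constructed ssh-ed25519 user certificate in the OpenSSH certificate wire format (placeholder key, nonce and signature bytes, so it parses but would never be accepted by sshd), parses it back, and applies the acceptance rules sshd uses for the validity window and principal list. The key ID, principals and four-hour TTL are assumptions for illustration; what OnePAM puts in its certificates is not specified on this page. For real certificates, `ssh-keygen -L -f id_ed25519-cert.pub` prints the same fields.

```python
"""Decode an OpenSSH user certificate and evaluate it as sshd would for
validity window and principal. Added example, not OnePAM code; the
certificate built here is a constructed sample with placeholder crypto bytes.
"""
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_USER = 1  # certificate type field: 1 = user, 2 = host


def _s(b):  # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b


def build_user_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Constructed sample: correct field layout, placeholder cryptographic bytes."""
    extensions = _s(b"permit-pty") + _s(b"")  # each extension is (name, data)
    body = (
        _s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x01" * 32)          # type, nonce, public key
        + struct.pack(">QI", serial, SSH_CERT_USER) + _s(key_id.encode())
        + _s(b"".join(_s(p.encode()) for p in principals))          # packed principal list
        + struct.pack(">QQ", valid_after, valid_before)              # validity window (epoch seconds)
        + _s(b"") + _s(extensions) + _s(b"")                        # critical options, extensions, reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32))                 # CA public key
        + _s(_s(b"ssh-ed25519") + _s(b"\x03" * 64))                 # CA signature (placeholder)
    )
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} {key_id}"


def parse_cert(line):
    """Parse the 'type base64 comment' line of a *-cert.pub file into a dict."""
    buf = base64.b64decode(line.split()[1])
    pos = 0

    def take_string():
        nonlocal pos
        (n,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        value = buf[pos:pos + n]
        pos += n
        return value

    def take_uint(fmt):
        nonlocal pos
        (v,) = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return v

    def unpack_strings(blob):  # a string that itself holds a sequence of strings
        out, p = [], 0
        while p < len(blob):
            (n,) = struct.unpack_from(">I", blob, p)
            out.append(blob[p + 4:p + 4 + n])
            p += 4 + n
        return out

    if take_string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    take_string()  # nonce
    take_string()  # user's public key
    serial, cert_type = take_uint(">Q"), take_uint(">I")
    key_id = take_string().decode()
    principals = [p.decode() for p in unpack_strings(take_string())]
    valid_after, valid_before = take_uint(">Q"), take_uint(">Q")
    take_string()  # critical options (not evaluated here)
    ext_items = unpack_strings(take_string())
    extensions = [n.decode() for n in ext_items[0::2]]  # names only; data fields skipped
    return {"serial": serial, "type": cert_type, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "extensions": extensions,
            "ttl_hours": (valid_before - valid_after) / 3600}


def check_cert(cert, login_user, now):
    """sshd's acceptance rules for a user certificate at time `now`: user type,
    `login_user` among the principals, valid_after <= now < valid_before.
    Returns (accepted, reason). Signature verification is out of scope here."""
    if cert["type"] != SSH_CERT_USER:
        return False, "not a user certificate"
    if login_user not in cert["principals"]:
        return False, f"principal {login_user!r} not in {cert['principals']}"
    if now < cert["valid_after"]:
        return False, "not yet valid"
    if now >= cert["valid_before"]:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    line = build_user_cert("alice@corp", ["alice", "ec2-user"], issued, issued + 4 * 3600)
    cert = parse_cert(line)
    print(cert["key_id"], cert["principals"], f"TTL {cert['ttl_hours']:.0f}h")
    print(check_cert(cert, "ec2-user", issued + 3600))
    print(check_cert(cert, "ec2-user", issued + 5 * 3600))
```

Two things this makes visible. First, the key ID carries the corporate identity, which is what gives the audit trail a person rather than a key fingerprint. Second, revocation is the validity window: once `valid_before` passes, the certificate is useless on every instance at once, with nothing to clean out of authorized_keys. On the instance side, stock OpenSSH expresses "trusts the CA" with `TrustedUserCAKeys` in sshd_config and maps certificate principals to local accounts with `AuthorizedPrincipalsFile`; how the OnePAM agent configures this is not described on the page.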

Benefits of SSH SSO on Amazon Linux

What changes when you deploy identity-based SSH access.

Eliminate AWS Key Pair Management

No more creating, distributing, rotating, or revoking AWS key pairs. Corporate identity replaces static keys.

Zero AWS key pairs to manage

Auto-Scaling Compatible

OnePAM certificates work with auto-scaling groups. New instances automatically accept OnePAM-authenticated connections.

Works with dynamic infrastructure

Multi-Account SSH Unification

One identity, one MFA policy, one audit trail across all AWS accounts. No per-account key pair management.

Unified access across AWS accounts

Beyond CloudTrail for SSH

Session-level logging with keystroke recording. See what users did inside SSH sessions, not just that they connected.

Complete session visibility

Spot Instance Ready

Short-lived certificates match the ephemeral nature of spot instances. No key management overhead for temporary compute.

Zero overhead for ephemeral instances

Cross-Cloud Consistency

Same SSH authentication for Amazon Linux, Azure VMs, and GCP instances. One identity layer across all clouds.

Multi-cloud SSH consistency

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

SAML 2.0 & OIDC authentication for SSH on Amazon Linux
Supports Amazon Linux 2 and AL2023
AWS Launch Template and user-data deployment
Auto-scaling group compatible
Cross-account SSH access management
Short-lived certificates (1-24 hour TTL)
Works alongside AWS Systems Manager
VPC-aware gateway deployment
IAM role-independent SSH authentication
AWS Security Group-compatible gateway

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Gateway shields EC2 sshd from direct exploitation
Protects instances with outdated AMI OpenSSH versions
SSH protocol inspection at the gateway
VPC Security Group-level isolation
Session recording beyond CloudTrail capabilities
Automatic certificate expiration for spot instances
Cross-account security policy enforcement
Integration with AWS CloudWatch and Security Hub
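"Gateway shields EC2 sshd from direct exploitation" and "VPC Security Group-level isolation" above only hold if no Security Group on the target instances admits port 22 from anywhere but the gateway; one forgotten `0.0.0.0/0` rule and an outdated sshd is exposed regardless of the gateway. The block below is an added check, not OnePAM code: it reads the JSON shape of `aws ec2 describe-security-groups` and reports every group that admits the SSH port from a source other than the gateway's group. The groups and the gateway group ID `sg-0gateway` are constructed samples.

```python
"""Report Security Groups whose SSH port is reachable from anything but the gateway.

Added example, not OnePAM code. Input is the JSON shape of
`aws ec2 describe-security-groups`; the groups below are constructed and
GATEWAY_SG is an assumed ID for the gateway's security group.
"""
import json

GATEWAY_SG = "sg-0gateway"

# Constructed sample of `aws ec2 describe-security-groups`, trimmed to ingress rules.
SECURITY_GROUPS_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0gateway", "GroupName": "onepam-gateway", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "corporate egress"}]}]},
    {"GroupId": "sg-0app", "GroupName": "backend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0gateway"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": "sg-0gateway"}]}]},
    {"GroupId": "sg-0flat", "GroupName": "all-internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})


def _covers_port(perm, port):
    """True if an IpPermission entry admits TCP traffic to `port`.
    '-1' means all protocols and ports; FromPort/ToPort are absent in that case."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    """Every source a rule admits: IPv4/IPv6 CIDRs, other groups, prefix lists."""
    yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    yield from (g["GroupId"] for g in perm.get("UserIdGroupPairs", []))
    yield from (p["PrefixListId"] for p in perm.get("PrefixListIds", []))


def ssh_bypasses(security_groups_json, gateway_sg, port=22, allowed=()):
    """Return {group_id: [sources]} for every group other than the gateway's
    that admits `port` from a source not in {gateway_sg} | allowed.
    `allowed` takes extra permitted sources, e.g. the gateway's CIDR when it
    sits in another VPC or account and cannot be referenced by group ID.
    An empty result means sshd on these groups' members is reachable only
    through the gateway, which is what the shield model relies on."""
    permitted = {gateway_sg, *allowed}
    findings = {}
    for sg in json.loads(security_groups_json)["SecurityGroups"]:
        if sg["GroupId"] == gateway_sg:
            continue
        bad = sorted({src for perm in sg["IpPermissions"] if _covers_port(perm, port)
                      for src in _sources(perm) if src not in permitted})
        if bad:
            findings[sg["GroupId"]] = bad
    return findings


if __name__ == "__main__":
    for group, sources in ssh_bypasses(SECURITY_GROUPS_JSON, GATEWAY_SG).items():
        print(f"{group}: port 22 also reachable from {', '.join(sources)}")
```

In the sample, `sg-0app` is correct (port 22 from the gateway group only), `sg-0legacy` still has the public rule that the gateway rule was added next to, and `sg-0flat` allows all traffic, which includes port 22 even though no rule names it. Run it per account and region with `aws ec2 describe-security-groups --output json`; with a gateway in a peered or cross-account VPC, pass its address range through `allowed` so the check does not flag the gateway's own path.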

Amazon Linux SSH SSO Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. SaaS company replacing AWS key pairs with SSO-authenticated SSH for 500+ EC2 production instances across 5 AWS accounts
2. Data engineering team requiring identity-verified SSH access to EMR cluster nodes and analytics EC2 instances
3. DevOps team deploying OnePAM agent via Launch Template for auto-scaling groups with consistent SSH authentication
4. Financial services firm meeting PCI DSS requirements for SSH session recording on Amazon Linux EC2 instances
5. Startup eliminating AWS key pair sharing between developers with identity-based certificates
6. Enterprise using OnePAM gateway to provide SSH access to EC2 instances in private subnets without bastion host overhead

SSO for SSH on Amazon Linux FAQ

Common questions about SSH SSO and zero-day protection.

How does OnePAM differ from EC2 Instance Connect?

EC2 Instance Connect pushes a one-time SSH public key to the instance, where sshd fetches it from the instance metadata service for the 60 seconds it remains valid. It is authorized by AWS IAM policy, so your corporate SSO reaches it only through IAM federation, and it records nothing beyond the API call in CloudTrail. OnePAM authenticates directly against your corporate IdP via SAML/OIDC, enforces MFA through the IdP, records sessions, and produces compliance-ready audit trails. OnePAM also works across AWS, Azure, and GCP; Instance Connect is AWS-only.

Can OnePAM work with auto-scaling groups?

Yes. In agent mode, bake the OnePAM agent into your AMI or install via user-data. New instances automatically register and accept OnePAM-authenticated connections. In gateway mode, the gateway discovers instances via AWS API integration and proxies SSH connections without agent installation.

Does OnePAM replace AWS Systems Manager Session Manager?

OnePAM and Session Manager solve different problems. Session Manager provides shell access through the AWS console or its CLI plugin, authorized by IAM, and can log the sessions it opens itself to CloudWatch Logs or S3. OnePAM provides SAML/OIDC-authenticated SSH access with standard SSH clients, session recording, and cross-cloud consistency. They can coexist.

How does OnePAM handle SSH to instances in private subnets?

The OnePAM gateway can be deployed in a public or shared-services subnet with SSH access to private subnets via VPC routing. This replaces traditional bastion hosts with an identity-aware SSH proxy that provides SSO, MFA, and session recording.

Can I deploy OnePAM across multiple AWS accounts?

Yes. OnePAM provides unified SSH access management across all AWS accounts. Users authenticate once via their corporate IdP and can access EC2 instances in any authorized account. Access policies are centralized regardless of AWS account boundaries.

What happens to my existing AWS key pairs?

OnePAM can run alongside existing AWS key pairs during migration. Deploy in audit-only mode first to log all SSH access, then enable SSO authentication, and finally retire the key pairs: delete them from EC2 and remove their public keys from authorized_keys on existing instances (or replace those instances), because deleting a key pair does not revoke access on instances already launched with it.

Replace AWS Key Pairs with Corporate SSO

Add SAML/OIDC to SSH on Amazon Linux EC2.