AWS SYSTEMS MANAGER HAS A FEATURE CALLED SESSION MANAGER. WITH SESSION MANAGER THERE ARE NO OPEN INBOUND PORTS AND NO NEED TO MANAGE BASTION HOSTS OR SSH KEYS.
AT THE CORE OF SYSTEMS MANAGER IS A CONCEPT CALLED DOCUMENTS.
THEY ARE JSON FILES THAT YOU WRITE THAT CONTAIN A LIST OF COMMANDS THAT YOU WANT SYSTEMS MANAGER TO RUN FOR YOU.
YOU CAN THEN DELIVER THAT DOCUMENT TO A SERVICE. IN THE PICTURE EXAMPLE TO THE RIGHT, YOU DELIVER A DOCUMENT TO A SERVICE CALLED RUN COMMAND, AND RUN COMMAND THEN EXECUTES THAT DOCUMENT ON THE ENTIRE FLEET OF SERVERS THAT YOU DEFINE.
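Because one document runs on every server you target, it is worth reviewing before delivery. The following is an added example, not part of the original material: a constructed Command-type document (schema version 2.2) and a small reviewer that lists the commands it would run and flags any parameter substituted into a shell command without an `allowedPattern` constraint. The document contents, the parameter names and the `review_document` helper are assumptions made for illustration.

```python
import json
import re

# Constructed sample document; names and commands are illustrative only.
SAMPLE_DOCUMENT = """{
  "schemaVersion": "2.2",
  "description": "Restart a service and print recent log lines",
  "parameters": {
    "serviceName": {"type": "String", "allowedPattern": "^[a-zA-Z0-9_.-]+$"},
    "logLines": {"type": "String", "default": "20"}
  },
  "mainSteps": [{
    "action": "aws:runShellScript",
    "name": "restartService",
    "inputs": {"runCommand": [
      "systemctl restart {{ serviceName }}",
      "journalctl -u {{ serviceName }} -n {{ logLines }} --no-pager"
    ]}
  }]
}"""

# Matches {{ name }} references to the document's own parameters.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

def review_document(text):
    """Return (commands, findings) for a Command document given as JSON text."""
    doc = json.loads(text)
    params = doc.get("parameters", {})
    commands, findings = [], []
    for step in doc.get("mainSteps", []):
        step_name = step.get("name", "<unnamed>")
        for line in step.get("inputs", {}).get("runCommand", []):
            commands.append((step_name, line))
            for ref in PLACEHOLDER.findall(line):
                if ref not in params:
                    findings.append(f"{step_name}: undefined parameter {ref}")
                elif "allowedPattern" not in params[ref]:
                    # Unconstrained input reaches a shell on every target.
                    findings.append(f"{step_name}: parameter {ref} has no allowedPattern")
    return commands, findings

if __name__ == "__main__":
    cmds, issues = review_document(SAMPLE_DOCUMENT)
    for step_name, line in cmds:
        print(f"[{step_name}] {line}")
    for issue in issues:
        print("FINDING:", issue)
```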