I prefer AWS SSM or something like Teleport, which offloads user management to AWS or an IdP. The CA still needs management and special handling and policies if you want to be compliant.
Annoyingly, SSM still requires managing SSH keys and users somehow; it really only takes care of the network layer. I have been thinking of combining SSM with EC2 Instance Connect to deal with that issue, but haven't gotten around to actually implementing that.
> Annoyingly SSM still requires managing ssh keys and users somehow
No, it doesn't require managing SSH keys. SSM can work with SSH keys, but it's not required. The downside I found is that all users connect with the same uid/gid, which does not work great for bastion hosts where user profiles are required (e.g. connecting to the EKS API). You could work your way around this with document permissions per user, but it's not great.
To be more specific, SSH keys (and their management) are required for SSH access, something which I took as a given considering the thread. Sure, the rest of SSM is not reliant on SSH or SSH keys in any other way.