> Can I disable port 22 and remove the SSH client altogether and still use AWS CloudShell on an instance?
Yes, provided you whitelist the IP range for Amazon's Instance Connect service. (They don't call it Cloud Shell.) From [0]:
> We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service.
You have to trawl the giant JSON document that it links to, to find the relevant IP range to permit, where the region matches yours and where you see "service": "EC2_INSTANCE_CONNECT". Then, whitelist the specified IP range (obviously for incoming traffic on TCP port 22).
SSM connects to the instance through the agent (you're logged in as ssm-user) so you don't need to open port 22 inbound, while Instance Connect does the public key magic and connects you directly over SSH.
From EC2 Instance Connect docs: "[...] it generates a one-time-use SSH public key, pushes the key to the instance where it remains for 60 seconds, and connects the user to the instance. You can use basic SSH/SFTP commands with the Instance Connect CLI."
[0] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-inst...
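The lookup the first reply describes (filter AWS's published ip-ranges.json by your region and the EC2_INSTANCE_CONNECT service, then allow only those prefixes inbound on TCP/22) is easy to script. The block below is an added example, not code from either commenter or from AWS: the JSON excerpt is constructed with RFC 5737/3849 documentation addresses in the same shape as the real document, and the security group id is a placeholder. The `aws ec2 authorize-security-group-ingress` flags used are the real CLI's.

```python
import json
import ipaddress

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are documentation ranges, NOT real AWS addresses; swap in the live
# document (urllib.request.urlopen on the URL above) for actual use.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/29", "region": "eu-west-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
    ],
})


def instance_connect_prefixes(ip_ranges_json, region, service="EC2_INSTANCE_CONNECT"):
    """Return (ipv4_prefixes, ipv6_prefixes) published for `service` in `region`.

    Only entries whose region AND service match are kept, so the broad EC2
    ranges for the same region are excluded.
    """
    doc = json.loads(ip_ranges_json)
    v4 = sorted(p["ip_prefix"] for p in doc.get("prefixes", [])
                if p["region"] == region and p["service"] == service)
    v6 = sorted(p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])
                if p["region"] == region and p["service"] == service)
    for cidr in v4 + v6:
        ipaddress.ip_network(cidr)  # ValueError if the document is malformed
    return v4, v6


def ingress_commands(group_id, v4, v6, port=22):
    """Build aws-cli commands that allow only the given prefixes inbound on `port`.

    `group_id` is a placeholder (e.g. "sg-0123456789abcdef0") supplied by the caller.
    """
    cmds = []
    for cidr in v4:
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    f"--protocol tcp --port {port} --cidr {cidr}")
    for cidr in v6:
        # IPv6 rules need the --ip-permissions shorthand form.
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                    f"--ip-permissions 'IpProtocol=tcp,FromPort={port},ToPort={port},"
                    f"Ipv6Ranges=[{{CidrIpv6={cidr}}}]'")
    return cmds


def source_is_allowed(source_ip, v4, v6):
    """True if a connecting source address falls inside one of the allowed prefixes."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in v4 + v6)


if __name__ == "__main__":
    v4, v6 = instance_connect_prefixes(SAMPLE_IP_RANGES, "us-east-1")
    for cmd in ingress_commands("sg-PLACEHOLDER", v4, v6):
        print(cmd)
```

Because the published ranges change, re-run the lookup when AWS bumps `syncToken` and diff the result against the current security group rules; a rule for a prefix that has disappeared from the document is one you no longer need, and a new prefix missing from the group is why Instance Connect suddenly times out.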