VM JIT · powered by Cloudanix Agentic JIT

Prod SSH access.
Without a bastion, without shared keys, without mystery commands.

Your engineers need to SSH into prod. Today that means a jumpbox, a shared ec2-user key, and audit logs that stop at the OS user. VM JIT replaces all of it: request in one click, approve in Slack, run cdx vm connect, and work in the terminal — or VS Code / Cursor Remote — you already love, with every command stamped to a real human.

✓ EC2 · GCE · Azure VM · Lightsail · on-prem · bare-metal
✓ Works with OpenSSH, VS Code Remote, Cursor Remote, JetBrains Gateway
✓ Sessions never leave your VPC
Request VM access · Production
Instance: web-prod-1 · ap-south-1
OS user: ec2-user
Duration: 30 min / 1 hr / 2 hr
Reason: INC-7741 · 5xx spike
$ cdx vm connect -i 061e2fc9 -o af10a481 -w 14414595
CDX CLI Version: 0.2.15
Authentication verified
Approval found · valid for 30 min
Outbound tunnel to your VPC opened
Short-lived SSH session minted
Connected to web-prod-1 as ec2-user
→ opening shell · stamped to sujay@cloudanix.com
ec2-user@web-prod-1 · live session
[ec2-user@web-prod-1 ~]$ sudo journalctl -u nginx -n 5
nginx: 502 upstream connection timed out (api-7)
nginx: 502 upstream connection timed out (api-7)
nginx: 502 upstream connection timed out (api-7)
✓ session active · 24:18 left · recording → s3://your-bucket/jit-vm/ · signed as sujay@cloudanix.com, not ec2-user
The problem

Every team with a fleet of prod VMs owns four compromises.

You can have security, or you can have engineers who can ship a hotfix at 2am — pick one. That's the deal most companies have made, and it stopped working the day your VMs moved into private subnets across half a dozen accounts.


The bastion tax

The VM sits in a private subnet — as it should. So now you run a bastion. Another box to patch, another set of SSH keys to rotate, another “is the jumpbox up?” standup question. Every incident starts with five minutes of network plumbing before anyone touches a log line.


The shared-key problem

Your fleet doesn't have 40 OS users. It has ec2-user, ubuntu, and root — and the private key is in a 1Password vault 40 people can open. Rotating it breaks a deploy script nobody remembers owning, so you don't. That key is one laptop away from being on GitHub.


Audit logs that audit nothing

Something went wrong at 3am and ec2-user ran rm -rf /var/lib/.... Which human was that? CloudTrail says “SSH session started.” The shell history says ec2-user. Slack says everyone was asleep. Your forensic story ends at the shared OS user.


No behavior signal to act on

Every shell session looks the same — all signed by ec2-user. There is no baseline for “what Sujay usually runs on a Tuesday,” so there's nothing anomalous to alert on. UEBA on shell activity is only as good as the identity attached to it. Today you have none.

How it works

One request. One approval. One command. Your own terminal.

No browser-based “web shell.” No new SSH client. No breaking the way your engineers already work.

  1. Ask, don't guess

    Pick a VM and OS user, set a duration, drop in a ticket or incident ID. One click. No SSH keys, no bastion config, no “@devops can you help me get in.”

  2. Approve where the team lives

    Slack or Teams. Context on who, what, why, and for how long. Read-only sessions can auto-approve — root and sudo on prod escalate. One click, and the clock starts.

  3. Tunnel opens outbound

    cdx vm connect on the laptop dials outbound to a proxy running in your VPC. The VM stays in its private subnet. No bastion. No inbound firewall hole. Nothing new exposed to the internet.

  4. Short-lived session. Familiar tools.

    A temporary SSH session is brokered to localhost or attached straight to your client. Use plain ssh, VS Code Remote, Cursor Remote, JetBrains Gateway, mosh, scp or rsync — whatever you already use.

  5. Every command, stamped to a human

    Even though the VM sees the shared ec2-user account, Cloudanix tags every command and every session recording with the real human's identity. UEBA runs on that stream. Full audit + recording lands in your S3 bucket. Session expires, access revoked, tunnel closed.

Real-world scenarios

Same JIT. Whoever needs to get in.

SREs on-call, contractors patching a CVE, auditors collecting evidence — one flow for everyone who touches your fleet, with the guardrails tuned per case.

scenario · INC-7741 · web-prod-1 · read-only
sujay (SRE) Pager fired — 5xx spike on web-prod-1. Need to tail nginx + check the upstream. Nothing more.
Sujay · iTerm → tunnel → Cloudanix JIT · signed session → web-prod-1
scope granted ec2-user · 30m · no-sudo · auto-approved · INC-7741
[ec2-user@web-prod-1 ~]$ sudo journalctl -u nginx -n 5
nginx: 502 upstream connection timed out (api-7)
nginx: 502 upstream connection timed out (api-7)
[ec2-user@web-prod-1 ~]$ curl -sf http://api-7:8080/healthz || echo DOWN
DOWN
✓ stamped to sujay@cloudanix.com · recording in S3 ⛔ Session closed · 04:12
scenario · api-prod-3 · on-call · sudo
priya (on-call) The payments service on api-prod-3 is wedged. Need to restart it and clear the lock file.
⚠ sudo · prod · irreversible ✓ Approved by oncall-lead · 9s
Priya · ssh → tunnel → Cloudanix JIT · signed session → api-prod-3
scope granted ec2-user · sudo · 60m · reason: INC-7741 · linked
[ec2-user@api-prod-3 ~]$ sudo systemctl restart payments
[ec2-user@api-prod-3 ~]$ sudo rm /var/run/payments.lock
[ec2-user@api-prod-3 ~]$ systemctl is-active payments
active
# service recovered. lock released.
✓ Every command stamped · priya@cloudanix.com ⛔ Session closed · recording → INC-7741
scenario · vendor · CVE patch · 3rd party laptop
alex (vendor) Patching the Apache CVE on the web-prod-* fleet. From my laptop, through the same cdx CLI your team uses. No shared key on my machine.
Alex · Warp → tunnel → Cloudanix JIT · signed session → web-prod-* fleet
scope granted ec2-user · sudo · 4h · SOW-204 · auto-expire today
[ec2-user@web-prod-1 ~]$ sudo yum update -y httpd
→ httpd patched to 2.4.59
[ec2-user@web-prod-1 ~]$ sudo systemctl restart httpd
# fleet patched: web-prod-1, web-prod-2, web-prod-3
✓ Every command stamped · alex@partner-co.com ⛔ Access ends 17:00 · no access tomorrow
scenario · SOC 2 audit · evidence collection
nadia (auditor) Need to capture /etc/ssh/sshd_config, installed-package list, and the running-process list on three prod VMs. Read-only, with a recording.
Nadia · ssh → tunnel → Cloudanix JIT · signed session → prod fleet · 3 VMs
scope granted ec2-user · read-only · 1h · recorded · SOC2-AUD-22
[ec2-user@web-prod-1 ~]$ cat /etc/ssh/sshd_config | grep -E "^(Port|PermitRoot)"
Port 22
PermitRootLogin no
[ec2-user@web-prod-1 ~]$ rpm -qa | wc -l
482
✓ Evidence bundle exported · signed ⛔ Session recording → s3://audit-evidence/
Works the same with EC2 · GCE · Azure VM · Lightsail · DigitalOcean · Linode · Hetzner · OCI Compute · VMware · on-prem & bare-metal too
The model

Your engineer sees a shell. You keep the keys.

What the engineer sees
  • A one-click request in the Cloudanix console or Slack
  • Their normal ssh, VS Code Remote, or Cursor Remote, connected to the VM
  • A real shell, with the tools and aliases they expect
  • No keys on their laptop. No bastion to hop through. Nothing to set up again tomorrow.
What security keeps
  • The VM in its private subnet, no new ingress, no bastion
  • The real SSH keys — they never leave your vault
  • A session tied to a real human, even when the OS user is shared
  • Every command, every sudo, every file copy — recorded into your S3 bucket, with UEBA running on it
Governance & recordings stay in your cloud.
Session replay

Recordings, not just logs. Scrub any past session like a video.

Every JIT session — every keystroke, every sudo, every file touched — is captured as a replayable recording. Watch it in the Cloudanix console, download it for offline playback, or send a signed URL to your auditor.

recording · INC-7741 · api-prod-3 · 04:12 total
[00:14] $ sudo journalctl -u payments -n 5
[00:32]   payments: connection pool exhausted
[00:32]   payments: holding lock on /var/run/payments.lock
[01:07] $ curl -sf http://localhost:8080/healthz || echo DOWN
[01:08]   DOWN
[02:21] $ sudo systemctl restart payments
[02:24]   ● payments.service — active (running)
[03:02] $ sudo rm /var/run/payments.lock
[04:11] $ exit
stamped · priya@cloudanix.com · host · api-prod-3 · OS user · ec2-user · sudo · 3 events
  • Watch in the console

    Every session appears as a replayable recording in the Cloudanix console. Jump straight to the moment a sudo ran or a file was touched — no scrolling through thousand-line shell history.

  • Download for offline replay

    Pull the session bundle and play it back locally during an incident review or a post-mortem — no console login required for the people in the war room.

  • Share with a signed URL

    Give a SOC 2 auditor timed access to one specific session. The link expires. The recording stays in your S3 bucket. Nothing copied, nothing leaked.

Client-native

Use the SSH client you already know.

VM JIT brokers a normal SSH session. If it speaks SSH — plain ssh, Remote-SSH from your IDE, mosh, scp, sftp, rsync — it just works. No browser-based web shell to learn, no context-switch for your team.

OpenSSH
VS Code Remote
Cursor Remote
JetBrains Gateway
mosh
scp · sftp · rsync
Any SSH-compatible client
What you get

Everything a compliant, auditable SSH flow requires — none of the plumbing your team hates.


Zero bastion

Outbound tunnel to a proxy in your own VPC. The VM stays private. No jumpbox to patch, no SSH keys to rotate.


Identity-stamped commands

Shared OS users stay shared. Every command is still tied to a real human — the one forensics and compliance actually need.

Short-lived sessions

Minted per request, expire on a clock, revoked the moment the work ends. No long-lived private key on a laptop.

Tiered approvals

Auto-approve read-only sessions. Escalate sudo and root on prod to Slack or Teams. Tune the thresholds per team, per fleet.


Session recording in your S3

Full keystroke + command log with identity, timestamp, exit code, and a replayable recording — written to your S3 bucket. Recordings never leave your account unless you ask.


UEBA on shell activity

Real identities make real baselines. Alert on the rm that Sujay has never run before, on a Sunday, from a new country.
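As an added example (not Cloudanix's code; its recording format and APIs are not public here), a small parser over a constructed recording in the "[mm:ss] $ command" shape shown in the session replay above. It stamps each command with the human identity instead of the shared OS user, counts sudo events, and flags the command this identity has never run before, which is the baseline signal UEBA on shell activity needs. The session field names and the baseline set are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the recording format shown on this page: "[mm:ss] $ cmd"
# lines are commands typed in the shell; indented lines are that command's output.
RECORDING = """\
[00:14] $ sudo journalctl -u payments -n 5
[00:32]   payments: connection pool exhausted
[00:32]   payments: holding lock on /var/run/payments.lock
[01:07] $ curl -sf http://localhost:8080/healthz || echo DOWN
[01:08]   DOWN
[02:21] $ sudo systemctl restart payments
[02:24]   payments.service - active (running)
[03:02] $ sudo rm /var/run/payments.lock
[04:11] $ exit
"""

# Session metadata as the broker stamps it (constructed values; field names are assumptions).
SESSION = {"identity": "priya@cloudanix.com", "host": "api-prod-3", "os_user": "ec2-user"}

# Programs this identity has run before on prod (constructed baseline, assumption).
BASELINE = {"priya@cloudanix.com": {"journalctl", "curl", "systemctl", "exit"}}

CMD_RE = re.compile(r"^\[(\d+):(\d\d)\] \$ (.+)$")


@dataclass
class Event:
    offset_s: int   # seconds since the session started
    identity: str   # the human, not the OS account
    os_user: str
    host: str
    sudo: bool
    program: str    # the program run (after a leading "sudo", if any)
    cmdline: str


def parse_recording(text, session):
    """Turn command lines into events stamped with the human identity, not the OS user."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue  # output line, not a typed command
        mins, secs, cmdline = int(m.group(1)), int(m.group(2)), m.group(3)
        words = cmdline.split()
        sudo = words[0] == "sudo"
        program = words[1] if sudo and len(words) > 1 else words[0]
        events.append(Event(mins * 60 + secs, session["identity"], session["os_user"],
                            session["host"], sudo, program, cmdline))
    return events


def sudo_count(events):
    return sum(1 for e in events if e.sudo)


def first_seen(events, baseline):
    """Commands this identity has never run before: the alert a shared OS user can't give you."""
    return [e for e in events if e.program not in baseline.get(e.identity, set())]
```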


Multi-cloud · multi-account

AWS, Azure, GCP and on-prem fleets — across every account, subscription, project and VPC — governed by one JIT flow, one policy engine, one audit stream.


Any SSH client, no lock-in

OpenSSH, VS Code Remote, Cursor Remote, JetBrains Gateway, mosh, scp, rsync — engineers keep the tools they love.


One JIT for humans & agents

Same policy engine, same approval flow, same audit — whether the requester is a person, a CI/CD job, or an AI coding agent over MCP.
