When Session Manager is not enough for privileged access
AWS SSM Session Manager is a sensible default for EC2 shell access. Wardengate is for teams that outgrow AWS-only scope and need cross-cloud brokering, RDP, and audit evidence auditors can sign off on.
to first brokered session
Helm or Compose deploy — not a six-month agent rollout
gateway for every protocol
SSH, RDP, databases, and Kubernetes through one policy engine
audit export bundles
Evidence your GRC team can hand to auditors without reconstruction
control plane option
Run on your infrastructure — no mandatory SaaS lock-in
Cross-cloud gateway vs. AWS-native sessions
Session Manager solves a slice of the problem well. Wardengate solves the whole privileged access program — especially when auditors ask what happened inside the session.
| Capability | Wardengate | AWS SSM Session Manager |
|---|---|---|
| Scope | AWS, Azure, GCP, on-prem, and hybrid — one control plane | AWS EC2 and selected AWS services only |
| Protocol support | SSH, RDP, VNC, databases, Kubernetes | Primarily shell access via SSM agent on EC2 |
| Session evidence | Keystroke, screen, and file capture with signed exports | Session logs and optional S3 logging — limited playback |
| Approval workflows | JIT access with named approvers and ticket integration | IAM policies and tags — no native approval routing |
| Third-party access | Vendor identities, time-bound access, full attribution | Requires IAM users/roles — awkward for external parties |
| Compliance packaging | Framework-mapped exports for SOC 2, PCI, HIPAA | CloudTrail and S3 artifacts — manual GRC correlation |
When teams switch
Signs you have outgrown Session Manager
- SSM works for AWS Linux boxes but RDP and database admin paths still bypass it.
- You operate across cloud and on-prem and need one audit story, not per-cloud silos.
- Auditors want session playback, not just CloudTrail entries showing a session started.
- Vendor and contractor access cannot be cleanly modeled with IAM alone.
Frequently asked questions
- Is Session Manager good enough for SOC 2?
  For some AWS-only estates, SSM plus CloudTrail may satisfy basic logging controls. Most teams hit gaps on playback, cross-cloud coverage, vendor access, and packaging evidence for CC6/CC7 without manual work each audit cycle.
- Can Wardengate work alongside SSM?
  Yes. Many teams keep SSM for break-glass on EC2 and route everyday privileged access through Wardengate for consistent policy, recording, and exports across their full estate.
AWS-native but audit-hungry?
Unify privileged access across your full estate
See how teams keep SSM for break-glass and standardize everyday admin paths on one gateway with exports your GRC team recognizes.