AWS Private EC2 Operations Guide Part 4: Deploying to Private EC2 from GitHub Actions — OIDC, SSM Run Command, CodeDeploy
Build a deployment pipeline that has no open port 22 and no AWS access key anywhere on its path. OIDC federation removes static credentials, S3 acts as the artifact hub, and either SSM Run Command (simple) or CodeDeploy (zero-downtime) lands the code on the instance.
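With static keys gone, the IAM role's trust policy is what decides which workflows may deploy. The following Python check is an added example, not code from this guide: it flags GitHub OIDC trust statements that are not pinned to one repository and ref. The account ID `111122223333`, the repository `example-org/example-app` and the helper names are constructed placeholders.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _values(cond, operators, key):
    """Collect values of condition `key` (compared case-insensitively) under the given operators."""
    out = []
    for op in operators:
        for k, v in cond.get(op, {}).items():
            if k.lower() == key.lower():
                out += v if isinstance(v, list) else [v]
    return out

def audit_trust_policy(policy):
    """Return findings for GitHub OIDC trust statements; an empty list means they are scoped."""
    findings = []
    stmts = policy.get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        principal = s.get("Principal")
        fed = principal.get("Federated", []) if isinstance(principal, dict) else []
        fed = fed if isinstance(fed, list) else [fed]
        if s.get("Effect") != "Allow" or not any(
                str(f).endswith("oidc-provider/" + GITHUB_OIDC) for f in fed):
            continue  # not a GitHub OIDC federation statement
        cond = s.get("Condition", {})
        if "sts.amazonaws.com" not in _values(cond, ["StringEquals"], GITHUB_OIDC + ":aud"):
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _values(cond, ["StringEquals", "StringLike"], GITHUB_OIDC + ":sub")
        if not subs:
            findings.append("no sub condition: workflows in any repository can assume the role")
        for sub in subs:
            parts = sub.split(":", 2)  # repo : owner/name : ref or event context
            if parts[0] != "repo" or len(parts) < 2 or any(c in parts[1] for c in "*?"):
                findings.append(f"sub '{sub}' does not name one owner/repo")
            elif len(parts) < 3 or parts[2] == "*":
                findings.append(f"sub '{sub}' allows every branch, tag and pull request")
    return findings

def _policy(sub_op=None, sub=None):
    """Build a constructed trust policy; the account ID is a placeholder."""
    cond = {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}}
    if sub:
        cond.setdefault(sub_op, {})[GITHUB_OIDC + ":sub"] = sub
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": cond}]}

# Constructed samples: example-org/example-app is a hypothetical repository.
SCOPED = _policy("StringEquals", "repo:example-org/example-app:ref:refs/heads/main")
AUD_ONLY = _policy()
WILDCARD = _policy("StringLike", "repo:example-org/*")
```

Run `audit_trust_policy` over the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) before wiring the role into a workflow.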