But the AWS SSM agent doesn't listen on the network [0]. The connection is initiated by the agent towards the cloud API, so any commands that come in aren't new connections established over a possibly insecure network.
Of course, if the agent's verification of who it's talking to is as good as in the case of Azure, all bets are off.
---
[0] I've just checked this on an Ubuntu EC2 instance. The SSM agent is running, but it doesn't listen on any interface. No custom configuration was done to it.
By default, SSM Agent is preinstalled on instances created from the following Amazon Machine Images (AMIs):
Amazon Linux
Amazon Linux 2
Amazon Linux 2 ECS-Optimized Base AMIs
macOS 10.14.x (Mojave) and 10.15.x (Catalina)
Ubuntu Server 16.04, 18.04, and 20.04
Windows Server 2008-2012 R2 AMIs published in November 2016 or later
Windows Server 2016 and 2019
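
The check described in footnote [0] can be repeated by classifying the sockets a process owns in `ss -H -tunap` output. The following is an added example, not part of the original comments; the sample lines are constructed, and the `ssm-agen` pattern assumes the agent's process names start with `amazon-ssm-agent` / `ssm-agent-worker`, which `ss` shows truncated to 15 characters.

```shell
#!/bin/sh
# Added example: count listening vs. established sockets per process,
# reading `ss -H -tunap` output (no header; TCP+UDP, all states, numeric,
# with owning process) on stdin.

# socket_report PATTERN
#   Prints "listening=<n> established=<n>" for sockets whose owning
#   process name contains PATTERN. The kernel truncates the name shown by
#   ss to 15 characters, so match on a prefix such as "ssm-agen".
socket_report() {
    awk -v pat="$1" '
        # The last column looks like users:(("name",pid=N,fd=N)); match
        # PATTERN only inside a quoted process name.
        $0 ~ ("\\(\"[^\"]*" pat "[^\"]*\"") {
            # LISTEN (TCP) and UNCONN (unconnected UDP) accept inbound
            # traffic; ESTAB is an already connected socket.
            if ($2 == "LISTEN" || $2 == "UNCONN") listening++
            else if ($2 == "ESTAB") established++
        }
        END { printf "listening=%d established=%d\n", listening, established }
    '
}

# Constructed sample of `ss -H -tunap` output (addresses use documentation
# ranges; PIDs and process names are illustrative assumptions).
SAMPLE='tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*        users:(("systemd-resolve",pid=412,fd=14))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*        users:(("sshd",pid=733,fd=3))
tcp   ESTAB  0      0      10.0.0.12:51234    192.0.2.10:443   users:(("amazon-ssm-agen",pid=901,fd=12))
tcp   ESTAB  0      0      10.0.0.12:51240    192.0.2.11:443   users:(("ssm-agent-worke",pid=955,fd=9))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*        users:(("systemd-resolve",pid=412,fd=13))'

# Run against the sample. On a real instance, replace the printf with:
#   sudo ss -H -tunap | socket_report ssm-agen
# (root is needed to see process names for sockets owned by other users).
printf '%s\n' "$SAMPLE" | socket_report ssm-agen
```

A result of `listening=0` with a non-zero `established` count matches the behaviour described above: the agent holds outbound connections and exposes no listening socket.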