A hardened server should be used as a bastion host. This server provides the following functions:
- Act as a secure gateway into the cloud environment
- Configure all other servers to accept connections from this server only
- From the bastion you can launch tasks that perform further actions on the other cloud servers
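
One way to check the "accept connections from this server only" rule, as an added example that is not part of the original post: it scans ingress firewall rules and reports any that let a source other than the bastion reach SSH. The rule format, server names and addresses are constructed for illustration and do not match any particular cloud provider's export.

```python
import ipaddress

SSH_PORT = 22

# Constructed sample rules (hypothetical format): one dict per firewall rule.
RULES = [
    {"server": "app-1", "direction": "ingress", "action": "allow",
     "source": "10.0.0.5/32", "ports": (22, 22)},      # bastion only: fine
    {"server": "app-2", "direction": "ingress", "action": "allow",
     "source": "0.0.0.0/0", "ports": (22, 22)},        # SSH open to the world
    {"server": "db-1", "direction": "ingress", "action": "allow",
     "source": "10.0.0.0/24", "ports": (1, 1024)},     # wide range hides port 22
    {"server": "web-1", "direction": "ingress", "action": "allow",
     "source": "0.0.0.0/0", "ports": (443, 443)},      # not SSH: ignored
    {"server": "db-1", "direction": "egress", "action": "allow",
     "source": "0.0.0.0/0", "ports": (22, 22)},        # egress: ignored
]


def ssh_exposure(rules, bastion_ip):
    """Return (server, source, ports) for every allow rule that lets a
    source other than the single bastion address reach the SSH port."""
    # Without a prefix this yields /32 for IPv4 and /128 for IPv6.
    bastion = ipaddress.ip_network(bastion_ip)
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["action"] != "allow":
            continue
        low, high = rule["ports"]
        if not low <= SSH_PORT <= high:
            continue  # rule does not cover SSH
        source = ipaddress.ip_network(rule["source"], strict=False)
        # Anything wider than, or different from, the bastion host is a finding,
        # even a subnet that happens to contain the bastion.
        if source != bastion:
            findings.append((rule["server"], rule["source"], f"{low}-{high}"))
    return findings


if __name__ == "__main__":
    for server, source, ports in ssh_exposure(RULES, "10.0.0.5"):
        print(f"{server}: SSH reachable from {source} (ports {ports})")
```
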
How to run an ssh or scp command that is initiated by the client but needs to be executed from the bastion host against another cloud server.
This relatively long script, written in Python using the paramiko module, demonstrates the idea. It can definitely be extended and improved, but you get the idea I hope :).