If you're hosting on a public cloud, you can use a feature like AWS Session Manager to connect "through the backdoor" (via the guest's private communication with the hypervisor) without actually opening the ssh port to the world. This should fully address the client's concerns. None of my servers have ssh exposed at all.

▲

lxgr 5 hours ago | parent [-]

How does the nature of remote access address the legal concern (presumably) about there being remote access in general?

▲

electroly 5 hours ago | parent [-]

That isn't my presumption about nature of the concern. In OP's other comment they specify that the client is specifically worried about the open port.

	▲	lxgr 5 hours ago \| parent [-]
		Well, if you allow remote access, you conceptually allow some kind of logical inbound connection, no matter how it's technically realized.