A best practice in this area is to use a bastion. A bastion is a special purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances.
We do some similar things, but these are nice instructions for you Windows folks using RDP. You can also layer on monitoring, as most privileged user management tools do. Keep your eye out for tools that proxy the cloud management plane though – I expect that area to grow quite a bit.
I don’t want to promote any products so I am being a bit cagey, but there is stuff out there, and more coming. For the management plane you need to fully proxy the API calls, which essentially means you need a translation layer to intercept the call with local credentials, analyze the request, then reassemble the API call with valid credentials for the cloud service provider. Unless you can convince Amazon/Rackspace/Microsoft to install a custom proxy in front of their entire service for you, and let you manage through that.
It could happen.