The requirements specify SSH access, no internet exposure, and connection through the AWS Management Console. The AWS-native solution designed specifically for this use case is EC2 Instance Connect Endpoint (EICE).
Option B correctly implements this approach. EC2 Instance Connect Endpoint enables secure SSH access to EC2 instances in private subnets without requiring a bastion host, public IP address, or inbound internet access. Developers authenticate through the AWS Management Console, and the connection is established over HTTPS (port 443), which is why the security group must allow inbound traffic on port 443.
The AmazonEC2InstanceConnect IAM managed policy grants developers permission to push temporary SSH keys to the instance, ensuring short-lived, auditable access that aligns with AWS security best practices. This approach significantly reduces attack surface and operational complexity.
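As an added example (not part of the original answer or of any AWS-published policy), the following identity-based policy narrows EICE access further than the managed policy does: developers may open a tunnel only through one named endpoint, only to port 22, only to instances in one private subnet range, and only for sessions of at most an hour. The endpoint ID, account ID, region, CIDR and OS user are placeholder assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelThroughApprovedEndpointOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance-connect-endpoint/eice-EXAMPLE0123456789",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/24"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "3600"
        }
      }
    },
    {
      "Sid": "PushShortLivedKeyAsNamedOsUser",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ec2-user"
        }
      }
    },
    {
      "Sid": "ReadOnlyLookupsNeededByConsole",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
```

Every OpenTunnel and SendSSHPublicKey call is recorded in CloudTrail, so the conditions above also give you something concrete to alert on when a tunnel request is denied for an unexpected port, address range or duration.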
Options A and D incorrectly attempt to use AWS Systems Manager for SSH access on port 22. Systems Manager Session Manager does not use SSH and operates over port 443 without opening inbound ports. Option C is incorrect because EC2 Instance Connect Endpoint does not accept inbound connections on port 22; SSH traffic is tunneled through the endpoint using HTTPS.
Therefore, B is the correct solution because it provides secure, console-based SSH access to private EC2 instances with minimal infrastructure and maximum security.