AWS allows for a no-ingress EC2 instance that can only be accessed via Systems Manager. This is the recommended best practice. Also read - Identity Aware Proxy on GCP for Compute Engine Access

Here are a couple of simple, yet often ignored, best practices around EC2 instance access.

Access to EC2 instances via Systems Manager Only (Management Access)

  • Management of EC2 instances should be via Systems Manager (SSM).
  • No-ingress EC2 instances should be created with SSM enabled.
  • This removes the whole headache of whitelisting allowed IP addresses to manage EC2 instances.

No Public IP on EC2 Instances  (Public/End User Access)

EC2 instances that need to be public facing should be fronted by a load balancer. The load balancer should expose the public IP, not the EC2 instance.
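The two practices above (management only through SSM on a no-ingress instance, and no public IP on the instance itself) are easy to audit from the API data AWS already returns. The script below is an added example, not code from the original post, and it assumes input shaped like the output of `describe-instances`, `describe-security-groups` and SSM `describe-instance-information`; the instance IDs, group IDs and the 203.0.113.10 address in it are constructed sample values, and the `LOAD_BALANCER_GROUPS` set is an assumption standing in for the security groups attached to your load balancers.

```python
"""Posture check for EC2 management and public access (added example).

Flags, per instance:
  1. a public IP assigned directly to the instance,
  2. security-group ingress from anything other than a load balancer's group,
  3. the instance not being registered with Systems Manager.
The record shapes mirror the AWS API responses so real output can be dropped in;
every value below is constructed for illustration, not taken from a real account.
"""

# --- constructed sample data ---------------------------------------------
INSTANCES = [
    {   # hardened: private only, no inbound rules, managed by SSM
        "InstanceId": "i-0aaa111111111111a",
        "SecurityGroups": [{"GroupId": "sg-0noingress"}],
    },
    {   # legacy: public IP plus SSH open to the world, not SSM-managed
        "InstanceId": "i-0bbb222222222222b",
        "PublicIpAddress": "203.0.113.10",
        "SecurityGroups": [{"GroupId": "sg-0legacy"}],
    },
    {   # web tier: private, reachable only from the load balancer's group
        "InstanceId": "i-0ccc333333333333c",
        "SecurityGroups": [{"GroupId": "sg-0web"}],
    },
]

SECURITY_GROUPS = {
    "sg-0noingress": {"IpPermissions": []},
    "sg-0legacy": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    "sg-0web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb"}]},
    ]},
}

# Instance IDs that SSM reports as managed (from describe-instance-information).
SSM_MANAGED = {"i-0aaa111111111111a", "i-0ccc333333333333c"}

# Assumed: security groups attached to load balancers. Ingress from these is the
# intended public path; any other source counts as direct exposure.
LOAD_BALANCER_GROUPS = {"sg-0alb"}


def describe_rule(perm):
    """Render one IpPermissions entry as 'proto ports from source, source'."""
    proto = perm.get("IpProtocol", "-1")
    ports = "all ports" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return f"{proto} {ports} from {', '.join(sources) or 'unspecified'}"


def unexpected_sources(perm, lb_groups):
    """Sources of an ingress rule that are not an allowed load-balancer group."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])
              if g["GroupId"] not in lb_groups]
    return cidrs + groups


def audit_instance(instance, security_groups, ssm_managed, lb_groups):
    """Return the list of findings for one instance (empty means compliant)."""
    issues = []
    if instance.get("PublicIpAddress"):
        issues.append(f"public IP {instance['PublicIpAddress']} assigned; "
                      "front the instance with a load balancer instead")
    for ref in instance.get("SecurityGroups", []):
        sg = security_groups.get(ref["GroupId"], {})
        for perm in sg.get("IpPermissions", []):
            if unexpected_sources(perm, lb_groups):
                issues.append(f"{ref['GroupId']} allows ingress {describe_rule(perm)}; "
                              "management traffic should go through SSM")
    if instance["InstanceId"] not in ssm_managed:
        issues.append("not registered with Systems Manager; check the SSM agent, "
                      "instance profile and SSM VPC endpoints")
    return issues


def audit(instances=INSTANCES, security_groups=SECURITY_GROUPS,
          ssm_managed=SSM_MANAGED, lb_groups=LOAD_BALANCER_GROUPS):
    """Map instance ID -> findings for every instance."""
    return {i["InstanceId"]: audit_instance(i, security_groups, ssm_managed, lb_groups)
            for i in instances}


if __name__ == "__main__":
    for instance_id, issues in audit().items():
        print(instance_id, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Only the legacy instance is flagged: it carries a public IP, its group admits SSH from 0.0.0.0/0, and it is not SSM-managed. The web-tier instance passes because its only inbound rule comes from the load balancer's group, which is exactly the pattern the post recommends. For a no-ingress instance to register with SSM at all, it still needs a path to the SSM service, either outbound internet access or VPC interface endpoints for `ssm`, `ssmmessages` and `ec2messages`, plus an instance profile that grants the `AmazonSSMManagedInstanceCore` managed policy; the third finding is the usual symptom when one of those is missing.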

Summary

IaaS-based compute is the most used service alongside storage. Protecting both management-level access and public access to these instances is key to ensuring a secure AWS environment.