EC2 Instance Connect is preferred over a bastion host when you need secure, temporary, and auditable SSH access without maintaining a dedicated server
Access via EC2 Instance Connect is logged in AWS CloudTrail: every SendSSHPublicKey call is recorded with the calling IAM principal, the target instance ID and the OS user, so each key push is attributable to a person or role.
Requires a network path to the instance's SSH port (22): a public IP when connecting over the internet, or, for instances in private subnets, an EC2 Instance Connect Endpoint, a VPN/Direct Connect path, or an SSH session tunnelled through Systems Manager Session Manager (aws ssm start-session with the AWS-StartSSHSession document). The security group must also allow inbound SSH from the client, or from the EC2 Instance Connect service IP range for the region when using the browser-based client in the console.
Requires the ec2-instance-connect package on the instance, which configures sshd to fetch pushed keys through AuthorizedKeysCommand. It is preinstalled on Amazon Linux 2, Amazon Linux 2023 and recent Ubuntu AMIs; other distributions need it installed and configured manually.
No need to manage or share SSH key pairs.
Access is controlled through IAM: the caller needs ec2-instance-connect:SendSSHPublicKey, which can be scoped to specific instance ARNs and to a specific OS user with the ec2:osuser condition key.
Temporary keys limit exposure: the client generates an ephemeral key pair and pushes only the public key, and the instance accepts it for 60 seconds, so there is no long-lived authorized key on the host to leak, share or rotate.
Yes, a public IP is required when connecting over the internet, because the SSH connection (from your client, or from the EC2 Instance Connect service when you use the console's browser-based client) must reach a routable address. For instances in private subnets, use an EC2 Instance Connect Endpoint, a VPN or Direct Connect path, or an SSH session tunnelled through Session Manager instead.
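The two controls in the notes above, IAM scoping of SendSSHPublicKey and the CloudTrail record of every key push, are only useful together if someone checks that usage stays inside the grant. The following is an added example written for these notes, not AWS code: it lints an IAM policy for an unscoped Instance Connect grant, then compares constructed CloudTrail records against the policy's allowed instances and OS users. The action name, the ec2:osuser condition key, the eventSource and the eventName are real; the account ID, region, instance IDs, principals, timestamps and the exact requestParameters field names in the sample records are assumptions for illustration.

```python
"""Lint an EC2 Instance Connect IAM grant and audit CloudTrail key pushes against it.
Added example for these notes, not AWS code. Sample records are constructed."""
import json

SEND_KEY_ACTION = "ec2-instance-connect:SendSSHPublicKey"
EVENT_SOURCE = "ec2-instance-connect.amazonaws.com"

# Hypothetical least-privilege grant: one instance, one OS user. Account ID,
# region and instance ID are made up; the action and ec2:osuser key are real.
INSTANCE_CONNECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": SEND_KEY_ACTION,
        "Resource": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def4567890",
        "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}},
    }],
}

# Constructed CloudTrail log file. eventSource/eventName match real records;
# the requestParameters field names are assumed, check them against your own trail.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:03Z", "eventSource": EVENT_SOURCE,
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceId": "i-0abc123def4567890", "osUser": "ec2-user",
                           "SSHKey": {"publicKey": "ssh-ed25519 AAAA...constructed"}}},
    {"eventTime": "2024-05-01T09:14:41Z", "eventSource": EVENT_SOURCE,
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "AccessDenied",
     "requestParameters": {"instanceId": "i-0abc123def4567890", "osUser": "root"}},
    {"eventTime": "2024-05-01T09:20:15Z", "eventSource": EVENT_SOURCE,
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Admin/session"},
     "requestParameters": {"instanceId": "i-0ffffffffffffffff", "osUser": "root"}},
    {"eventTime": "2024-05-01T09:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def load_trail(blob):
    """CloudTrail log files wrap their events in a top-level 'Records' array."""
    return json.loads(blob).get("Records", [])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_send_key(statement):
    if statement.get("Effect") != "Allow":
        return False
    return any(a in (SEND_KEY_ACTION, "ec2-instance-connect:*", "*")
               for a in _as_list(statement.get("Action", [])))


def policy_findings(policy):
    """Problems with Allow statements for SendSSHPublicKey; empty means the grant is scoped."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if not _grants_send_key(st):
            continue
        resources = _as_list(st.get("Resource", "*"))
        if any(r == "*" or r.endswith("instance/*") for r in resources):
            findings.append(f"statement {idx}: key push allowed on every instance")
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if "ec2:osuser" not in conditions:
            findings.append(f"statement {idx}: no ec2:osuser condition, any OS user incl. root is reachable")
    return findings


def policy_scope(policy):
    """(instance IDs, OS users) explicitly allowed by the policy's SendSSHPublicKey statements."""
    instances, osusers = set(), set()
    for st in policy.get("Statement", []):
        if not _grants_send_key(st):
            continue
        for r in _as_list(st.get("Resource", [])):
            if ":instance/" in r and not r.endswith("/*"):
                instances.add(r.rsplit("/", 1)[1])
        conditions = st.get("Condition", {}).get("StringEquals", {})
        osusers.update(_as_list(conditions.get("ec2:osuser", [])))
    return instances, osusers


def audit_events(records, policy):
    """Flag SendSSHPublicKey calls that were denied or landed outside the policy's scope."""
    instances, osusers = policy_scope(policy)
    findings = []
    for rec in records:
        if rec.get("eventSource") != EVENT_SOURCE or rec.get("eventName") != "SendSSHPublicKey":
            continue
        params = rec.get("requestParameters") or {}
        instance, osuser = params.get("instanceId"), params.get("osUser")
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        where = f"{osuser}@{instance} from {rec.get('sourceIPAddress')}"
        if rec.get("errorCode"):
            findings.append(f"{rec['eventTime']} DENIED {who} -> {where} ({rec['errorCode']})")
        elif instance not in instances or osuser not in osusers:
            # A successful push outside the scoped grant means some other policy allowed it.
            findings.append(f"{rec['eventTime']} OUT-OF-SCOPE {who} -> {where}")
    return findings


if __name__ == "__main__":
    print("policy findings:", policy_findings(INSTANCE_CONNECT_POLICY) or "none")
    for line in audit_events(load_trail(SAMPLE_TRAIL), INSTANCE_CONNECT_POLICY):
        print(line)
```

A denied push is worth seeing because it is a principal probing for access it does not have; a successful push to an instance or OS user the scoped policy does not cover means a broader grant exists somewhere (an admin role, an inline policy) and is the finding that usually matters most.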