The correct option is Install AWS Systems Manager Agent on all instances with an IAM role for Systems Manager, onboard contractors with permission sets in AWS IAM Identity Center for console access, and use Systems Manager Session Manager for shell access so no inbound ports are opened.

This approach centralizes identity and access management and removes the need to open inbound ports. Systems Manager Agent with an appropriate role lets Session Manager provide interactive shell access without SSH. Session Manager integrates with CloudWatch Logs and S3 for full activity auditing and with AWS KMS for encryption. AWS IAM Identity Center provides centralized permission sets that work across accounts in AWS Organizations and it simplifies contractor onboarding and lifecycle management while supporting least privilege.

Deploy a hardened bastion host in a public subnet, restrict SSH to known contractor CIDR ranges with security groups, issue IAM user credentials for console sign-in, and distribute SSH key pairs for hopping to the private instances via the bastion is less secure because it creates a host that is exposed to the internet and it requires managing SSH keys and long lived credentials which increases the attack surface and operational overhead.

Install AWS Systems Manager Agent on each instance with an instance profile, create short-lived IAM users in every account for contractors to reach the console, and require Systems Manager Session Manager for instance access improves access compared to SSH but it fragments identity management by using per account IAM users. This makes auditing and permission lifecycle harder than using centralized permission sets with IAM Identity Center.

Establish AWS Client VPN from the contractors' office network, create IAM users in each account for console access, and allow SSH from the VPN to the private EC2 instances using security groups adds network complexity and still relies on SSH which expands the attack surface. It also depends on account scoped IAM users which are harder to govern and audit at scale.

Full AWS Practitioner Certification Question