EC2, CloudWatch, AWS Config, IAM, VPN
A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company’s engineers rely heavily on SSH access to the instances for troubleshooting. The company’s existing architecture includes the following:

• A VPC with private and public subnets, and a NAT gateway.
• Site-to-Site VPN for connectivity with the on-premises environment.
• EC2 security groups with direct SSH access from the on-premises environment.

The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers. Which strategy should a solutions architect use?