By default, the instance is deployed to a public subnet but any ingress traffic is not allowed by the instance's security group. This is needed for the instance's ability to connect to AWS SSM service (egress only).
The user can also deploy the instance to a private subnet but this would require them to manually ensure connectivity to the AWS SSM via NAT gateway, VPC endpoint or other means.
By default, the instance is deployed to a public subnet but any ingress traffic is not allowed by the instance's security group. This is needed for the instance's ability to connect to AWS SSM service (egress only).
The user can also deploy the instance to a private subnet but this would require them to manually ensure connectivity to the AWS SSM via NAT gateway, VPC endpoint or other means.