@relaxdiego
Last active December 2, 2020 06:27
If you can't be bothered to implement cert-based SSH...
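#!/usr/bin/env bash
# Usage: instance_id=<EC2 instance ID> <path to this script>
: "${instance_id:?Set instance_id to the EC2 instance ID}"

# Look up the instance's public IP address
ip_address=$(
  aws ec2 describe-instances --instance-ids "$instance_id" | \
  jq -r ".Reservations[] | .Instances[] | select(.InstanceId==\"$instance_id\") | .PublicIpAddress"
)

# jq prints "null" when the instance has no public IP address
if [ -z "$ip_address" ] || [ "$ip_address" = "null" ]; then
  echo "No public IP address found for $instance_id" >&2
  exit 1
fi

# Only show the fingerprints when the host is not yet in known_hosts.
# ssh-keygen -F also finds hashed entries, which a plain grep would miss.
if ! ssh-keygen -F "$ip_address" >/dev/null 2>&1; then
  # Print the SSH fingerprints for jumpbox
  echo "Valid server key fingerprints:"
  aws ec2 get-console-output --instance-id "$instance_id" | \
  jq -r '.Output' | \
  awk '/-----BEGIN SSH HOST KEY FINGERPRINTS-----/{flag=1; next} /-----END SSH HOST KEY FINGERPRINTS-----/{flag=0} flag' | \
  awk '{print $6}'
  echo -e "\nUse one of the above lines to verify the remote's identity\n"
fi

ssh "ubuntu@$ip_address"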

relaxdiego commented Dec 2, 2020

Sample output:

$ instance_id=i-060c1d1da13ca ./secure-ssh-to-aws-instansce.sh
Valid server key fingerprints:
SHA256:8Krqwcoto2ewAFgLQD8zjBfRhm7DCDoM1gXQbpQjLrc
SHA256:oCQtxhE1AqwLPMfkE6wfPB183N/0Jj1PpDElDprGpHI
SHA256:L3fiT/WEWRc0DarJlOA6N+mZN9/WK9dSgb8ff6Jid94
SHA256:lCFA8B3r55z/QUPCpXPBJIzA+VYV7rDi+OFHAJjaI9Q

Use one of the above lines to verify the remote's identity

The authenticity of host '175.41.161.140 (175.41.161.140)' can't be established.
ECDSA key fingerprint is SHA256:oCQtxhE1AqwLPMfkE6wfPB183N/0Jj1PpDElDprGpHI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? SHA256:oCQtxhE1AqwLPMfkE6wfPB183N/0Jj1PpDElDprGpHI
Warning: Permanently added '175.41.161.140' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
...
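
The script leaves the comparison between the printed fingerprints and the one `ssh` shows to the operator. The following is an added example, not part of the gist or the author's comment, that does the comparison mechanically and pins the scanned key only when it matches. The function names, the `pin_verified_host_key` wrapper, the ed25519 key type and the sample console lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist.

# Print every SHA256 fingerprint found between the BEGIN/END markers of the
# console output on stdin. Scanning all fields (instead of a fixed column)
# keeps this independent of the log-line prefix.
console_fingerprints() {
  awk '/-----BEGIN SSH HOST KEY FINGERPRINTS-----/ {flag=1; next}
       /-----END SSH HOST KEY FINGERPRINTS-----/   {flag=0}
       flag { for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }'
}

# Succeed only if fingerprint $1 equals, as a whole line, one of the trusted
# fingerprints on stdin. An empty fingerprint never matches.
fingerprint_is_trusted() {
  [ -n "$1" ] && grep -qxF -- "$1"
}

# Hypothetical live wrapper: $1 = instance ID, $2 = IP address. Assumes the
# host offers an ed25519 key. The scanned key is appended to known_hosts only
# after its fingerprint matches the console output, so the later ssh
# connection is checked against exactly the key that was verified.
pin_verified_host_key() (
  key=$(ssh-keyscan -t ed25519 "$2" 2>/dev/null)
  offered=$(printf '%s\n' "$key" | ssh-keygen -lf - 2>/dev/null | awk '{print $2}')
  aws ec2 get-console-output --instance-id "$1" | jq -r '.Output' |
    console_fingerprints | fingerprint_is_trusted "$offered" &&
    printf '%s\n' "$key" >> ~/.ssh/known_hosts
)

# Constructed console output (fingerprints are made up) for an offline run.
sample_console() {
  cat <<'EOF'
<14>Dec  2 06:00:01 ec2: stray SHA256:ZZZZconstructedOutsideMarkers000000000000000
<14>Dec  2 06:00:01 ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
<14>Dec  2 06:00:01 ec2: 256 SHA256:AAAAconstructedFingerprintOne0000000000000000 root@ip-10-0-0-1 (ECDSA)
<14>Dec  2 06:00:01 ec2: 256 SHA256:BBBBconstructedFingerprintTwo0000000000000000 root@ip-10-0-0-1 (ED25519)
<14>Dec  2 06:00:01 ec2: -----END SSH HOST KEY FINGERPRINTS-----
EOF
}

if sample_console | console_fingerprints |
   fingerprint_is_trusted "SHA256:BBBBconstructedFingerprintTwo0000000000000000"; then
  echo "offered key matches the console output"
fi
```

With the key pinned this way, the later `ssh` connection proceeds without the interactive fingerprint prompt, and a host presenting a different key is rejected by the normal known_hosts check.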
