High-level EC2 Instance builder following AWS security best practices. **Default Security Settings:** - Instance type = t3.micro (cost-effective for dev/test) - Detailed monitoring = disabled (opt-in via monitoring operation) - IMDSv2 required = true (enhanced security for instance metadata) - EBS encryption = enabled by default **Rationale:** These defaults follow AWS Well-Architected Framework: - t3.micro provides good balance of compute/cost for many workloads - IMDSv2 prevents SSRF attacks against instance metadata - EBS encryption protects data at rest - Minimal IAM permissions follow least-privilege principle **Escape Hatch:** Access the underlying CDK Instance via the `Instance` property on the returned resource for advanced scenarios not covered by this builder.