That's the point of the article. If you have the default EC2 configuration, exposed SSH is not such a critical issue. That might be simple, but sometimes we follow best practices without understanding why we follow them.
If that was the point of the article, it should be mentioned at the beginning of the article.
Also they explicitly say they recommend, "never exposing SSH to accept connections from anywhere" despite making it clear, literally the paragraph prior, that using key pair authentication is not uniquely risky in any way.
So they do exactly what every security "expert" does, and recommend the most onerous, least functional solution because it covers their asses, rather than actually think for five seconds about the specific circumstances.
Also they explicitly say they recommend, "never exposing SSH to accept connections from anywhere" despite making it clear, literally the paragraph prior, that using key pair authentication is not uniquely risky in any way.
So they do exactly what every security "expert" does, and recommend the most onerous, least functional solution because it covers their asses, rather than actually think for five seconds about the specific circumstances.