How do I secure access to a AWS classic EC2 machine from my LAN

The access restriction for EC2 Classic works at 2 levels one at the OS based User Name and Password ( SSH key if linux based instance ) and then Security Group.

Given that you have told that the IPs tend to change on a daily basis; these are the alternatives you can try

Manual Process :

• Get the IP range from your ISP and put that to your allowed IP Range for Instance's SG.

Script Based Process :

• You can write a simple cron script, which can obtain your public IP and go and change the specified Instance's Security group everyday

Python - Boto Script to Perform the Daily SG Public IP Change for SSH-22 to your public IP address

import boto
import urllib2

def get_public_ip():
    ext_ip = urllib2.urlopen("http://curlmyip.com").read()
    return ext_ip.strip()

sg_name = '<your security group name>' #enter your Security Group's NAME

ec2 = boto.connect_ec2()
sg = ec2.get_all_security_groups(groupnames=sg_name)
sg = sg[0]

#remove existing 22 SSH rules - old CIDR IP
for rule in sg.rules:
    if str(rule.from_port) == '22':
        ec2.revoke_security_group(group_name=sg_name,
                                  ip_protocol='tcp',
                                  from_port='22',
                                  to_port='22',
                                  cidr_ip=rule.grants[0])

#Authorize today's Public IP
ec2.authorize_security_group(group_name=sg_name,
                             ip_protocol='tcp',
                             from_port='22',
                             to_port='22',
                             cidr_ip=get_public_ip()+"/32")

Using 3rd Party Tools :

You can use 3rd Party provided like Dome9; they provide services like you can obtain the session / instance to be accessible for specific amount of time etc. Check whether they offer a solution for your scenario.

Their Product : Dome9 gives You 1-Click Secure Access To Any Server, Anywhere

Keep recycling your credentials for the instances; this for additional security.