EC2 Instance Connect can performserver/host authenticity checksby validating the instance’s SSHhost keyagainst atrusted host keyssource. When you rotate the instance’s host keys, the host presents anewfingerprint. If the trusted host keys source still contains theoldhost key, connections that enforce host key verification will fail with ahost key validationerror. The fix is to update the trusted host key record so the new host key fingerprint is recognized as valid. Therefore, the correct action is toupload the new host keyto the trusted host keys database used for EC2 Instance Connect host key verification.

Option A is unrelated: AWS KMS does not store or manage SSH host keys for EC2 Instance Connect validation. Option C is for AWS Systems Manager managed instances and has no effect on SSH host key validation. Option D rotatesuser/client authentication keys(SSH key pair used to log in) but does not resolve a failure that occurs specifically because theserver host keychanged and is no longer trusted. Updating the trusted host keys database restores the expected trust chain and allows Instance Connect to work again with the rotated host keys.