Similar as done by the swam plugin, it would be useful to have a new type of AMI (besides "Windows" and "Linux") which launches ec2s that connect themselves to the master, thereby forming an ad-hoc agent cluster.
Like this, such an agent is fully responsible to launch completely (e.g. for Windows it might do an auto-logon,..) and afterwards connects to the master via JNLP.
The jenkins master does not have to connect to the agent in this case and therefore needs no credentials to connect via SSH or WINRM.

Rough idea /summary for the required changes:

• have a new AMI type "self connecting"
• this type of AMI has no launcher but instead used the default JNLP launcher
• make ssh key field optional (not required for the new AMI type)
• when launching the ec2, provide node name, secret and master URL as labels (ec2 can easily parse labels via ec2 metadata and use the info to connect to the master)