What is a secure and user-friendly way to provide only a few users access to web app on Amazon EC2?

Option 4 - stop controlling the access through Security Groups and instead implement some decent authentication mechanism.

For example put an Application Load Balancer in front of the web app and configure the ALB to require Cognito authentication. Only authenticated users will make it through the ALB to your web app - problem solved. The Cognito can have local users or can be used together with your Azure AD or if you use Office365 in your organisation. This is quite a transparent way that doesn't require any changes to the app.

Alternatively if your web app supports it you should configure it to require SAML auth against whatever user directory your org is using - Office365, G-Suite, etc.

Hope that helps :)

Option 5 - stop managing Security Groups (essentially IP-based firewalls) and use TLS Client Certificates.

If you're using modern user management systems like Azure AD or LDAP, you already have the right tool to issue and distribute the certificates. You'll setup a private CA and configure the HTTP server (Nginx, Apache2 or AWS ALB) to authenticate by certificates. Whoever without a certificate, or with an invalid certificate (including expired ones) will not make it through the HTTP server. This requires zero change to the web app itself, and you can even drop any authentication in the app as certificates can serve that purpose in addition to access control.

One bonus point is that this works everywhere - be it AWS, Azure or your on-premises infrastructure. You can even reuse the exact same stack of credentials and configuration (except for AWS ALB) just fine.