2 Answers
I would try to put each instance on a different subnet on the same VPC and have the Network ACL not have access to the CIDR block that each one uses.
if you have provided the read access then the user will able to see the instances. You can’t restrict view access but you can restrict actions.