Consider not locking root user ssh access
While in theory it might provide some security benefits, locking it out on EC2 doesn't make much sense.
It's much more user-friendly to allow ssh publickey access and greet the user with something like this in authorized_keys for root:
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"alpine\" rather than the user \"root\".';echo;sleep 10"
This makes it easier for the end user to figure out what username should be used to access the machine and, if their business processes require ssh-publickey root access, makes it easier for them to unlock the user (using the same scripts as are used for all the other Linux/BSD OSes available on Marketplace/public images).
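A sketch of how the restricted root entry proposed above could be applied and later removed, as an added example that is not code from this issue or from the project. The function names and the sample key are constructed for illustration; the option string is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: prepend the forced-command options from the issue to every
# key in root's authorized_keys, and strip them again to unlock root.
# Function names and the sample key below are hypothetical/constructed.

root_key_prefix() {
cat <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"alpine\" rather than the user \"root\".';echo;sleep 10"
EOF
}

# Reads authorized_keys content on stdin, writes the restricted form to stdout.
# Blank lines, comments and already-restricted keys are passed through as-is,
# so running it twice does not stack the options.
lock_root_keys() {
    prefix=$(root_key_prefix)
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)     printf '%s\n' "$line" ;;
            "$prefix "*) printf '%s\n' "$line" ;;
            *)           printf '%s %s\n' "$prefix" "$line" ;;
        esac
    done
}

# Reverse operation: remove exactly this prefix, leave other lines untouched
# (keys carrying different options are not modified).
unlock_root_keys() {
    prefix=$(root_key_prefix)
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$prefix "*) rest=${line#"$prefix "}; printf '%s\n' "$rest" ;;
            *)           printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample key, not a real credential.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleKeyOnly user@example'

printf '%s\n' "$SAMPLE_KEY" | lock_root_keys
printf '%s\n' "$SAMPLE_KEY" | lock_root_keys | unlock_root_keys
```

The message is only shown if sshd still evaluates root's keys, for example with `PermitRootLogin forced-commands-only`; with `PermitRootLogin no` the entry is never reached.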