update docs

Author: Hweinstock

docs/arch_features.md

@@ -47,3 +47,19 @@ These modules show how to use and extend the "remote connect" functionality:
 -   CodeCatalyst: [openDevEnv()](https://github.com/aws/aws-toolkit-vscode/blob/c77fc076fd0ed837d077bc0318716b711a2854c8/packages/core/src/codecatalyst/model.ts#L252)
 -   EC2: [openSessionInTerminal()](https://github.com/aws/aws-toolkit-vscode/blob/c77fc076fd0ed837d077bc0318716b711a2854c8/packages/core/src/ec2/model.ts#L147)
 -   ECS: [openTaskInTerminal()](https://github.com/aws/aws-toolkit-vscode/blob/c77fc076fd0ed837d077bc0318716b711a2854c8/packages/core/src/ecs/commands.ts#L133)
+
+### EC2 Remote Connect Details
+
+The toolkit provides two options for connecting with EC2 instances: remote terminals and remote windows. Both connections are done via SSM, but the remote window involves an SSH tunnel over SSM. To establish the tunnel, there a few steps the toolkit automates the following:
+
+-   Update the `.ssh/config` file locally to leverage a connect script [resources/ec2_connect](https://github.com/aws/aws-toolkit-vscode/blob/master/packages/core/resources/ec2_connect) via proxy command.
+-   Generate a temporary set of SSH Keys, sending the public key to the remote instance.
+-   Use the SSM connection to tunnel an SSH connection that we can then pass through VSCode to open a remote window.
+
+Some additional technical details:
+
+-   The keys are generated via ed25519 if supported, otherwise RSA. The keys have a lifetime of 30 seconds.
+-   If insufficient actions exist on the attached IAM role, a prompt will pop-up asking to add an inline-policy.
+-   The toolkit maintains the invariant that each instance can be associated with a single active SSM session. All active sessions created through the toolkit are terminated on close.
+
+For more information, refer to the implementation in [ec2](https://github.com/aws/aws-toolkit-vscode/tree/master/packages/core/src/awsService/ec2)