I find this question confusing. Is the goal to connect to AWS, or is the goal to set up some service on Digital Ocean?
If you set up a Digital Ocean droplet on FreeBSD, logins use a key rather than a password.
I assume you would have to set up some sort of dynamic DNS scheme. Personally I don't like to do anything that I can't control 100%, so that would be a showstopper for me. That is, I wouldn't want to lock myself out.
There is nothing wrong with being paranoid, but I would set up an OAuth scheme to lock out hackers rather than a firewall. Now, that said, I have significant firewall blocking on some of my ports. For instance, geographical blocking on all email ports other than 25. I don't have a reason to retrieve my email from, say, Kazakhstan, hence I block that country. This snares many a hacker.
You could whitelist your ISP, but IP space is bought and sold and hence dynamic. You could set up port knocking detection:
My point is that locking yourself out of your VPS is a situation where no one can save you. I'd rsync to another service so at least you don't lose your data.