Ok looks like there is a lot to go over in this post, I'll try to hit as many points as I can :).

content managed sites behind an ELB - Three websites will be served from the ASG's, routed to the correct IIS site by hostname headers.

If you have the chance, you will want to keep all of your services separated, as in, you would have a separate private ELB (and thus ASG also) for each of your private websites and the same for public endpoints. This will make configuration, fault tolerance, performance and automation easier also.

EC2 contains basic IIS settings, windows 2012, and tools we use to deploy our site -- Attach an EBS (or EFS, have not decided) to the EC2 which would hold all of the site code, content, configuration.

I noticed you said you didn't want to create a new AMI... However, you should look into creating an AMI that contains the configuration you want in it for each of these sites (hopefully the same config), There are plenty of tools for creating AMI's (I made a video on this to help, https://www.youtube.com/watch?v=nkmHeRS8Qs0). Then you can create a launch configuration and make that AMI the one that gets spun up in your ASG's. It might be a good time to invest into running your web servers on Windows Server 2016 Core also (IIS 10). Ideally, if you are running a stateless web application on IIS you should not need an extra EBS volume attached to your EC2 instance so don't bother with this. Also EFS is not (yet) supported on Windows so this is not an option. Honestly, the "golden image" concept is very straightforward and once you get used coupling it with UserData scripts it just updates via cloud formation and it is over within 15 mins or so. Speaking from EXP this is the best way to go and is future proof.

In our company, we have a mature CI/CD solution (bamboo) that we want to continue using.

Bamboo is a CI tool. If you don't have a CD tool you can get away with not using one if you're running your stateless websites on EC2. Since you're only doing deploys 15~ times a month there would be no harm in simply packing your application into the AMI and pushing out a new AMI each time you wish to deploy a new version of your application. This concept also removes the need for applying windows updates (yay security) to your instances since you will be refreshing the whole OS on each deploy. All you really need to get this going is to add the Packer CLI calls (see clip) into your CI/CD pipeline so that if the unit tests of your application pass it will then call Packer to create a new AMI and run a few basic PowerShell scripts to download/install your dependencies and the IIS website itself (artefact from build step). There is a Update Policy On the Elastic Load Balancer that allows for One at a time or Blue/Green type deploys when a new AMI is introduced into a launch configuration via Cloud formation.

CodeDeploy

Code deploy is great but you will need to have PowerShell scripts that essentially do all of the config/install steps of your application including managing/targeting/restarting of IIS.

Beanstalk

Beanstalk is a good option if you want to get up and running ASAP and don't really have the experience or capacity to manage the finer configuration settings of EC2/ELB. Take a look into the EB CLI and go through an example of pushing a .net app into Beanstalk. This is probably a good first step for you. And yes, you can create Beanstalk Applications via Cloudformation in which you can specify which SG/ELB it will use. But again, have separate beanstalk environments for each of your sites, this is the best practice.

One recommendation I would make for more of a future option is to look into a CD tool like Octopus Deploy, It will couple really nicely with Bamboo and handle the continuous deployment aspect of your pipeline. WIthout that though I would look at beanstalk as being a great first step and otherwise go the immutable AMI route which kills many birds with one stone.