EC2 Instance Connect

You can now replace your bastion hosts with an EC2 Instance Connect Endpoint. This blog entry explains it. Security groups are important: you must open port 22 to the CIDR of the endpoint's subnet on the EC2 security group. Read the white papers. A policy must also be added to the user to allow access to the endpoint. You can find that information here.
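To check the security group rule described above, the following added example (not taken from the blog entry or from AWS) audits the port 22 ingress of a security group against the endpoint's subnet CIDR. It assumes the JSON shape returned by `aws ec2 describe-security-groups`; the group ID and CIDRs are constructed sample values, and `audit_ssh_ingress` is a hypothetical helper name.

```python
import ipaddress

SSH_PORT = 22

def covers_ssh(perm):
    """True if one IpPermissions entry allows TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def audit_ssh_ingress(security_group, endpoint_subnet_cidr):
    """Return (reachable, overbroad) for SSH ingress.

    reachable: some rule admits the whole endpoint subnet on port 22.
    overbroad: CIDRs admitted on port 22 that extend beyond that subnet.
    Rules that reference another security group are not evaluated here.
    """
    subnet = ipaddress.ip_network(endpoint_subnet_cidr)   # assumed IPv4
    reachable, overbroad = False, []
    for perm in security_group.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        for rng in perm.get("IpRanges", []):
            allowed = ipaddress.ip_network(rng["CidrIp"])
            if subnet.subnet_of(allowed):
                reachable = True
            if not allowed.subnet_of(subnet):
                overbroad.append(rng["CidrIp"])
        # Any IPv6 source on port 22 lies outside an IPv4 endpoint subnet.
        overbroad += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return reachable, overbroad

# Constructed sample: one correct rule, one leftover world-open SSH rule.
ENDPOINT_SUBNET = "10.0.1.0/24"
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    print(audit_ssh_ingress(SAMPLE_SG, ENDPOINT_SUBNET))
```

An empty `overbroad` list together with `reachable` set to true means SSH is open to the endpoint subnet and nothing else.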