Now you can replace your bastion hosts and use EC2 Instance Connect Endpoint. This blog entry explains it: https://aws.amazon.com/blogs/compute/secure-connectivity-from-public-to-private-introducing-ec2-instance-connect-endpoint-june-13-2023/

Security groups are important: you must open port 22 to the CIDR of the subnet of the endpoint on the EC2 security group. Read the white papers. Also, a policy must be added to the user to allow access to the endpoint. You can find that information here: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/EC2InstanceConnect.html
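The two configuration pieces the post names, as an added example that is not part of the post or of any AWS code: the security-group ingress entry that opens TCP/22 only to the endpoint's subnet, a scoped identity policy for the user, and a small audit that flags SSH rules broader than that subnet (the usual mistake is leaving 0.0.0.0/0 in place after the bastion is gone). The subnet CIDR, private IP, sample rules and the `REGION`/`ACCOUNT_ID`/`eice-PLACEHOLDER` ARNs are constructed placeholders; the IAM actions and condition keys (`ec2-instance-connect:OpenTunnel`, `remotePort`, `privateIpAddress`, `maxTunnelDuration`, `SendSSHPublicKey`, `ec2:osuser`) are the ones AWS documents for Instance Connect, and the dictionaries are shaped for boto3's `authorize_security_group_ingress` / `put_user_policy`.

```python
"""Added example, not from the original post: least-privilege pieces for an
EC2 Instance Connect Endpoint (EICE) plus an audit for over-broad SSH rules.
All identifiers below are constructed placeholders."""
import ipaddress
import json

# Constructed sample values (assumptions, not from the post).
ENDPOINT_SUBNET_CIDR = "10.0.1.0/24"      # subnet the endpoint ENI lives in
INSTANCE_PRIVATE_IP = "10.0.2.15"         # target instance, in another subnet
ENDPOINT_ARN = "arn:aws:ec2:REGION:ACCOUNT_ID:instance-connect-endpoint/eice-PLACEHOLDER"
INSTANCE_ARN = "arn:aws:ec2:REGION:ACCOUNT_ID:instance/i-PLACEHOLDER"


def ssh_ingress_rule(endpoint_subnet_cidr: str) -> dict:
    """IpPermissions entry for authorize_security_group_ingress: TCP/22 from the
    endpoint's subnet only, which is the rule the post says is required.
    strict=True rejects a host address mistyped as a subnet (e.g. 10.0.1.5/24)."""
    net = ipaddress.ip_network(endpoint_subnet_cidr, strict=True)
    return {
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "IpRanges": [{"CidrIp": str(net), "Description": "EC2 Instance Connect Endpoint subnet"}],
    }


def eice_user_policy(endpoint_arn: str, instance_arn: str, private_ip: str,
                     max_tunnel_seconds: int = 3600, os_user: str = "ec2-user") -> dict:
    """Identity policy: OpenTunnel only through one endpoint, to one private IP,
    on port 22, with a bounded tunnel lifetime; key push limited to one OS user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OpenTunnelThroughEndpoint",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": private_ip},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_tunnel_seconds)},
                },
            },
            {
                "Sid": "PushEphemeralSshKey",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": instance_arn,
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {
                "Sid": "DescribeForClientLookup",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
                "Resource": "*",
            },
        ],
    }


def audit_ssh_rules(ip_permissions: list, endpoint_subnet_cidr: str) -> list:
    """Flag every ingress rule that reaches TCP/22 from a source other than the
    endpoint subnet (or a range inside it). Returns a list of finding dicts."""
    endpoint_net = ipaddress.ip_network(endpoint_subnet_cidr)
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        covers_22 = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))
        if not covers_22:
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            net = ipaddress.ip_network(cidr)
            if net.version != endpoint_net.version:
                findings.append({"cidr": cidr, "reason": "SSH open from a different address family"})
            elif not net.subnet_of(endpoint_net):
                findings.append({"cidr": cidr, "reason": "SSH source broader than endpoint subnet"})
    return findings


# Constructed security group: the correct rule plus three typical leftovers.
SAMPLE_SG_RULES = [
    ssh_ingress_rule(ENDPOINT_SUBNET_CIDR),
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(json.dumps(ssh_ingress_rule(ENDPOINT_SUBNET_CIDR), indent=2))
    print(json.dumps(eice_user_policy(ENDPOINT_ARN, INSTANCE_ARN, INSTANCE_PRIVATE_IP), indent=2))
    for finding in audit_ssh_rules(SAMPLE_SG_RULES, ENDPOINT_SUBNET_CIDR):
        print("FINDING:", finding)
```

Run against a real group, the input to `audit_ssh_rules` is the `IpPermissions` list from `describe_security_groups`; the 443 rule is ignored because only rules reaching port 22 matter here, while the all-protocol rule is flagged even though it never mentions port 22.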