You don't need that Bastion host
Henrik Sylvester Pedersen

Aren’t you missing one of the key bastion benefits? That you can configure it using whatever authentication system you want, and use that as an edge delegation point almost. The AWS-provided filtering tools (NACL/SG) only filter at the IP level — they don’t provide authentication. Most scenarios where I’ve recommended them, they are used for this dual benefit.