• Bastion host: it gets its own security group (SG), which must allow inbound TCP 22 from the internet, but only from a restricted CIDR, e.g. the public CIDR of your corporation. Never use 0.0.0.0/0 here.
Restrict the source as tightly as possible so that only a few known IPs can reach the bastion; SSH from anywhere else is dropped at the SG before it reaches sshd.
• EC2 instances in the private subnets: their SG must allow inbound TCP 22 from the bastion only. You can express the source either as the bastion's private IP (/32) or as the bastion's SG ID. Both give the same reachability, but referencing the SG is the better choice: the private IP changes when the bastion is replaced, while an SG reference keeps working for any instance (current or future) that carries the bastion SG.
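The two security groups described above, written as an added Terraform example (this is illustrative code, not configuration from the original notes). It assumes a VPC ID passed in as `vpc_id`, a corporate CIDR passed in as `corp_cidr`, and a private-subnet CIDR passed in as `private_subnet_cidr`; all three variable names are assumptions. The private-instance rule references the bastion SG rather than its IP, and the bastion's egress is limited to SSH into the private subnet so a compromised bastion cannot be used as a general pivot.

```hcl
# Assumed inputs (names are assumptions for this example).
variable "vpc_id"              { type = string }
variable "private_subnet_cidr" { type = string }

variable "corp_cidr" {
  type        = string
  description = "Public CIDR of the corporate network allowed to SSH to the bastion."

  # Fail the plan if someone tries to open the bastion to the whole internet
  # or passes something that is not a valid CIDR.
  validation {
    condition     = can(cidrhost(var.corp_cidr, 0)) && var.corp_cidr != "0.0.0.0/0"
    error_message = "corp_cidr must be a valid CIDR and must not be 0.0.0.0/0."
  }
}

# --- Bastion security group -------------------------------------------------
resource "aws_security_group" "bastion" {
  name        = "bastion-sg"
  description = "SSH entry point, reachable only from the corporate CIDR"
  vpc_id      = var.vpc_id
}

# Inbound SSH from the corporate CIDR only.
resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  security_group_id = aws_security_group.bastion.id
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = [var.corp_cidr]
  description       = "SSH from corporate network"
}

# Outbound: only SSH into the private subnet. Terraform removes the default
# allow-all egress when the SG is managed, so this is the full egress policy.
resource "aws_security_group_rule" "bastion_ssh_out" {
  type              = "egress"
  security_group_id = aws_security_group.bastion.id
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = [var.private_subnet_cidr]
  description       = "SSH to private instances"
}

# --- Private instances security group --------------------------------------
resource "aws_security_group" "private" {
  name        = "private-instances-sg"
  description = "Instances in private subnets, SSH only via the bastion"
  vpc_id      = var.vpc_id
}

# Inbound SSH from the bastion SG (not its IP): survives bastion replacement
# and covers every instance that carries the bastion SG.
resource "aws_security_group_rule" "private_ssh_from_bastion" {
  type                     = "ingress"
  security_group_id        = aws_security_group.private.id
  protocol                 = "tcp"
  from_port                = 22
  to_port                  = 22
  source_security_group_id = aws_security_group.bastion.id
  description              = "SSH from bastion only"
}
```

A quick check after apply: `aws ec2 describe-security-groups --group-ids <private-sg-id>` should show the port 22 rule under `UserIdGroupPairs` (an SG reference) and no `IpRanges` entry for it; if a `/32` of the bastion shows up instead, the rule will silently break the next time the bastion is rebuilt with a new private IP.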