Bastion Hosts in AWS are essentially jump boxes: machines that you access, which in turn allow you to access resources on a more restricted network. In terms of AWS, you may have resources on a private subnet that you do not want users to be able to access openly. In this case you can use a Bastion Host, which is an EC2 instance in a public subnet with a security group restricting who can access it, perhaps only a set IP range in your office. The EC2 instances in the private subnet have a security group that only allows SSH traffic from the Bastion Host, so the Bastion Host must be used in order to reach the private network. In short, users access the Bastion Host and then make the necessary connections into the private network from there.
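The two security-group rules described above can be checked mechanically. The following is an added example, not code from the original page: it audits rules in the shape returned by `aws ec2 describe-security-groups`, and the group IDs, the `203.0.113.0/24` office range and the helper names are constructed placeholders.

```python
import ipaddress

def covers_ssh(perm):
    """True if an IpPermissions entry permits TCP port 22 ("-1" = all traffic)."""
    proto = perm["IpProtocol"]
    return proto == "-1" or (proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"])

def ssh_sources(group):
    """Collect (cidrs, source_group_ids) that may reach port 22 on this group."""
    cidrs, sgs = [], []
    for perm in filter(covers_ssh, group["IpPermissions"]):
        cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sgs += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, sgs

def audit(groups, bastion_id, private_id, office_cidrs):
    """Return findings; an empty list means the layout matches the description."""
    by_id = {g["GroupId"]: g for g in groups}
    office = [ipaddress.ip_network(c) for c in office_cidrs]
    findings = []
    # Bastion group: SSH must come only from inside the office ranges.
    cidrs, _ = ssh_sources(by_id[bastion_id])
    for c in cidrs:
        net = ipaddress.ip_network(c)
        if not any(o.version == net.version and net.subnet_of(o) for o in office):
            findings.append(f"bastion {bastion_id}: SSH open to {c}, outside office ranges")
    # Private group: SSH must come only from the bastion's security group.
    cidrs, sgs = ssh_sources(by_id[private_id])
    findings += [f"private {private_id}: SSH allowed by CIDR {c}" for c in cidrs]
    findings += [f"private {private_id}: SSH from group {s}" for s in sgs if s != bastion_id]
    if bastion_id not in sgs:
        findings.append(f"private {private_id}: no SSH rule referencing bastion {bastion_id}")
    return findings

def rule(port, cidrs=(), sgs=()):
    """Build one constructed IpPermissions entry for TCP on a single port."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

# Constructed sample data; the IDs and the office range are placeholders.
OFFICE = ["203.0.113.0/24"]
GOOD = [{"GroupId": "sg-bastion", "IpPermissions": [rule(22, cidrs=OFFICE)]},
        {"GroupId": "sg-private", "IpPermissions": [rule(22, sgs=["sg-bastion"])]}]
WEAK = [{"GroupId": "sg-bastion", "IpPermissions": [rule(22, cidrs=["0.0.0.0/0"])]},
        {"GroupId": "sg-private", "IpPermissions": [rule(22, cidrs=["10.0.0.0/16"])]}]

if __name__ == "__main__":
    for name, layout in (("good", GOOD), ("weak", WEAK)):
        print(name, audit(layout, "sg-bastion", "sg-private", OFFICE))
```

The `WEAK` layout shows the two usual drifts: a bastion open to every address, and private instances that accept SSH by CIDR so the bastion can be bypassed from anywhere inside that range.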