Jump hosts seem like an anti-pattern in the era of AWS SSM and Tailscale.
It is far too easy to misconfigure network policies and grant them access to infrastructure that they shouldn't.
And with Tailscale you can run the agent within SaaS products like GitHub Actions or Terraform Cloud to securely manage their access into your systems.
I believe you still need a bastion host to query a database, for instance, unless you want to set up SSM on existing hosts - my current project is fully serverless, so I had to set up an EC2 instance to serve as the bastion. The beauty of SSM is that the host can be fully on a private subnet, not exposed to the wider internet as commonly suggested.
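The private-subnet SSM bastion described above, as an added Terraform example (not from the thread or any project in it). Assumed inputs: `var.vpc_id`, `var.private_subnet_id` (no route to an internet gateway), `var.ami_id` (an AMI with the SSM agent preinstalled), `var.ssm_endpoint_sg_id` (the security group on the ssm/ssmmessages/ec2messages interface endpoints) and `var.db_sg_id` (the database's security group, which must separately allow ingress from the bastion's group).

```hcl
# Added example, not from the thread; var.* inputs are assumed (see lead-in).
resource "aws_iam_role" "bastion" {
  name = "ssm-bastion"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}
# Only what the SSM agent needs: no SSH keys, no broad admin policy.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
resource "aws_iam_instance_profile" "bastion" {
  name = "ssm-bastion"
  role = aws_iam_role.bastion.name
}
# No ingress block at all: nothing on the internet or inside the VPC can open a
# connection to this host. Sessions ride the agent's outbound channel to SSM.
resource "aws_security_group" "bastion" {
  name   = "ssm-bastion"
  vpc_id = var.vpc_id
  egress {
    description     = "SSM agent to the ssm/ssmmessages/ec2messages endpoints"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.ssm_endpoint_sg_id]
  }
  egress {
    description     = "Port-forwarded sessions to the database"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.db_sg_id]
  }
}
resource "aws_instance" "bastion" {
  ami                         = var.ami_id  # AMI with the SSM agent preinstalled
  instance_type               = "t3.nano"
  subnet_id                   = var.private_subnet_id  # no route to an IGW
  associate_public_ip_address = false
  iam_instance_profile        = aws_iam_instance_profile.bastion.name
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  metadata_options { http_tokens = "required" }  # IMDSv2 only
}
```

From a workstation with the Session Manager plugin installed, `aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=<db-endpoint>,portNumber=5432,localPortNumber=5432` forwards a local port to the database over the SSM channel, so the host needs no public IP and no open inbound port.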
Yeah, if you’re using managed services within AWS you need a relay host. It doesn’t need to punch a hole to the outside world (like a bastion host) but it still needs some manner to allow Tailscale (an EC2 box) to route to those services.