This is a game changer. I have a bastion host in certain environments; I never realized AWS has built-in kit to achieve this sort of thing. I assume the key product here is SSM?
Correct. It’s not always this simple though; you also need an IAM profile that the EC2 instance can assume with the required permissions. Depending on how you configure your NAT Instance/Gateway, you may also need to whitelist the SSM service.