by belter 1614 days ago
If you are on AWS you don't need bastion hosts anymore. Use Session Manager.
2 comments

I agree in general but there are a handful of edge cases which Google solved better with IAP: SSM can't forward ports to other hosts or any resource other than EC2. It's great for using SSH, SFTP, even tools like Ansible work fine, but if you need to get a port forward to something like RDS, a service in Fargate, etc. you'll need something else.
We still need bastions to connect to RDS. But we connect to the bastions using SSM.