- Enterprise Cloud Security and Governance
- Zeal Vora
- 2025-04-04 17:38:54
The workings of bastion hosts
The first approach that comes to mind when using bastion hosts is to store, on the bastion host itself, the private key of every user who needs to connect to an instance in a private subnet. This is simple but not recommended: if the bastion host is compromised, all of the users' private keys are compromised with it. This is why SSH agent forwarding plays a major role in the implementation of bastion hosts.
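A check an administrator could run on the bastion to confirm that no user private keys are stored there, as an added example that is not from the book. The function names `find_private_keys` and `audit_bastion_keys` are hypothetical, and the script assumes home directories sit directly under one root (default `/home`); the demo tree is constructed and contains no real keys.

```shell
#!/usr/bin/env bash
# Added example: audit a bastion host for private keys left in users' ~/.ssh.
# Assumption: home directories sit directly under one root (default /home).

# Print every file in <root>/<user>/.ssh/ whose first line is a private key
# header (PEM, OpenSSH, or PuTTY .ppk format).
find_private_keys() {
    find "${1:-/home}" -maxdepth 3 -type f -path '*/.ssh/*' 2>/dev/null | sort |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null |
            grep -Eq '^(-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----|PuTTY-User-Key-File-)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 1 and report on stderr if any private key is stored on the host.
audit_bastion_keys() {
    _found="$(find_private_keys "${1:-/home}")"
    if [ -n "$_found" ]; then
        printf 'FAIL: private keys stored on bastion:\n%s\n' "$_found" >&2
        return 1
    fi
    printf 'OK: no private keys under %s\n' "${1:-/home}"
}

# Demo on a constructed directory tree (placeholder content, not real keys).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/alice/.ssh" "$demo_root/bob/.ssh"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
    > "$demo_root/alice/.ssh/id_ed25519"
printf 'ssh-ed25519 AAAA-constructed alice\n' > "$demo_root/alice/.ssh/id_ed25519.pub"
printf 'ssh-ed25519 AAAA-constructed bob\n' > "$demo_root/bob/.ssh/authorized_keys"
audit_bastion_keys "$demo_root" || true   # reports alice's id_ed25519 only
rm -rf "$demo_root"
```

Public keys and `authorized_keys` files are expected on a bastion and are not flagged; only files that begin with a private key header are reported.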