AWS CloudFormation (example 1)

SSH config

# Jump host: the only machine contacted directly from the workstation.
# {bastionPublicIP} is a placeholder for the bastion's public address.
Host bastion
   HostName {bastionPublicIP}
   User ec2-user
   IdentityFile ~/.ssh/bastion.pem
   # "none" disables proxying for this host, so the connection is made directly.
   ProxyCommand none
# Target instance, addressed by its private IP and reached through the bastion.
# {instancePrivateIp} is a placeholder for that address.
Host slave
   HostName {instancePrivateIp}
   User ec2-user
   # Read from the local machine: this key is separate from the bastion key and
   # does not have to be copied onto the bastion. No agent forwarding is set.
   IdentityFile ~/.ssh/instance.pem
   # -W has the bastion relay stdin/stdout to %h:%p (this host and port), so the
   # SSH session to the instance is negotiated end-to-end from the workstation.
   ProxyCommand ssh bastion -W %h:%p

CloudFormation template

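# Bastion-host pattern: one SSH jump host plus one web instance whose SSH port
# accepts connections only from members of the bastion's security group.

# Quoted so YAML 1.1 parsers keep the version a string instead of a date.
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  BastionKeyName:
    Description: The EC2 Key Pair to allow SSH access to the bastion
    Type: 'AWS::EC2::KeyPair::KeyName'
  InstanceKeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
  # Source range for SSH to the bastion. The default keeps the template's
  # previous behaviour (open to any IPv4 address); override it at stack creation
  # with the administrators' range, e.g. 203.0.113.0/24 (constructed example).
  BastionSshCidr:
    Description: >-
      IPv4 CIDR range allowed to reach the bastion on TCP port 22.
      Restrict this to the networks administrators connect from.
    Type: String
    Default: '0.0.0.0/0'
    MinLength: 9
    MaxLength: 18
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: Must be an IPv4 CIDR range of the form x.x.x.x/x

Resources:

  # NOTE(review): both instances use SecurityGroups and neither sets a subnet,
  # and neither security group sets VpcId. This looks like the default-VPC
  # form; confirm the target account and region have a default VPC.
  # ImageId is hard-coded; AMI IDs are region-specific, so verify it for the
  # region the stack is launched in.

  BastionEc2Instance:
    DependsOn: BastionSecurityGroup
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref BastionSecurityGroup
      KeyName: !Ref BastionKeyName
      ImageId: 'ami-035b3c7efe6d061d5'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-bastion'

  # Uses a different key pair from the bastion, so a leaked bastion key alone
  # does not grant a login here.
  # NOTE(review): no subnet is specified, so whether this instance also gets a
  # public address depends on the account's default subnet settings; verify.
  WebEc2Instance:
    DependsOn: InstanceSecurityGroup
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: !Ref InstanceKeyName
      ImageId: 'ami-035b3c7efe6d061d5'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-web'

  BastionSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Bastion SSH access
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-bastion'
      SecurityGroupIngress:
        # SSH only, from the range chosen in BastionSshCidr.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref BastionSshCidr

  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Instance access
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-instance'
      SecurityGroupIngress:
        # HTTP is served to any IPv4 address.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: '0.0.0.0/0'
        # SSH is accepted only from members of the bastion security group,
        # never from a CIDR range.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !GetAtt BastionSecurityGroup.GroupId

# Addresses to substitute for the HostName placeholders in the SSH config.
Outputs:
  BastionPublicIp:
    Description: 'Public IP of the bastion (HostName for "Host bastion")'
    Value: !GetAtt BastionEc2Instance.PublicIp
  WebPrivateIp:
    Description: 'Private IP of the web instance (HostName for "Host slave")'
    Value: !GetAtt WebEc2Instance.PrivateIp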