Aren’t you missing one of the key bastion benefits? that you can configure it using whatever authentication system you want, and use that as a edge delegation point almost. The AWS provided filtering tools (NACL/SG) only filter at the IP level — they don’t provide authentication. Most scenarios where I’ve recommended them, they are used for this dual benefit.