
How to SSH to target AWS machine using a bastion host


Assume Machine A is the target machine that I ultimately want to SSH into, while Machine B is a bridge machine (bastion host). These two machines are accessible using the same PEM file.

The security group of Machine A allows SSH connections only from Machine B. So if I want to connect to Machine A, I need to connect through Machine B.

How can this be accomplished without placing the PEM file on the bastion host?


Solution

  • You can use ProxyCommand. I prefer defining the following in your ~/.ssh/config file.

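    # Bastion: reached directly from your workstation
    host MachineB
     HostName <MachineB-IP>
     IdentityFile <Full Path of .pem file>
     User username

    # Target: ssh tunnels through MachineB (nc relays the TCP stream to %h:%p);
    # the IdentityFile is read on your workstation, not on the bastion
    host MachineA
     HostName <MachineA-IP>
     ProxyCommand  ssh MachineB nc -w 120 %h %p
     IdentityFile <Full Path of .pem file>
     User username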

    Then access MachineA like:

    $ ssh MachineA
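
A client-side check that the setup above does what the question asks: the hop is proxied and the key never has to leave your workstation. This is an added example, not part of the original answer; the function name `audit_bastion_hop` and the sample lines are constructed, and it reads the output of `ssh -G <host>` (OpenSSH 6.8 or later), which prints the effective options as lowercase `keyword value` lines.

```shell
#!/bin/sh
# Audit the effective client config for a host that sits behind a bastion.
# Input (stdin): output of `ssh -G <host>`, one "keyword value" pair per line.
# Returns 0 when the connection is proxied and agent forwarding is off.
audit_bastion_hop() {
    awk '
        $1 == "proxycommand" && $2 != "none" { proxied = 1 }
        $1 == "proxyjump"    && $2 != "none" { proxied = 1 }
        # Anything other than "no" means the bastion gets access to the agent socket
        $1 == "forwardagent" && $2 != "no"   { agent = 1 }
        END {
            if (!proxied) { print "FAIL: no ProxyCommand/ProxyJump, connection would be direct"; bad = 1 }
            if (agent)    { print "FAIL: ForwardAgent is enabled, bastion can use your agent"; bad = 1 }
            if (!bad)     { print "OK: proxied through the bastion, key stays on the client" }
            exit bad + 0
        }
    '
}

# Constructed sample lines in `ssh -G` format (abridged, not real output).
SAMPLE_GOOD='hostname 10.0.1.20
user username
identityfile ~/keys/demo.pem
forwardagent no
proxycommand ssh MachineB nc -w 120 %h %p'

# Constructed sample: direct connection with agent forwarding left on.
SAMPLE_BAD='hostname 10.0.1.20
user username
identityfile ~/keys/demo.pem
forwardagent yes'

printf '%s\n' "$SAMPLE_GOOD" | audit_bastion_hop || true
printf '%s\n' "$SAMPLE_BAD"  | audit_bastion_hop || true

# Real use, on the workstation:  ssh -G MachineA | audit_bastion_hop
```

The ForwardAgent check is there because agent forwarding is the other common way to avoid copying the PEM file, and it lets anyone with root on the bastion use your agent while you are connected.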