AWS supports security groups.
Access is provided to create a security group for a jump box with SSH access only for port 22 open. Later, a webserver group and a database group are created. The webserver group provides 80 and 443 from around the world, but only port 22 will be vital among the jump box group. The database group allows port 3306 from the webserver group and port 22 from the jump box group. The addition of any machines to the webserver group can store in the database. No one can directly SSH to any of our boxes.