At least two techniques exist for jumping "through" a bastion host to a "hidden" server. In the following examples, the bastion host has the hostname BastionHost whereas the target host has the hostname TargetHost.
First, we log in to the bastion host
ssh -A -i key.pem ec2-user@BastionHost
From there, we can simply login to the target host
ssh TargetHost
Instead of logging in to the bastion host it is possible to use it as a proxy by using the following command
ssh -i key.pem -J ec2-user@BastionHost ec2-user@TargetHost
To run commands on the target host use the following command
ssh -i key.pem -J ec2-user@BastionHost ec2-user@TargetHost uname -a
In this case the command uname -a has been run on the remote server.
For copying file to or from the target host it is possible to use the following command
scp -i key.pem -o "ProxyCommand ssh ec2-user@BastionHost -W %h:%p" file ec2-user@TargetHost:~/