Should you let yourself ssh into every machine in your network?

I am wondering how you should set up your network (AWS) so you can debug different things that might occur. Obviously there’s logging, but it seems at some point you might require SSHing into the actual machine of interest and checking around. If this is the case, it seems you would need to open up port 22 on every machine in the network. To make it secure, I would only allow the bastion host to connect to my IP address, and then every other machine only allows connections from the bastion host on the internal network. Is this considered bad practice? If so, what is the right way to go about this situation?
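
The bastion layout described in the question can be checked mechanically. The following is an added example, not part of the original post: it audits security-group ingress rules, in the shape returned under `SecurityGroups` by `aws ec2 describe-security-groups`, and reports any source that can reach port 22 other than the expected one. The group IDs, the admin address and the sample rules are constructed assumptions.

```python
# Added example: audit SSH ingress against the bastion layout described above.
# Group IDs and addresses below are constructed sample data.
ADMIN_CIDR = "203.0.113.10/32"      # assumed admin workstation IP (documentation range)
BASTION_SG = "sg-bastion"           # assumed ID of the bastion's security group

def covers_ssh(perm):
    """True if an ingress permission includes TCP port 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def ssh_sources(group):
    """Collect every CIDR or security-group source that can reach port 22."""
    sources = set()
    for perm in group.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        sources |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
        sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        sources |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    return sources

def audit(groups):
    """Return {group_id: unexpected SSH sources}; an empty result means compliant."""
    findings = {}
    for g in groups:
        allowed = {ADMIN_CIDR} if g["GroupId"] == BASTION_SG else {BASTION_SG}
        extra = ssh_sources(g) - allowed
        if extra:
            findings[g["GroupId"]] = sorted(extra)
    return findings

SAMPLE_GROUPS = [  # constructed data
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

if __name__ == "__main__":
    for gid, extra in audit(SAMPLE_GROUPS).items():
        print(f"{gid}: unexpected SSH sources {extra}")
```

The `sg-db` group is flagged twice over: a wide port range and an all-traffic rule both include port 22 even though neither names it.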