
Not OP, but your practice is probably fine. More ideally, SSH would be locked down to your public IP address only. If you're already scripting this, you could just do a curl request to one of the many "what is my ip" services and set that instead of 0.0.0.0/0 as the security group IP address.

We also use bastion hosts. They're whitelisted for key-based SSH only access for our public IP addresses. We can jump around to other servers once we log in to that one, but our externally facing servers never advertise anything other than their base service (:443 or whatever is running on them).

I also use them with my personal servers and just leave them shut off when I'm not actively using them. This keeps costs down, but more importantly it permanently blocks off SSH access unless I'm specifically in need of it.
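An added example, not part of the comment above: one way to script the "look up my IP and use it instead of 0.0.0.0/0" step, validating the lookup reply before it reaches the security group. The choice of checkip.amazonaws.com as the lookup service, the function names and the `--apply` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Turn the reply from a "what is my ip" service into a /32 CIDR.
# Rejects anything that is not a strict dotted-quad IPv4 address, so an
# HTML error page or an empty reply never ends up in a security group rule.
to_ssh_cidr() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # junk, stray or doubled dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                 # split into octets
    IFS=$old_ifs
    if [ $# -ne 4 ]; then return 1; fi
    for octet in "$@"; do
        case $octet in
            ''|????*|0?*) return 1 ;;          # empty, too long, leading zero
        esac
        if [ "$octet" -gt 255 ]; then return 1; fi
    done
    # Never hand back the "anywhere" address the rule is meant to replace.
    if [ "$ip" = "0.0.0.0" ]; then return 1; fi
    printf '%s/32\n' "$ip"
}

# Allow SSH from the caller's current public IP only, then drop the open rule.
# $1 is the security group id (supplied by the operator).
lock_ssh_to_my_ip() {
    group_id=$1
    reply=$(curl -fsS --max-time 10 https://checkip.amazonaws.com) || return 1
    cidr=$(to_ssh_cidr "$reply") || {
        echo "unexpected reply from IP lookup service, rule not changed" >&2
        return 1
    }
    # Add the narrow rule first so the session is not cut off mid-change.
    aws ec2 authorize-security-group-ingress --group-id "$group_id" \
        --protocol tcp --port 22 --cidr "$cidr" || return 1
    # Fails harmlessly if no 0.0.0.0/0 rule exists for port 22.
    aws ec2 revoke-security-group-ingress --group-id "$group_id" \
        --protocol tcp --port 22 --cidr 0.0.0.0/0
}

# Only touches AWS when invoked as: script.sh --apply <security-group-id>
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    lock_ssh_to_my_ip "$2"
fi
```

The /32 rule goes stale whenever the public IP changes, so the script has to be rerun from the new address.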


