Security Groups Discipline
Tight scoping.
Overview
Security groups are the AWS network-control surface most teams over-permission. Loose rules accumulate until the cluster has 0.0.0.0/0 ingress on ports nobody can defend. The discipline below keeps the rules tight and version-controlled.
- Tight scoping. Per-port, per-source. Wildcard ports and broad CIDRs are the default that the discipline replaces.
- SG-to-SG references. Allow from another security group rather than from a CIDR block. The reference travels with the workload.
- Named rules. Description per rule explains why the rule exists. Reviewers do not need git blame to understand the intent.
- Version-controlled with periodic review. Terraform or CDK owns the rules; quarterly review catches drift before it becomes attack surface.
The approach
Four habits keep security groups tight: prefer SG-to-SG references, name every rule, manage in IaC, and review quarterly.
- SG-to-SG references. “Allow from web-tier-sg” beats “allow from 10.0.0.0/16.” Blast radius shrinks; rules survive autoscaling.
- Named rules. Description on every rule explains the why. Anonymous rules become orphans during the next review.
- IaC-managed. Terraform or CDK is the source of truth. Console edits introduce drift, and audits exist to catch it.
- Quarterly cleanup plus per-VPC policy. Walk every SG each quarter; document the SG strategy per VPC so new rules know where they belong.
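The quarterly walk of every SG can be scripted. The block below is an added example, not code from this page or from any AWS tooling: it checks a security-group listing in the shape that boto3's describe_security_groups returns for the problems named above, internet-open ingress, wildcard ports, broad CIDRs where an SG reference would do, and rules with no description. The group names, CIDRs and the /16 threshold are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
# Group names, ids and CIDRs are hypothetical, not from any real account.
SAMPLE_SGS = [
    {"GroupName": "web-tier-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS via ALB"}]}]},
    {"GroupName": "app-tier-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "Description": "web tier to app API"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupName": "legacy-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

WIDE_PREFIX = 16  # constructed threshold: a /16 or wider source counts as a broad CIDR


def audit_permission(sg, perm):
    """Return finding strings for one ingress entry of one security group."""
    findings, name = [], sg["GroupName"]
    # IpProtocol "-1" means all protocols and ports; 0-65535 is the same thing spelled out
    all_ports = perm["IpProtocol"] == "-1" or (
        perm.get("FromPort") == 0 and perm.get("ToPort") == 65535)
    port = "ALL" if all_ports else (str(perm["FromPort"]) if perm["FromPort"] == perm["ToPort"]
                                    else f"{perm['FromPort']}-{perm['ToPort']}")
    if all_ports:
        findings.append(f"{name}: wildcard port range on ingress")
    for r in perm.get("IpRanges", []):
        cidr = r["CidrIp"]
        if ip_network(cidr).prefixlen == 0:
            findings.append(f"{name}: {port} open to the internet ({cidr})")
        elif ip_network(cidr).prefixlen <= WIDE_PREFIX:
            findings.append(f"{name}: {port} from broad CIDR {cidr}; prefer an SG reference")
        if not r.get("Description"):
            findings.append(f"{name}: {port} from {cidr} has no description")
    for p in perm.get("UserIdGroupPairs", []):  # SG-to-SG references still need a why
        if not p.get("Description"):
            findings.append(f"{name}: {port} from {p['GroupId']} has no description")
    return findings


def audit(security_groups):
    """Walk every SG (the quarterly review) and collect findings across all of them."""
    return [f for sg in security_groups
            for perm in sg.get("IpPermissions", []) for f in audit_permission(sg, perm)]
```

In practice, pass `ec2.describe_security_groups()["SecurityGroups"]` from boto3 to `audit()` and file the output against the IaC repository that owns the rules.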
Why this compounds
Each tightened rule reduces attack surface for the lifetime of the rule. Compounded across hundreds of rules per account, the posture improves measurably.
- Reduced attack surface. Every port and source that is not allowed is one fewer entry point. Lateral-movement paths shrink.
- Service inventory. Named rules document inter-service communication. The SG file doubles as a service catalog.
- Audit readiness. IaC-managed SGs satisfy SOC 2 and PCI controls without per-audit forensics.
- Year-one investment, year-two habit. The first review takes effort. By year two the discipline is reflexive and new rules ship correctly.