Security Group Best Practices
Tight scoping.
Overview
AWS Security Groups are the stateful firewall layer attached to every ENI; they decide which traffic reaches the workload. The difference between a tight SG posture and a sloppy one is the difference between a contained compromise and a network-wide one. Hygiene matters more than any single rule because it catches whole classes of exposure that single-rule audits miss.
- Tight per-port, per-source scoping. Open only the ports actually needed, only from the sources actually needed. 0.0.0.0/0 on management ports is the recurring finding in cloud audits.
- SG-to-SG references over CIDRs. Allow from another SG by ID, not from a CIDR range. Cloud-native and resilient to IP churn.
- Named rules with descriptions. Every rule answers “why does this exist” in its description field. Future investigations stop guessing.
- IaC-managed plus quarterly review. Terraform or CDK supplies the audit trail; a recurring review catches drift before auditors do.
The approach
Three habits keep SG sprawl under control: SG-to-SG references for east-west traffic, named rules with descriptions, and IaC management with periodic review.
- SG-to-SG references. “allow from sg-app-tier” beats “allow from 10.0.1.0/24”. Blast radius shrinks; refactors stay safe.
- Named rules. The description field is mandatory. No anonymous “allow 443” rules in the account.
- IaC managed. Terraform or CDK. Console edits are caught by drift detection and reverted at the next plan.
- Quarterly review plus per-VPC policy. A standing review catches over-broad rules; the per-VPC SG strategy lives in the security runbook.
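The quarterly review as code, added here as an example and not taken from this post: an offline audit over Security Group rules in the shape that EC2 DescribeSecurityGroups returns, flagging the three hygiene failures the habits above target (world-open management ports, anonymous rules, and RFC 1918 CIDR sources where an SG-to-SG reference is expected). The sample groups, the management-port set and the RFC 1918 heuristic are constructed assumptions.

```python
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}       # assumption: SSH, RDP, WinRM
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# assumption: inside RFC 1918 space an SG-to-SG reference should replace the CIDR
RFC1918 = ("10.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32))

SAMPLE_GROUPS = [  # constructed sample in EC2 DescribeSecurityGroups shape
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.1.0/24", "Description": "legacy app subnet"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app-tier",
                               "Description": "app tier -> postgres"}]}]},
]


def _covers_port(perm, port):
    """True if an IpPermission entry reaches the given TCP port."""
    if perm.get("IpProtocol") == "-1":        # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return sorted (group_id, finding, source) tuples for ingress rules."""
    findings = set()
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                mgmt = any(_covers_port(perm, p) for p in MANAGEMENT_PORTS)
                if cidr in WORLD_CIDRS and mgmt:      # the recurring audit finding
                    findings.add((gid, "WORLD_OPEN_MGMT", cidr))
                if cidr.startswith(RFC1918):          # prefer an SG-to-SG reference
                    findings.add((gid, "CIDR_INSTEAD_OF_SG", cidr))
                if not r.get("Description"):          # anonymous rule
                    findings.add((gid, "NO_DESCRIPTION", cidr))
            for pair in perm.get("UserIdGroupPairs", []):
                if not pair.get("Description"):       # SG references need a why too
                    findings.add((gid, "NO_DESCRIPTION", pair["GroupId"]))
    return sorted(findings)


if __name__ == "__main__":
    for gid, finding, source in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {finding} ({source})")
```

Feeding it the real output of describe_security_groups (the "SecurityGroups" list) instead of SAMPLE_GROUPS turns it into the standing review the post calls for.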
Why this compounds
Each tightened rule and each refactored CIDR-to-SG reference reduces attack surface a little more. The team's network mental model sharpens; new services inherit the conventions instead of recreating sprawl.
- Attack surface reduced. Tight rules close the recurring audit findings before audits ask.
- Service inventory documented by rules. Named SG rules become a map of how services actually talk to each other.
- Compliance posture improved. Tight SGs satisfy SOC 2, ISO 27001, and PCI controls without bespoke remediation work.
- Year-one investment, year-two habit. The first cleanup is heavy. By year two, every new service ships with conventional SG references on day one.