AWS SECURITY GROUPS

There is absolutely no excuse for getting Security Groups wrong: Security Groups should be used correctly and planned before anything is deployed into AWS.

  • Configure security group rules to permit ONLY necessary traffic based upon the actual component(s) you are protecting.
  • Ensure rules are scoped to specific source/destination ranges and are not overly permissive.
  • Don’t use large CIDRs such as /8 or 0.0.0.0/0.
  • Ensure you have a clear description for each rule.
  • Where you are unsure of the functionality of a rule, seek guidance from your security team.
  • Where feasible, create a single security group and apply it to multiple instances that provide the same service.
  • When using VPCs, ensure VPC endpoints are used for traffic flows into AWS services.
  • Never connect directly to instances; use AWS SSM or, as a minimum, a bastion host (jumpbox – if you’re lazy, stupid and want to waste money instead of using the AWS ecosystem).
  • Delete any unused security groups.
  • ALWAYS, ALWAYS be aware of the service limits: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
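As an added example (not part of the original note), the following Python audit applies the rule-level checks above (no open or over-wide CIDRs, no all-protocol rules, a description on every rule) to a constructed sample in the shape of the EC2 DescribeSecurityGroups response; the group IDs, the /16 threshold and the finding wording are my own choices.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/24", "Description": "ALB subnet to web tier"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "whole corp range"}]},
    ]},
]

MAX_IPV4_ADDRESSES = 2 ** 16  # anything wider than a /16 is treated as overly broad (assumed threshold)

def audit_permission(perm):
    """Return the findings for one rule entry (one element of IpPermissions)."""
    findings = []
    if perm.get("IpProtocol") == "-1":
        findings.append("all protocols and ports permitted")
    ranges = [(r.get("CidrIp"), r) for r in perm.get("IpRanges", [])]
    ranges += [(r.get("CidrIpv6"), r) for r in perm.get("Ipv6Ranges", [])]
    for cidr, entry in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if not entry.get("Description"):
            findings.append(f"{cidr}: rule has no description")
        if net.prefixlen == 0:
            findings.append(f"{cidr}: open to the entire internet")
        elif net.version == 4 and net.num_addresses > MAX_IPV4_ADDRESSES:
            findings.append(f"{cidr}: CIDR wider than /16")
    return findings

def audit_groups(groups):
    """Map GroupId -> findings over inbound and outbound rules; clean groups are omitted."""
    report = {}
    for group in groups:
        perms = group.get("IpPermissions", []) + group.get("IpPermissionsEgress", [])
        findings = [f for perm in perms for f in audit_permission(perm)]
        if findings:
            report[group["GroupId"]] = findings
    return report

if __name__ == "__main__":
    # Against a real account: groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for group_id, findings in audit_groups(SAMPLE_GROUPS).items():
        print(group_id, *findings, sep="\n  - ")
```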