5 Not To Ignore Best Practices For Aws Security Groups

To secure AWS resources 24X7 from unwanted attacks, you must always have the right combination of VPC, Network Access Control Lists (NACLs), and AWS Security Groups (SGs).

AWS Security groups are cloud firewalls that help protect applications and data. They restrict access to certain IP addresses or resources. They guard your AWS security perimeter, always, provided you configure them in the right way! Here are five best practices you must never ignore while configuring AWS SGs.

#1 Ensure EC2 SGs Do Not Have Large Range of Ports Open

Large port ranges, when open, expose the instances to unwanted attacks. More than that, they make traceability of vulnerabilities very difficult. For instance, your web servers may only require 80 and 443 ports to be open, but not all.

One of the most common mistakes we observe is users open all ports for range, in a rush to access the instance and later forget to fix it!

When running on EC2 instances, you must expose your apps only to those ports enabled on the corresponding security group level.

#2 Use ELB’s SGs Wisely to Restrict EC2s’ Access to the Internet

Even though a web server’s port 80 or 443 needs access to, it need not be open directly. Use an AWS ELB to receive all incoming traffic from the internet and forward it to these web servers or EC2s, then allow these EC2s to intake incoming traffic from the ELB only. Lock down ingress rules for these instances to the ELB SG. This way, no one will be able to reach the EC2s directly.

#3 Never Keep Unattached Security Groups & Limit Modifications to Only Certain Roles

Security configurations on AWS are dynamic. An administrator can change these configurations anytime. With the presence of unattached SGs, the risk of misconfiguration increases, because it makes it difficult for an administrator to figure out attached and unattached SGs in a large scale infrastructure. Chances of him/her changing the configurations of wrong SGs or accidentally attaching them to public instance becomes high, inadvertently opening up your environment to attacks.

Pro tip: The easiest way to identify unused security groups is to browse through security groups list, select ALL, and click Delete. AWS shows the list of attached SGs and prompts to delete only unattached SGs. Once you hit Delete, only unattached SGs are removed. The best way is to use an automated program doing this as part of your regular audits.

Just like an administrator accidentally misconfiguring SGs, other IAM roles with access to modifying SGs can misconfigure them too. Authorize only specific users to modify resource-specific security groups.

Keep a constant eye on IAM policies with a check on instance metadata, network ACLs, and SGs together. Only selective users must be able to change only a particular security group in a given region so that they can update or modify  as and when needed.

#4 Do Not Ignore Outbound Rules of an SG; Set Restrictions Decisively

By default, an AWS SG does not have any ingress rules, and the outbound ports are open to the Internet. That emphasizes the fact that not only ingress rules need attention. However, egress rules need attention too. So, SGs attached to an application layer should only allow egress connections to the layer where it needs to connect. For instance,  if the web layer is only authorized to initiate connections to the application layer, the egress rules should only point to application-specific ports and specific subnetworks (e.g., VPC, security groups).

#5 Track Rate of Change in SGs’ Creation & its Ports Opening & Closing, in Production

If an SG was created and its port was opened and closed in a very short duration of time, say less than 30 minutes, it typically is a case of suspicious activity. Especially, if it is in the production environment. The best way forward is to parse the AWS Cloud Trail logs in the production environment, compare with usual patterns and monitor the activities.


There are tens of other best practices for AWS Security Group. Like avoiding opening SSH/RDP to other instances of production environment. All these are very important but the above list are  ‘must dos.’ You can use tools like Puppet, Chef, RunDesk, etc. in conjunction with AWS to automate security audits. However, it’s overwhelming to keep a track on all these tools on different dashboards.

Moreover, SGs alone do not help mitigate security risks. Like we said before, the right combination of VPC, NACLs, and SGs make up for the security of your infrastructure.

Having said that, multiple dashboards to monitor and manage all these resources will take the energy out of the team. A single visual console rendering the relationship between all these resources, showing all the port connections with ingress and egress details helps find vulnerabilities in a snap.

TotalCloud Inc. has rolled out a new Security View that will provide visual cues to security loopholes in real-time and in 3D space. Sign-up to try. Want to know how the visual cues to security renders, read this post.

Check out this video that gives a gist of AWS Security Group View:

P.S.: We have listed out top 5 best practices for AWS NACLs for you. Check it out!

5 Not To Ignore Best Practices For Aws Security Groups

Smart Scheduling at your fingertips

Go from simple to smart, real-time AWS resource scheduling to save cost and increase team productivity.

Learn More
More Posts

You Might Also Like

Cloud Computing
How To Migrate To Azure Faster?
Migrating from on premise data centers to a cloud provider is always considered a difficult endeavor. From the cost, to the planning and resource allocation, plenty of preliminary work is gone to setting up a cloud infrastructure. Which is why, Microsoft Azure’s new program stands to benefit many organizations still on the fence about migrating to the cloud.
July 21, 2021
Cloud Computing
Everything You Need To Know About Kubernetes Scheduler
When creating a Kubernetes cluster, scheduling the pod to an available node is an important component of the process. This component works under specific rules and technicalities that I’d like to explore in this article...
September 23, 2020
Cloud Computing
20 Cloud Influencers You Should Be Following in 2020
It’s important to follow the right individuals so that you remain on the loop and always find yourself learning things that you were unaware of. These thought leaders and influencers can only be the avenues by which you meet other interesting technologists.
September 23, 2020
Cloud Automation
New In: No-code cloud management workflows for Azure, VMware & Private Cloud (in addition to AWS)
At TotalCloud, we’ve been enabling workflow-based cloud management for AWS to make it intuitive, accelerated, and no-code. Instead of programming cloud management use cases or depending on siloed solutions, we built out a platform that gives you building blocks to assemble any cloud management solution. 
September 4, 2020
Cloud Computing
List of Essential Kubernetes Tools
Kubernetes is a Container-as-a-Service with tons of unique tools to choose from. External tools play a role in integrating with different systems or maintaining control over the clusters you deploy. Manual health checks and troubleshooting is not ideal to keep a system in full health.This list of tools will provide ample support to your containers and have enough configuration to leave management flexible...
August 12, 2020
AWS Use Case Files
TotalCloud Inventory Actions: Giving a new meaning to Cloud Inventory
Learn how the TotalCloud Inventory Dashboard can become equivalent to your cloud provider’s SDK. Carry out any action on any discovered resource with Inventory Actions.
July 30, 2020