AWS Security Groups: The Access Control Gap Most SMBs Overlook
Security groups are AWS's primary mechanism for controlling network-level access to EC2 instances, RDS databases, Lambda functions, and other services. They work as stateful firewalls: inbound and outbound allow rules determine what traffic is permitted, and the return traffic for an allowed connection is permitted automatically.
In practice, many SMB cloud environments have security groups that were configured quickly during initial setup and never reviewed. The result is rules that are far broader than necessary.
The Most Common Security Group Mistakes
Open inbound 0.0.0.0/0 on port 22 or 3389. These are the SSH and RDP management ports. Exposing them to the entire internet invites automated brute-force scanning. Management access should be limited to specific IP ranges, a bastion host, or AWS Systems Manager Session Manager — which eliminates the need for open ports entirely.
Open inbound 0.0.0.0/0 on database ports. RDS databases running on port 3306 (MySQL), 5432 (PostgreSQL), or 1433 (MSSQL) should never be accessible from the internet. Database traffic should only come from application security groups within the same VPC.
Unused rules that were never cleaned up. Development environments get security group rules added and never removed. Over time these accumulate into a broad surface of unnecessary access.
How to Audit Security Groups
AWS Config has a managed rule called restricted-ssh that flags security groups allowing unrestricted SSH access. AWS Security Hub runs similar checks as part of its foundational security standard. Both are quick to enable and useful for ongoing detection.
For a manual review, filter your security groups in the VPC console for rules with source 0.0.0.0/0 or ::/0. For each open rule, ask whether the source should really be the entire internet or whether it can be scoped to a specific CIDR range or security group reference.
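The manual review above can be scripted. The following is an added example, not Cloudain's tooling: it takes the JSON that `aws ec2 describe-security-groups` prints (the same structure boto3 returns), flags any rule that opens the management or database ports named in this article to 0.0.0.0/0 or ::/0, treats an all-traffic rule (IpProtocol "-1") as covering every port, and leaves security-group-referenced rules alone. The group ids and rules in the sample are constructed.

```python
import json
import sys

# Ports the article calls out: management ports and common database ports.
WATCHED_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}  # "the entire internet", IPv4 and IPv6

def rule_sources(perm):
    """Yield the CIDR sources of one IpPermissions entry (SG references are skipped)."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def rule_covers(perm, port):
    """True if the rule's port range includes `port`; IpProtocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True  # all protocols, all ports: FromPort/ToPort are absent
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False  # the watched services are all TCP
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_open_rules(describe_output):
    """Return (group_id, port, service, cidr) for each watched port open to the internet."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            open_sources = [c for c in rule_sources(perm) if c in ANYWHERE]
            if not open_sources:
                continue  # scoped CIDR or security group reference: not flagged
            for port, service in WATCHED_PORTS.items():
                if rule_covers(perm, port):
                    findings.extend((sg["GroupId"], port, service, c) for c in open_sources)
    return findings

# Constructed sample in the describe-security-groups shape (not real account data).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},  # SG reference: the recommended pattern
    {"GroupId": "sg-0ccc", "GroupName": "dev-leftover", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)  # pipe real output in
    for group_id, port, service, cidr in find_open_rules(data):
        print(f"{group_id}: {service} (port {port}) open to {cidr}")
```

Run it with no input to see the sample findings, or pipe `aws ec2 describe-security-groups` into it to review a real account; HTTPS on 443 is left unflagged because the article's concern is management and database ports.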
Security Group References Over CIDR Ranges
Where possible, use security group references rather than IP ranges. For example: allow port 5432 from the application server security group rather than from a specific IP address. This is more maintainable, since IP addresses change while security group membership is managed centrally, and it is more precise: the rule follows whichever instances belong to the referenced group rather than a particular address.
Cloudain Perspective
Security group reviews are part of Cloudain's standard cloud security assessment. We identify open rules, unused security groups, and opportunities to tighten network access without disrupting application workloads.