
AWS-EC2-9

Open Security Groups

Risk: High

CWE: 284 (Improper Access Control)

Fully open security groups accept inbound traffic from the entire internet, including from geographic locations that bring no business benefit and only add risk.

Details

Security Groups are the primary tool in AWS for controlling network traffic entering and moving within your cloud resources. They are associated with network interfaces, which are in turn attached to instances, load balancers, gateways and other resources. A fully open inbound rule is one whose source is 0.0.0.0/0 (or ::/0 for IPv6) across all protocols and ports. Such a rule is rarely necessary; the exception is where a legal requirement mandates unrestricted public access to information. In every other case, restricting inbound traffic is essential to a strong security posture and to protecting your services.

For Security Groups that only handle traffic inside a VPC, set the inbound source to the private address range assigned to that VPC rather than leaving the rule fully open. In most attachments the effective exposure is the same, because the interface has no public route, but a fully open group is an insecure building block that can later be attached to a public-facing interface elsewhere in your account.

For externally facing Security Groups, such as those attached to load balancers, limit traffic by layering a service with geo-blocking functionality in front of them, such as Amazon CloudFront. This restricts inbound traffic to the regions in which your business legally operates.

Allowing traffic from the entire internet means your services can be reached from regions where sanctions prohibit you from doing business. Since there is no legitimate need to receive traffic from those regions, blocking them is both best practice and a reduction in attack surface. In our experience, regions where business cannot legally be conducted often overlap with known sources of cyber threats, open Security Groups are rarely necessary, and attacks on the resources behind them typically originate from exactly those regions. Where it aligns with your business goals, the loss from blocking them is small or non-existent and the security gain is substantial.

This is the Security Group counterpart of our CloudFront rule A-CF-2, which flags distributions that do not enforce geo-blocking.
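The check described above, written out as an added example (not SkySiege's scanner code): it walks security groups in the shape that `aws ec2 describe-security-groups` (or boto3) returns, reports every inbound rule whose source is the whole internet, and separates the fully open case (all protocols and ports from 0.0.0.0/0 or ::/0) from rules that open specific ports to the world. The three security groups in the sample are constructed for this example.

```python
"""Audit security groups for inbound rules open to the whole internet.

The input has the shape of the EC2 DescribeSecurityGroups response
(`SecurityGroups[].IpPermissions`), which is what
`aws ec2 describe-security-groups` or boto3 returns; the three groups
below are constructed for this example, not taken from a real account.
"""
from ipaddress import ip_network

# Constructed sample: a public load balancer group, an internal group that
# was left fully open, and an internal database group done correctly.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0aaa111", "GroupName": "web-alb", "VpcId": "vpc-0123",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222", "GroupName": "internal-app", "VpcId": "vpc-0123",
        "IpPermissions": [
            # IpProtocol "-1" means every protocol and port: the fully open case.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0ccc333", "GroupName": "internal-db", "VpcId": "vpc-0123",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": [], "PrefixListIds": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bbb222"}]},
        ],
    },
]

WORLD = {ip_network("0.0.0.0/0"), ip_network("::/0")}


def is_world_open(cidr):
    """True when a CIDR source means 'anywhere' (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False) in WORLD


def describe_ports(perm):
    """Readable protocol/port label for one IpPermissions entry."""
    if perm["IpProtocol"] == "-1":
        return "all protocols, all ports"
    if perm.get("FromPort") == perm.get("ToPort"):
        return f"{perm['IpProtocol']}/{perm['FromPort']}"
    return f"{perm['IpProtocol']}/{perm['FromPort']}-{perm['ToPort']}"


def open_ingress_findings(security_groups):
    """One finding per inbound rule whose source includes the whole internet.

    Severity is "high" when the rule is also unrestricted on protocol and
    port (the fully open case this test reports) and "medium" when only
    specific ports are world-reachable, such as 443 on a load balancer that
    should be reviewed against a geo-blocking layer like CloudFront or WAF.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if is_world_open(s)]
            if not world:
                continue
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg["GroupName"],
                "ports": describe_ports(perm),
                "sources": world,
                "severity": "high" if perm["IpProtocol"] == "-1" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in open_ingress_findings(SAMPLE_SECURITY_GROUPS):
        print(f"[{f['severity']:6}] {f['group_id']} ({f['group_name']}): "
              f"{f['ports']} from {', '.join(f['sources'])}")
```

Against the sample, `internal-app` is reported as high (everything from anywhere) and `web-alb` as medium (443 from anywhere on both address families), while `internal-db`, scoped to the VPC range and a referencing security group, produces no finding. Feeding it real data is a matter of replacing `SAMPLE_SECURITY_GROUPS` with the `SecurityGroups` list from the API response for each region.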

Remediation

SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.

As with our CloudFront rule A-CF-2, the technical implementation of blocks is simple, with one caveat: security groups only have allow rules, so geographic blocking in a security group means allowlisting the IP ranges of every region you serve, which quickly exceeds the rule quota (60 inbound rules per security group by default). In practice, security groups are rarely the only protection for a public endpoint, since both CloudFront and AWS WAF provide controls beyond simple IP restrictions.

A common pattern is to expose the application through an Application Load Balancer fronted by CloudFront, or to attach AWS WAF directly to the Application Load Balancer. Both CloudFront (geographic restrictions) and AWS WAF (geo match rules) can block by country, which removes the need to map IP addresses to physical locations yourself.

If using CloudFront in this manner, restrict the load balancer's security group to the AWS-managed prefix list of CloudFront origin-facing IP ranges (com.amazonaws.global.cloudfront.origin-facing) instead of 0.0.0.0/0, so that the only route to your service is through CloudFront. Note that this prefix list counts as 55 rules against the security group's quota, which matters if the group also needs other rules.
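As an added example (not SkySiege's or AWS's code), the remediation above as a rule set: it builds the CloudFront-only and VPC-internal replacement rules in the shape boto3's `authorize_security_group_ingress` takes, splits an existing rule list into the world-open rules to revoke and the rest, and checks the new set against the default inbound quota before anything is applied. The regional prefix list ID and the existing rules are constructed placeholders; the CloudFront list's weight of 55 and the default quota of 60 are AWS's documented values, while unknown prefix lists are counted as 1 here as a simplifying assumption.

```python
"""Build the replacement inbound rules for a load balancer security group
that should accept traffic only from CloudFront, and check the result
against the security group rule quota before applying it.

Rules are shaped like the IpPermissions parameter of the EC2
AuthorizeSecurityGroupIngress / RevokeSecurityGroupIngress APIs, so they
can be handed to boto3 unchanged. This example makes no AWS calls; the
prefix list ID and existing rules below are constructed placeholders.
"""

# Name of the AWS-managed prefix list holding CloudFront's origin-facing
# ranges. Its pl-* ID differs by region; resolve it with
# `aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=<name>`.
CLOUDFRONT_ORIGIN_FACING = "com.amazonaws.global.cloudfront.origin-facing"

# Quota accounting: a CIDR or security-group reference counts as 1 rule and a
# prefix list counts as its entry capacity. AWS documents the CloudFront
# origin-facing list's weight as 55 against the default of 60 inbound rules
# per security group (raise the quota via Service Quotas if you need more).
# Assumption for this example: prefix lists not in this table count as 1;
# substitute their MaxEntries from describe-managed-prefix-lists for real use.
PREFIX_LIST_WEIGHTS = {CLOUDFRONT_ORIGIN_FACING: 55}
DEFAULT_INBOUND_RULE_QUOTA = 60

WORLD_SOURCES = {"0.0.0.0/0", "::/0"}


def cloudfront_only_ingress(prefix_list_id, ports=(443,)):
    """Inbound rules that admit only CloudFront's origin-facing ranges."""
    return [
        {
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "PrefixListIds": [{"PrefixListId": prefix_list_id,
                               "Description": "CloudFront origin-facing only"}],
        }
        for port in ports
    ]


def vpc_internal_ingress(vpc_cidr, protocol, from_port, to_port):
    """Rule for an internal service, scoped to the VPC's range instead of 0.0.0.0/0."""
    return [{
        "IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
        "IpRanges": [{"CidrIp": vpc_cidr, "Description": "VPC internal only"}],
    }]


def split_world_open(permissions):
    """Separate rules to revoke (a source is 0.0.0.0/0 or ::/0) from rules to keep."""
    revoke, keep = [], []
    for perm in permissions:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        (revoke if WORLD_SOURCES & set(sources) else keep).append(perm)
    return revoke, keep


def rule_weight(perm, prefix_list_names=None):
    """Quota units consumed by one IpPermissions entry."""
    prefix_list_names = prefix_list_names or {}
    weight = len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
    weight += len(perm.get("UserIdGroupPairs", []))
    for pl in perm.get("PrefixListIds", []):
        name = prefix_list_names.get(pl["PrefixListId"], "")
        weight += PREFIX_LIST_WEIGHTS.get(name, 1)
    return weight


def check_quota(permissions, prefix_list_names=None, quota=DEFAULT_INBOUND_RULE_QUOTA):
    """Total weight of a rule set and whether it fits the inbound quota."""
    total = sum(rule_weight(p, prefix_list_names) for p in permissions)
    return {"weight": total, "quota": quota, "fits": total <= quota}


if __name__ == "__main__":
    # Constructed placeholders: the regional ID of the CloudFront prefix list
    # and an existing ALB rule set that is open to the world on 80 and 443.
    pl_id = "pl-0123456789abcdef0"
    names = {pl_id: CLOUDFRONT_ORIGIN_FACING}
    existing = [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]
    revoke, keep = split_world_open(existing)
    print(f"revoke {len(revoke)} world-open rules, keep {len(keep)}")
    # 443 only from CloudFront fits the default quota; adding 80 does not.
    for ports in ((443,), (80, 443)):
        print(ports, check_quota(cloudfront_only_ingress(pl_id, ports), names))
```

The quota check is the practical point: the CloudFront prefix list on port 443 alone uses 55 of the default 60 inbound rules, so referencing it on both 80 and 443 (weight 110) fails until the quota is raised. Terminating plain HTTP at CloudFront and sending only HTTPS to the origin keeps the group within the default; otherwise request the increase before revoking the old rules, so the load balancer is never left without an ingress path.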

Architectural design decisions such as this can be discussed with our architectural support team, who are happy to talk through the patterns that suit your use case:

Architectural Guidance

Related Tests