The EC2 Security Group Mistake Your Dev Team Is Probably Making — And Why It’s a Hacker’s Dream

You’re scaling fast. Your devs are shipping features. EC2 instances are spinning up on autopilot. And buried in that glorious CI/CD pipeline is a lazy security group rule like this:

0.0.0.0/0 → SSH (port 22)

No IP restriction. No bastion host. No multi-factor. Just wide-open doors. And guess what? It’s shockingly common. Not because your team is reckless, but because EC2 security groups are too easy to ignore — until someone makes you pay attention the hard way.

Why Most Teams Ignore EC2 Security Groups

Honestly? Because they’re boring. Security groups feel like one of those “we’ll fix it later” things.

  • No part of the app logic
  • No CI breakage
  • Invisible until disaster

And AWS doesn’t help:

  • The default security group in a default VPC allows all traffic between instances that share it, and all outbound traffic, so reusing it hides who can talk to what.
  • The console launch wizard pre-fills an SSH rule and offers "Anywhere (0.0.0.0/0)" as a one-click source.
  • Security groups don't scream when misused. Nothing fails, nothing logs by itself; they just quietly leave you exposed.

The Real-World Costs of Lazy Security Groups

Let’s go beyond fear and get into what happens:

1. You get hit by botnets scanning for open ports.

Within minutes of launching a public EC2 instance, automated scanners hit you. If your SSH is open globally and no fail2ban or MFA is set up? It’s game on.

2. You leak internal services unintentionally

We once found an internal API — meant for inter-service calls — publicly exposed. Why? Someone reused a security group that had 0.0.0.0/0 on port 3000.

3. You become a jump point for lateral movement.

Compromised EC2 → instance-role credentials pulled from the metadata service → RDS, S3, and whatever else that role is allowed to touch → IAM if the role can touch that too.

Attackers don't need root on the box. A shell as any user can read the instance role's credentials, and from there the blast radius is the role's policy, not the instance.

The 5 Things Every EC2 Security Group Should Be Doing

This is what we now enforce across all environments — dev, staging, and prod. No exceptions:

1. No Global SSH Access (Ever)

- 0.0.0.0/0 → port 22 BAD
+ YourOfficeIP/32 or BastionHostSG → port 22 GOOD

If you need global SSH, you're not set up for remote access. You're set up for remote exploitation. Better still, ask whether port 22 needs an inbound rule at all: AWS Systems Manager Session Manager and EC2 Instance Connect Endpoint give you a shell with IAM-controlled, logged access and no open port.

2. One Purpose Per Security Group

Don’t mix everything in one SG. Each group should represent a single intention:

  • Web servers
  • Internal APIs
  • DB access
  • CI/CD agents

This way, you know what you’re allowing — and why.

3. Use Tags to Force Accountability

Every security group should be tagged with:

  • Owner (email or Slack)
  • Environment
  • Purpose
  • LastReviewed

You’d be shocked at how fast people clean up rules when their name is attached.

4. Regular Ingress Audits (Automated or Manual)

We run a weekly script that:

  • Flags security groups with 0.0.0.0/0
  • Diffs recent changes
  • Sends a Slack message to the owner

You can do the same with a Lambda or third-party tool like Prowler, ScoutSuite, or AWS Config.

5. No Security Group Without a Description

If you can't describe what a rule is for in plain English, it shouldn't exist. AWS forces a description on the group itself, but per-rule descriptions are optional, and those are the ones that matter: a year later, "tcp/3000 from 0.0.0.0/0" with no description is a ghost rule nobody will own. Requiring both has kept us from inheriting rules no one wanted to claim.

Treat Security Groups Like Code, Not Afterthoughts

Here’s the biggest mindset change that saved us:

If it affects access, it affects availability and trust.

Security groups are not “just infra.” They are part of your app’s architecture. A leaky group is no different from a broken auth system. And guess what? Attackers know EC2 security groups are where devs get lazy.

What You Can Do Right Now (That Takes <10 Minutes)

  1. Go to EC2 → Security Groups
  2. Filter inbound rules by source 0.0.0.0/0 (and ::/0, the IPv6 equivalent people forget)
  3. Sort by open ports
  4. Ask, "Why does this need to be public?"
  5. Lock down or replace with scoped SGs that reference other SGs instead of CIDRs

That 10-minute audit? It might save you from the $100,000 “postmortem plus audit” combo you don’t want.
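Here is the weekly audit from point 4 and the 10-minute manual check above, scripted as one offline policy pass over the JSON that `aws ec2 describe-security-groups` returns. This is an added example for this post, not the author's own script. The three security groups in it are constructed sample data (the group IDs are placeholders, not real IDs), and the policy choices are assumptions you should adjust: the four required tags from point 3, world-open ingress tolerated only on 80/443 when the group is tagged Purpose=web, and SG-to-SG references treated as the scoped form we want.

```python
"""Offline audit of `aws ec2 describe-security-groups` output.

Flags what the post bans: ingress from anywhere (0.0.0.0/0 or ::/0),
missing accountability tags, and rules with no description.
Feed it real output with:  aws ec2 describe-security-groups > sgs.json
The SAMPLE below is constructed for this example, not from a real account.
"""
import ipaddress
import json
import sys

# Assumed policy: the tags from point 3, and only a web-tier group may accept
# HTTP/HTTPS from the whole internet. Tune these to your environment.
REQUIRED_TAGS = {"Owner", "Environment", "Purpose", "LastReviewed"}
PUBLIC_OK = {(80, 80), (443, 443)}

SAMPLE = json.loads(r'''
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web-prod", "Description": "Public web tier",
   "Tags": [{"Key": "Owner", "Value": "web-team@example.com"},
            {"Key": "Environment", "Value": "prod"},
            {"Key": "Purpose", "Value": "web"},
            {"Key": "LastReviewed", "Value": "2025-11-01"}],
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS from internet"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "HTTPS from internet"}],
      "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0bastion", "Description": "SSH from bastion"}]}]},
  {"GroupId": "sg-0bbb", "GroupName": "internal-api", "Description": "Inter-service API",
   "Tags": [{"Key": "Environment", "Value": "staging"},
            {"Key": "Purpose", "Value": "internal-api"}],
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"},
                   {"CidrIp": "10.0.0.0/8", "Description": "VPC CIDR"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "launch-wizard-3",
   "Description": "launch-wizard-3 created 2025-10-02", "Tags": [],
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
''')


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: any prefix of length zero matches everything."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict) -> tuple:
    """IpProtocol "-1" means all traffic and carries no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_group(sg: dict) -> list:
    """Return a list of human-readable findings for one security group."""
    findings = []
    tags = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}
    missing = sorted(REQUIRED_TAGS - tags.keys())
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    for perm in sg.get("IpPermissions", []):
        lo, hi = port_range(perm)
        proto = perm.get("IpProtocol", "-1")
        # Every source kind AWS can put on a rule: IPv4 CIDR, IPv6 CIDR, SG reference.
        sources = [(r["CidrIp"], r.get("Description", "")) for r in perm.get("IpRanges", [])]
        sources += [(r["CidrIpv6"], r.get("Description", "")) for r in perm.get("Ipv6Ranges", [])]
        sources += [(p["GroupId"], p.get("Description", "")) for p in perm.get("UserIdGroupPairs", [])]
        for src, desc in sources:
            label = f"{proto} {lo}-{hi} from {src}"
            if not desc.strip():
                findings.append("rule without description: " + label)
            if src.startswith("sg-"):
                continue  # SG-to-SG reference: scoped by construction
            public_by_design = tags.get("Purpose") == "web" and (lo, hi) in PUBLIC_OK
            if is_world_open(src) and not public_by_design:
                findings.append("world-open ingress: " + label)
    return findings


def audit(doc: dict) -> dict:
    """Map GroupId -> findings, for groups that have at least one."""
    result = {}
    for sg in doc["SecurityGroups"]:
        found = audit_group(sg)
        if found:
            result[sg["GroupId"]] = found
    return result


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for group_id, found in audit(data).items():
        print(group_id)
        for line in found:
            print("  -", line)
```

Run it against the sample and only the two groups the post warns about come back: the reused internal-API group with port 3000 open to the world and no Owner, and the launch-wizard leftover with global SSH. The web tier passes because its world-open rules are 443 only, described, and its SSH rule references the bastion's group rather than a CIDR. Rules whose source is a managed prefix list are not examined here; add `PrefixListIds` handling if you use them. To close the loop from point 4, wire the output into a Lambda on a schedule and post each group's findings to the Slack handle in its Owner tag.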

Don’t Be the Headline

Most breaches don’t start with a genius hack. They start with someone reusing a bad security group because “it worked last time.” Don’t be that team. Start with visibility. Then move toward policy. Then automate it. And please — lock down SSH before someone else walks in.
