EC2 - should security groups be specialized and stacked?

AWS limits the number of groups you can apply to a network interface: Security groups per network interface: 5

A common approach is to create SGs such that it's easy to update your fleet of servers, but in a way that still makes sense for all the hosts they're applied to.

Consider these points

These factors will shape what you'll want to open up for your instance security groups.

  • Use NACLs for coarse-grained permissions
  • Use SGs for more specific access
  • Put your instances in a private subnet (this advice is for non-public-facing instances, e.g. where you've used an ELB to connect to your web instance)

A generic approach

Given all this, a common approach would be:

  • All Instances get a common security group (this has rules you want applied for every instance)
  • Each Instance has a role, like "web server" or "mail server" or "postgres db" and each role has an associated security group
  • Your specific instance may have an additional security group for any customisations that aren't covered by the first two groups

Variations on the "common" SG:

  • "common_linux OR common_windows"
  • "common" AND "common_linux OR common_windows".