EC2 - should security groups be specialized and stacked?
AWS limits the number of groups you can apply to a network interface: "Security groups per network interface: 5".
A common approach is to create SGs such that it's easy to update your fleet of servers, but in a way that still makes sense for all the hosts they're applied to.
Consider these points
These factors will shape what you'll want to open up for your instance security groups.
- Use NACLs for coarse-grained permissions
- Use SGs for more specific access
- Put your instances in a private subnet (this advice is for non-public-facing instances, e.g. where you've used an ELB to connect to your web instance)
A generic approach
Given all this, a common approach would be:
- All Instances get a common security group (this has rules you want applied for every instance)
- Each Instance has a role, like "web server" or "mail server" or "postgres db" and each role has an associated security group
- Your specific instance may have an additional security group for any customisations that aren't covered by the first two groups
Variations on the "common" SG:
- "common_linux OR common_windows"
- "common" AND "common_linux OR common_windows".
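The following is an added example, not code from the original answer or from AWS. It models the layering the answer describes: a subnet NACL evaluated first (ordered, with explicit deny), then the union of every security group stacked on the interface (allow-only), with the per-interface limit of 5 enforced at attach time. The NACL, the groups ("common", "role_web", "role_postgres", "web01_extra", "elb") and all addresses are constructed sample data.

```python
"""Model of stacked EC2 security groups behind a subnet NACL (added example).

Security groups are allow-only; when several are attached to one network
interface their rules are unioned. NACLs are ordered, support explicit deny,
and are evaluated before the security groups, so a packet must pass both.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

MAX_SG_PER_ENI = 5  # the per-interface limit quoted in the answer


@dataclass(frozen=True)
class SgRule:
    proto: str        # "tcp", "udp", "icmp" or "-1" for all traffic
    from_port: int
    to_port: int
    source: str       # CIDR, or "sg:<name>" to reference another group


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluation order; lowest matching number wins
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str       # "allow" or "deny"


def _proto_port_match(rule_proto: str, lo: int, hi: int, proto: str, port: int) -> bool:
    if rule_proto == "-1":
        return True
    return rule_proto == proto and lo <= port <= hi


def nacl_allows(rules: List[NaclRule], proto: str, port: int, src_ip: str) -> bool:
    """First matching rule in numeric order decides; no match means deny."""
    src = ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if _proto_port_match(r.proto, r.from_port, r.to_port, proto, port) and src in ip_network(r.cidr):
            return r.action == "allow"
    return False


def sg_allows(attached: Dict[str, List[SgRule]], proto: str, port: int,
              src_ip: str, src_groups: Iterable[str] = ()) -> bool:
    """Union of every attached group's ingress rules; any single match allows."""
    src = ip_address(src_ip)
    src_groups = set(src_groups)
    for rules in attached.values():
        for r in rules:
            if not _proto_port_match(r.proto, r.from_port, r.to_port, proto, port):
                continue
            if r.source.startswith("sg:"):
                if r.source[3:] in src_groups:   # source ENI carries the referenced group
                    return True
            elif src in ip_network(r.source):
                return True
    return False


def attach(all_groups: Dict[str, List[SgRule]], names: List[str]) -> Dict[str, List[SgRule]]:
    """Stack groups on an interface, refusing more than the AWS limit."""
    if len(names) > MAX_SG_PER_ENI:
        raise ValueError(f"{len(names)} groups exceeds limit of {MAX_SG_PER_ENI} per interface")
    return {n: all_groups[n] for n in names}


def ingress_permitted(nacl: List[NaclRule], attached: Dict[str, List[SgRule]],
                      proto: str, port: int, src_ip: str, src_groups: Iterable[str] = ()) -> bool:
    """A packet must clear the subnet NACL and then at least one stacked SG rule."""
    return nacl_allows(nacl, proto, port, src_ip) and sg_allows(attached, proto, port, src_ip, src_groups)


# Constructed sample data: a private subnet NACL and the common/role/instance groups.
SUBNET_NACL = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # HTTPS may arrive from anywhere
    NaclRule(110, "-1", 0, 65535, "10.0.0.0/16", "allow"),     # anything from inside the VPC
    NaclRule(120, "tcp", 22, 22, "0.0.0.0/0", "deny"),         # explicit: no SSH from outside
]
GROUPS = {
    "common": [SgRule("tcp", 22, 22, "10.0.1.0/24")],                   # SSH from bastion subnet only
    "role_web": [SgRule("tcp", 80, 80, "sg:elb"), SgRule("tcp", 443, 443, "sg:elb")],
    "role_postgres": [SgRule("tcp", 5432, 5432, "sg:role_web")],        # DB reachable from web tier
    "web01_extra": [SgRule("tcp", 9100, 9100, "10.0.2.0/24")],          # instance-specific: metrics scraper
    "elb": [],
}
WEB01 = attach(GROUPS, ["common", "role_web", "web01_extra"])

if __name__ == "__main__":
    print("443 from ELB:", ingress_permitted(SUBNET_NACL, WEB01, "tcp", 443, "10.0.3.10", {"elb"}))
    print("22 from bastion:", ingress_permitted(SUBNET_NACL, WEB01, "tcp", 22, "10.0.1.7"))
    print("22 from internet:", ingress_permitted(SUBNET_NACL, WEB01, "tcp", 22, "198.51.100.9"))
    print("8080 from VPC:", ingress_permitted(SUBNET_NACL, WEB01, "tcp", 8080, "10.0.5.5"))
```

The last two checks show why the layering matters: the NACL alone blocks internet SSH even if someone later adds a permissive rule to an instance-specific group, and a VPC-internal port that no stacked group opens stays closed even though the NACL lets VPC traffic through.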