Security Group Rule Linter

About This Tool

AWS Security Groups act as virtual firewalls for EC2 instances, RDS databases, and other VPC resources. A single overly permissive rule — like allowing 0.0.0.0/0 on port 22 — can expose critical infrastructure to the entire internet. This linter analyzes your security group rules against AWS best practices and CIS Benchmark recommendations, flagging issues like unrestricted inbound access, overly broad port ranges, and rules that allow all traffic (protocol -1). It provides severity ratings and specific remediation guidance for each finding.

When to Use This Tool

• •Auditing security groups before a compliance review to identify CIS Benchmark violations and remediate them proactively
• •Reviewing proposed security group changes in pull requests to catch overly permissive rules before they reach production
• •Scanning existing security groups for rules that allow SSH (22), RDP (3389), or database ports (3306, 5432) from 0.0.0.0/0
• •Validating that security groups follow organizational standards like restricting management ports to specific CIDR blocks

Frequently Asked Questions

Why is allowing 0.0.0.0/0 on any port considered a security risk?

The CIDR 0.0.0.0/0 matches every IPv4 address on the internet. When combined with a specific port, it means anyone worldwide can attempt to connect to that service. For management protocols like SSH or RDP, this exposes you to brute-force attacks, credential stuffing, and exploitation of unpatched vulnerabilities. Even for web traffic on ports 80/443, you should use a load balancer or CloudFront distribution as the entry point rather than exposing instances directly.

What is the difference between security groups and NACLs?

Security groups are stateful — if you allow inbound traffic, the response is automatically allowed outbound. They operate at the instance level and only support allow rules. Network ACLs (NACLs) are stateless, operate at the subnet level, support both allow and deny rules, and evaluate rules in numbered order. Most teams use security groups as the primary control and NACLs as a secondary defense layer for subnet-wide restrictions.

How many rules can a security group have?

By default, each security group can have up to 60 inbound and 60 outbound rules. This limit can be increased to 200 by requesting a quota adjustment, but the product of security groups per interface multiplied by rules per group cannot exceed 1,000. If you are hitting limits, consolidate rules using broader CIDR blocks or reference other security groups as sources instead of individual IPs.