Analyze security group rules for overly permissive access and best-practice violations.
Last verified: April 2026
The linter parses each security group rule and evaluates it against a configurable rule set. It checks source CIDR ranges against known risky patterns (0.0.0.0/0, ::/0), validates port ranges for common services (SSH, RDP, databases, admin interfaces), detects overly broad protocol rules (protocol -1 means all traffic), and flags rules missing descriptions. Each finding gets a severity score based on the combination of exposure (internet vs VPC) and service sensitivity (management vs application ports).
AWS Security Groups act as virtual firewalls for EC2 instances, RDS databases, and other VPC resources. A single overly permissive rule — like allowing 0.0.0.0/0 on port 22 — can expose critical infrastructure to the entire internet. This linter analyzes your security group rules against AWS best practices and CIS Benchmark recommendations, flagging issues like unrestricted inbound access, overly broad port ranges, and rules that allow all traffic (protocol -1). It provides severity ratings and specific remediation guidance for each finding.
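The checks described above, implemented as an added Python example (not the tool's own browser-side code). The rule dicts follow the shape of EC2 IpPermissions entries (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); the sensitive-port table and the sample group are constructed for illustration.

```python
"""Added example of the checks described above (not the tool's own code).
Rules are constructed dicts shaped like EC2 IpPermissions entries."""
import ipaddress

ANY_CIDR = {"0.0.0.0/0", "::/0"}
# Management / database ports treated as sensitive (constructed table)
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 6379: "Redis", 27017: "MongoDB", 5900: "VNC"}

def exposure(cidr):
    """internet = anyone; vpc = private space; restricted = a specific public prefix."""
    if cidr in ANY_CIDR:
        return "internet"
    return "vpc" if ipaddress.ip_network(cidr, strict=False).is_private else "restricted"

def severity(exp, sensitive):
    """Score = exposure x service sensitivity."""
    if exp == "internet":
        return "CRITICAL" if sensitive else "HIGH"
    return "MEDIUM" if sensitive else "LOW"

def lint_rule(rule):
    """Return (severity, message) findings for one inbound IpPermissions entry."""
    findings = []
    proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
    sources = [(r["CidrIp"], r.get("Description")) for r in rule.get("IpRanges", [])]
    sources += [(r["CidrIpv6"], r.get("Description")) for r in rule.get("Ipv6Ranges", [])]
    for cidr, desc in sources:
        exp = exposure(cidr)
        if proto == "-1":                          # -1 = every protocol and port
            findings.append((severity(exp, True), f"all traffic allowed from {cidr}"))
        elif proto in ("tcp", "udp"):
            hits = [n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            if exp == "internet" or hits:
                svc = ", ".join(hits) or "application port"
                findings.append((severity(exp, bool(hits)), f"{svc} {lo}-{hi} open from {cidr}"))
            if hi - lo >= 1000:                    # 0-65535 is 'all traffic' in disguise
                findings.append((severity(exp, True), f"broad port range {lo}-{hi} from {cidr}"))
        if not desc:
            findings.append(("LOW", f"rule for {cidr} has no description"))
    return findings

# Constructed sample: the forgotten PostgreSQL rule from the scenario, plus one sane rule.
SAMPLE_GROUP = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "ALB to app tier"}]},
]
```

Feeding the `IpPermissions` list returned by `describe_security_groups` through `lint_rule` per entry gives the same findings for real groups.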
During a quarterly access review, your security team runs all 47 production security groups through the linter. It flags 3 groups with 0.0.0.0/0 on port 5432 (PostgreSQL). Investigation reveals a developer opened them 6 months ago for a quick test and forgot to remove them. The databases were protected by password auth only, exposed to the internet for half a year.
Security groups referencing other security groups (sg-xxxxx as source) are more maintainable than IP-based rules. When instances scale, the rules automatically apply to new members of the referenced group.
AWS Config rule 'restricted-common-ports' can continuously monitor for the exact issues this linter catches. Use this tool to fix existing violations, then enable the Config rule to prevent new ones.
If you need temporary wide-open access for debugging, add a rule with a description like 'TEMP-DEBUG-REMOVE-BY-2026-04-10'. Then set a CloudWatch Events rule to alert if it's still there after the date.
The CIDR 0.0.0.0/0 matches every IPv4 address on the internet. When combined with a specific port, it means anyone worldwide can attempt to connect to that service. For management protocols like SSH or RDP, this exposes you to brute-force attacks, credential stuffing, and exploitation of unpatched vulnerabilities. Even for web traffic on ports 80/443, you should use a load balancer or CloudFront distribution as the entry point rather than exposing instances directly.
Security groups are stateful — if you allow inbound traffic, the response is automatically allowed outbound. They operate at the instance level and only support allow rules. Network ACLs (NACLs) are stateless, operate at the subnet level, support both allow and deny rules, and evaluate rules in numbered order. Most teams use security groups as the primary control and NACLs as a secondary defense layer for subnet-wide restrictions.
By default, each security group can have up to 60 inbound and 60 outbound rules. This limit can be increased to 200 by requesting a quota adjustment, but the product of security groups per interface multiplied by rules per group cannot exceed 1,000. If you are hitting limits, consolidate rules using broader CIDR blocks or reference other security groups as sources instead of individual IPs.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.