Check that the permissions actually granted are the ones you intended, since developers often create open security groups for testing and forget to close them before moving them to production.
AWS Config provides rules such as restricted-ssh that detect security groups with SSH (port 22) open to any IP address, which is poor practice. We recommend AWS Systems Manager Fleet Manager, which does not require opening any inbound ports, or hardened bastion hosts.
If you run Microsoft Windows workloads, you can use AWS Systems Manager Session Manager for PowerShell access, but you still need bastions for Remote Desktop Protocol (RDP) access. The AWS Config restricted-common-ports rule, with port 3389 given as one of its parameters, detects security groups with RDP open to the world.
Another recommendation is to reference other security groups as the source of a rule instead of CIDR ranges, for example in a web application:
In this way, web instances only accept traffic that comes from the ALB (where you can attach AWS WAF), ensuring that all inbound traffic to the web instances has been inspected. The database only accepts requests from the web servers, and when Auto Scaling launches a new instance it joins the same security group and can reach the database without any rule changes.
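The two checks above (SSH and RDP open to any IP, and security-group references instead of CIDR sources) can be exercised offline against describe-security-groups style data. This is an added example, not code from the original post; the group ids and rules are constructed, and `rule`, `find_world_open` and `reference_sources` are hypothetical helper names.

```python
# Added example (not from the original post): audit security-group ingress rules
# the way the AWS Config checks above do. Input is a constructed subset of the
# shape EC2 DescribeSecurityGroups returns; no AWS call is made.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
WATCHED_PORTS = {22: "SSH", 3389: "RDP"}   # restricted-ssh / restricted-common-ports

def rule(proto, lo, hi, cidrs=(), groups=()):
    """Build one IpPermissions entry (IPv4 and IPv6 CIDRs, or group references)."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed sample: ALB open on 443, web admits only the ALB SG, DB admits only
# the web SG, and a forgotten test group with SSH and RDP open to everyone.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb",  "IpPermissions": [rule("tcp", 443, 443, ["0.0.0.0/0"])]},
    {"GroupId": "sg-web",  "IpPermissions": [rule("tcp", 80, 80, groups=["sg-alb"])]},
    {"GroupId": "sg-db",   "IpPermissions": [rule("tcp", 3306, 3306, groups=["sg-web"])]},
    {"GroupId": "sg-test", "IpPermissions": [rule("tcp", 22, 22, ["0.0.0.0/0", "::/0"]),
                                             rule("-1", -1, -1, ["10.0.0.0/8"]),
                                             rule("tcp", 3000, 4000, ["0.0.0.0/0"])]},
]

def _covers(perm, port):
    """True if the permission's port range includes port ('-1' means all traffic)."""
    return perm["IpProtocol"] == "-1" or perm["FromPort"] <= port <= perm["ToPort"]

def find_world_open(groups, ports=WATCHED_PORTS):
    """Return sorted (group_id, service) pairs where a watched port is open to the world."""
    findings = set()
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm["IpRanges"]}
            cidrs |= {r["CidrIpv6"] for r in perm["Ipv6Ranges"]}
            if cidrs & WORLD_CIDRS:
                findings.update((g["GroupId"], name) for port, name in ports.items()
                                if _covers(perm, port))
    return sorted(findings)

def reference_sources(groups):
    """Map each group id to the group ids it admits by reference rather than by CIDR."""
    return {g["GroupId"]: sorted(p["GroupId"] for perm in g["IpPermissions"]
                                 for p in perm["UserIdGroupPairs"]) for g in groups}

if __name__ == "__main__":
    for gid, svc in find_world_open(SAMPLE_GROUPS):
        print(f"{gid}: {svc} open to the world")
    print(reference_sources(SAMPLE_GROUPS))
```

Note that the wide 3000-4000 range and an all-traffic (`-1`) rule are caught too, which is why port-range checks rather than exact-port matches are used.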