Blog ENG - AWS - Post 3 2025
As someone who spends a lot of time untangling cloud network policies in multi-account, multi‑VPC environments, I’ve come to see security groups as both a powerful control and a chronic source of drift. You start with clean intent and before long you’re copy‑pasting rules across VPCs, reconciling differences, and chasing down who changed what last week.
Two Amazon VPC capabilities tackle that operational friction head‑on: Security Group VPC Associations and Shared Security Groups. Together, they make it practical to define a rule set once and reuse it across VPCs and even across accounts (in a shared‑VPC model).
Why it matters
Security Group VPC Associations
You can associate a single, non‑default security group with multiple VPCs in the same Region and account, then attach that group to resources in any of those VPCs. Update the rules in one place; the change propagates wherever the group is used. This is ideal for organization‑wide baselines.
Key constraints to keep in mind:
- The security group and the VPCs must be in the same Region.
- You cannot associate default security groups or use default VPCs.
- To delete an associated security group, you must disassociate it from all VPCs and ensure no ENIs in those VPCs still reference it.
Shared Security Groups (with AWS Organizations + RAM)
In a shared‑VPC model (owner account shares subnets with participant accounts), the VPC owner can share selected security groups with participant accounts. Participants can then use (but not modify) those shared groups on their workloads deployed in the shared subnets, giving you consistent, centrally managed controls across teams without duplicating rules everywhere.
Important governance facts:
- Sharing works only within the same AWS Organization, with resource sharing enabled.
- The owner must own both the VPC and the security group; default groups/VPCs cannot be shared.
- Participants can describe and use shared groups, but cannot change rules.
How to apply these features in real life
Pattern 1: Organization‑wide baselines via VPC Associations
Define purpose‑specific baseline groups once and associate them with every VPC that hosts those tiers in the Region. When you tighten a rule (say, restrict port 80 to enterprise prefix lists), the change automatically applies across VPCs. Combine this with security group referencing to keep relationships explicit and maintainable.
Pattern 2: Centralized control in shared VPCs via Shared Security Groups
If your networking team owns a shared “landing zone” VPC, publish shared security groups and grant participants the ability to use them. You keep policy ownership and visibility in one place; they get a consistent set of guardrails without bespoke copies.
Quotas and “gotchas” you should plan for
- Per‑ENI security group limit (minimum applies): When a participant uses any shared security group on an ENI, AWS enforces the lower “security groups per ENI” quota between the owner and participant. If the owner’s quota is 4 and the participant’s is 5, that ENI is limited to 4 groups total. Design your attachments with this in mind (e.g., consolidate rules to fewer groups).
- Rules per security group: Rule edits on a shared group are checked against the owner’s “inbound/outbound rules per SG” quota. Avoid hitting limits by using managed prefix lists and SG references to reduce rule count.
- Deletion workflows: You cannot delete a security group that’s still associated to VPCs or attached to any ENI. Build disassociation steps into your automation and drift‑cleanup jobs.
- Scope boundaries: Associations are Region‑local and account‑local; sharing is Organization‑local. Factor that into multi‑Region rollouts and account topology.
Service coverage (what you can attach to)
The associations/sharing model works with core services you’d expect in VPCs, including Amazon EC2, Application Load Balancer, Network Load Balancer, Amazon EKS, Amazon EFS, AWS PrivateLink, and others. That keeps most common architectures in play without special‑case workarounds.
Practical tips & pitfalls
- Prefer SG references over CIDRs where possible: it reads like policy (“ALB can talk to Web”) and avoids brittle IP lists.
- Prefix lists are your friend for controlled ingress/egress; they also help tame rule counts.
- Tag everything. Tag groups with purpose, owner, environment, and whether they’re associated or shared; build lifecycle automation around those tags (makes future cleanup and audits much easier).
- Change management matters. A single edit to a widely associated/shared group affects many workloads. Treat baselines as controlled artifacts with approvals and staged rollouts.
- Know your boundaries. Associations won’t jump Regions or accounts; sharing won’t jump Organizations. Plan reproducibility per Region/account.
Final thoughts
For years, the lack of native reuse forced teams into a copy‑and‑tweak approach for security groups across VPCs and accounts. VPC Associations and Shared Security Groups change the dynamic: you can model intent once, apply it everywhere it belongs, and keep governance central without stifling team autonomy. If you’ve been fighting SG sprawl, these features are the cleanest path I’ve seen to consistency with agility. Start small: codify two or three baselines, associate them broadly, and publish them to shared VPCs. Then iterate. The payoff is immediate: fewer diffs to reconcile, fewer surprises during audits, and a network policy surface that stays aligned with how your architecture actually works.