TLDR
We have a long list of IP addresses in a single security group which is hard to manage. AWS makes it feel like you can have nested groups, but you can't. Am I right?
Background
I do not have any problems with configuring and using security groups. The question is more nuanced, this sets the background.
We have security groups configured to whitelist access to development instances/services. Due to our configuration pattern being a whitelist, we constantly have to add new IP addresses all the time, depending on where members of the team are working from. And crappy ISPs without static IP addresses.
This is not the problem. But picture a growing mess of IP addresses.
Problem
Occasionally we like to expunge this whitelist (because crappy ISPs) and make sure the IP addresses are relevant, up-to-date and should still be on the whitelist.
We are finding ourselves reluctant to do this as currently the only way to effectively "clean" the whitelist is to bin and start over.
AWS does not seem to present a neat way of either labelling records in security group rules, or to allow nested security groups.
Current Work Arounds
Have lots (potentially hundreds) of separate security groups, and make sure these are always attached to the relevant services.
Pro: easy to label/identify IP addresses (eg Bob's Home IPs) so Bob can remove the old IP address and replace with his new one.
Con: Each security group must be attached to the relevant instances and this list could get quite long.
Keep a separate IP/lookup list, and have one security group
Pro: Means you only need one security group.
Con: Having to keep two lists up-to-date, not very practical and you will get mis-matches.
Automation of some kind. Build a service which periodically checks the security group, and stores these IPs in DynamoDB along with some basic geo-ip/ISP information. Use as a reference.
Pro: like #2 but automated. Not 100% accurate because geo-ip lookups never are.
Con: Have to write and maintain the utility for something that feels like it should already exist.
Hopeful Solutions
Sub/nested security groups. The AWS configuration interface actually implies you can do this - but it does not work as expected. EG primary security group has rules which allow inbound traffic from other security groups - these in turn have the IP addresses logically grouped together.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
When you specify a security group as the source for a rule, this allows instances associated with the source security group to access instances in the security group. (Note that this does not add rules from the source security group to this security group.)
I find that documentation a little contradictory. From experimentation it does not work.
Label each record. This plainly doesn't exist and would be a feature request for AWS.
Am I missing something? How do other people manage large security groups?
