There is no such thing as "Nested security groups".
In your question, you say "sg-teamA - IPs of team A members - all tcp". It appears you are using Security Groups as a way of listing IP addresses that you want to use as a source for Security Group B. However, this is not how security groups work.
The Inbound rules on a security group act like a firewall, determining what traffic can come into an EC2 instance. Rules define an IP address and a Port that are permitted access.
For example:
- Permit access from 54.22.33.44 on port 3389
Also, instead of specifying an IP address, Security Groups can refer to other security groups.
For example:
- Security Group A is associated with EC2 instance A
- Security Group B has an Inbound rule referring to Security Group A on port 3389
- Result: Security Group B will permit inbound access from any EC2 instance that is associated with Security Group A (To clarify: Any instance that has Security Group A as one of its listed security groups will be allowed to access resources protected by Security Group B, on port 3389)
If you have a list of external IP addresses (not related to EC2 instances) and you wish to permit them to access resources protected by Security Group B, then you will need to list them in Security Group B itself.
In your case, this means you should add the external IP addresses to your Security Group sg-RDP.
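The behaviour described above, as an added example that is not part of the original answer: a simplified Python model of inbound rule evaluation, showing that a group reference matches on the sender's group membership and never pulls in the referenced group's own IP rules. The rule layout, the helper names and the private address 10.0.1.5 are constructed for illustration; this is not AWS code.

```python
import ipaddress

# Constructed model of the two groups from the question.
# Each inbound rule has a port (None = all TCP ports) and exactly one source:
# either a CIDR block or the ID of another security group.
GROUPS = {
    "sg-teamA": [{"port": None, "cidr": "54.22.33.44/32"}],  # "IPs of team A - all tcp"
    "sg-RDP": [{"port": 3389, "group": "sg-teamA"}],         # refers to sg-teamA
}


def rule_matches(rule, src_ip, src_groups, port):
    """True if one inbound rule permits this source on this port."""
    if rule["port"] is not None and rule["port"] != port:
        return False
    if "cidr" in rule:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    # Group reference: only the sender's own group membership is checked.
    # The inbound rules inside the referenced group are never consulted.
    return rule["group"] in src_groups


def allowed(groups, dst_group, src_ip, src_groups, port):
    """True if any inbound rule of dst_group permits the connection."""
    return any(rule_matches(r, src_ip, src_groups, port) for r in groups[dst_group])


def with_cidr(groups, group_id, cidr, port):
    """Return a copy of groups with a CIDR rule added directly to group_id."""
    updated = {g: list(rules) for g, rules in groups.items()}
    updated[group_id].append({"port": port, "cidr": cidr})
    return updated


if __name__ == "__main__":
    # External team member: listed in sg-teamA's rules, but not an EC2 instance
    # associated with sg-teamA, so the group reference does not match.
    print(allowed(GROUPS, "sg-RDP", "54.22.33.44", set(), 3389))
    # EC2 instance that has sg-teamA as one of its security groups.
    print(allowed(GROUPS, "sg-RDP", "10.0.1.5", {"sg-teamA"}, 3389))
    # The fix: list the external IP in sg-RDP itself.
    fixed = with_cidr(GROUPS, "sg-RDP", "54.22.33.44/32", 3389)
    print(allowed(fixed, "sg-RDP", "54.22.33.44", set(), 3389))
```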