AWS: Securing ECS Services with ALB & Custom Security Groups

TUSHAR PATOLE — Tue, 08 Jul 2025 13:20:04 +0000

This is my first post on Dev.to, and I'm excited to share a project I recently worked on that had a real impact on our cloud infrastructure's security.

he Problem
When I joined the team, I noticed that the previous DevOps engineer had configured a shared security group with all ports (0–65535) open — applied across both production and development resources.

This was a huge security risk. Anyone could potentially access our services without restrictions, including databases, internal APIs, and ECS containers.

So I decided to redesign the network access architecture, implementing proper environment segregation and least-privilege access rules.

✅ What I Did
I created separate ALBs and dedicated security groups for each environment:

Security Group Environment Purpose
DEV-ALB-SG Development For Dev ALB — handles traffic to dev ECS apps
DEV-ECS-SG Development ECS tasks like shypbuddy-admin-dev, -seller-dev
PROD-ALB-SG Production For Prod ALB — exposes only required ports
PROD-ECS-SG Production ECS tasks in Prod — only allows ALB traffic

🔐 Why This Matters
Prevents unauthorized access
Reduces the attack surface
Helps with auditability and resource isolation
Builds a scalable and secure ECS architecture
Never trust existing security rules blindly
Apply strict, scoped access between services
Review and tag your AWS resources for better visibility

Have you encountered similar security issues with open ports or misconfigured SGs?
Comment below — I’d love to hear how you handled them or any feedback on my approach.

DEV Community: TUSHAR PATOLE

AWS: Securing ECS Services with ALB & Custom Security Groups