We all know that no ports should be open to the internet for development purposes, but for convenience it's common to find a security group with port 22 (SSH) open to 0.0.0.0/0. Even narrower ingress rules can create backdoors.
Here we'll show you how to create an auto-updating security group that adds your active WAN IP address when you connect. This way, only your active IP is authorized.
Create the "development" security group with no ingress
aws ec2 create-security-group --group-name=development --description="ssh access for my dev machine"
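One way to do the update step described in the introduction, as an added example rather than the original author's script: it replaces whatever port-22 CIDRs are on the group with the current WAN IP as a /32. The function names, the `--apply` switch and the use of `https://checkip.amazonaws.com` are assumptions, and the group is referenced by name, so it is assumed to live in the default VPC.

```sh
#!/bin/sh
# Added example: keep exactly one SSH ingress CIDR (<current WAN IP>/32) on the group.
GROUP_NAME="development"                   # group created in the step above
IP_SOURCE="https://checkip.amazonaws.com"  # assumption: service used to learn the WAN IP

# Print "<ip>/32" only if the argument is a well-formed dotted-quad IPv4 address.
to_cidr() (
  ip="$1"
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.
  set -- $ip
  [ "$#" -eq 4 ] || exit 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
  printf '%s/32\n' "$ip"
)

# Args: wanted CIDR, then the CIDRs currently allowed. Prints one action per line.
plan_changes() (
  want="$1"; shift
  found=0
  for have in "$@"; do
    if [ "$have" = "$want" ]; then found=1; else printf 'revoke %s\n' "$have"; fi
  done
  [ "$found" -eq 1 ] || printf 'authorize %s\n' "$want"
)

# Look up the WAN IP, read the group's tcp/22 CIDRs, and apply the plan.
sync_group() {
  cidr="$(to_cidr "$(curl -fsS "$IP_SOURCE")")" || { echo "no valid WAN IP" >&2; return 1; }
  current="$(aws ec2 describe-security-groups --group-names "$GROUP_NAME" --output text \
    --query 'SecurityGroups[0].IpPermissions[?IpProtocol==`tcp` && FromPort==`22` && ToPort==`22`].IpRanges[].CidrIp')" || return 1
  # $current is left unquoted on purpose: text output is whitespace-separated CIDRs.
  plan_changes "$cidr" $current | while read -r action target; do
    case "$action" in
      revoke)    aws ec2 revoke-security-group-ingress --group-name "$GROUP_NAME" \
                   --protocol tcp --port 22 --cidr "$target" ;;
      authorize) aws ec2 authorize-security-group-ingress --group-name "$GROUP_NAME" \
                   --protocol tcp --port 22 --cidr "$target" ;;
    esac
  done
}

# Touch AWS only when asked, e.g. from a wrapper run before ssh: ./sync-sg.sh --apply
if [ "${1:-}" = "--apply" ]; then sync_group; fi
```

Stale entries, including a leftover 0.0.0.0/0, are revoked in the same run that authorizes the new address, so the group never accumulates old IPs.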