AWS limits the amount of groups you can apply to a network interface: Security groups per network interface 5

A common approach is to create SGs such that it's easy to update your fleet of servers, but in a way that still makes sense for all the hosts they're applied to.

Consider these points

These factors will shape what you'll want to open up for your instance security groups.

• Use NACLs for course grain permissions
• Use SGs for more specific access
• Put your instances in a private subnet (this advice is for non-public facing instances. e.g where you've used an ELB to connect to your web instance)

A generic approach

Given all this, a common approach would be:

• All Instances get a common security group (this has rules you want applied for every instance)
• Each Instance has a role, like "web server" or "mail server" or "postgres db" and each role has an associated security group
• Your specific instance may have an additional security group for any customisations that aren't covered by the first two groups

Variations on the "common" SG:

• "common_linux OR common_windows"
• "common" AND "common_linux OR common_windows".