Accidentally discovered that EC2 security groups do not terminate an open connection (such as SSH) when the security group rules or the instance's group membership change. New connections are blocked, but connections that are already established are not torn down (security groups are stateful: a flow that was allowed when it was set up stays tracked and keeps flowing).

See for yourself:

  • Create an EC2 instance and give it a security group.
  • Add an ingress rule on port 22.
  • SSH into it.
  • Change the security group: remove the instance from that group altogether, or just change the ingress rule.
  • Observe how the SSH connection remains open.
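
As an added example (not from the original post), the reproduction above scripted with the AWS CLI: it keeps one SSH session open through a ControlMaster socket, revokes the port-22 rule, and checks whether that session survives. The security group id, host and socket path are hypothetical placeholders, and the `ss` sample used to check the parsing helper is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the observation
# with the AWS CLI. Keep one SSH session open via a ControlMaster socket,
# revoke the port-22 rule, then check whether that session is still alive.
# SG_ID, HOST and CTL are hypothetical placeholders; set your own.
SG_ID="${SG_ID:-sg-0123456789abcdef0}"
HOST="${HOST:-ec2-user@203.0.113.10}"
CTL="${CTL:-/tmp/sg-test-ctl}"

allow_ssh()  { aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 22 --cidr "$1/32"; }
revoke_ssh() { aws ec2 revoke-security-group-ingress    --group-id "$SG_ID" --protocol tcp --port 22 --cidr "$1/32"; }

# Ask the ControlMaster whether the multiplexed session is still up.
session_alive() { ssh -S "$CTL" -O check "$HOST" >/dev/null 2>&1; }

# Count established sshd sessions in `ss -Htn` output (columns:
# State Recv-Q Send-Q Local:Port Peer:Port). Pure text processing, so it
# can be checked offline against the constructed sample below.
count_established_ssh() {
  printf '%s\n' "$1" | awk '$1 == "ESTAB" && $4 ~ /:22$/ { n++ } END { print n + 0 }'
}

# Constructed sample: two live SSH sessions, one TIME-WAIT, one HTTPS flow.
SAMPLE_SS='ESTAB 0 0 10.0.1.5:22 203.0.113.7:51234
ESTAB 0 0 10.0.1.5:22 198.51.100.9:40022
TIME-WAIT 0 0 10.0.1.5:22 203.0.113.7:51100
ESTAB 0 0 10.0.1.5:443 198.51.100.9:40100'

main() {
  my_ip="$(curl -sf https://checkip.amazonaws.com)"
  allow_ssh "$my_ip"
  ssh -M -S "$CTL" -fN "$HOST"                 # background master session
  session_alive && echo "before revoke: session open"
  revoke_ssh "$my_ip"
  sleep 60                                     # give the change time to apply
  if session_alive; then
    n="$(count_established_ssh "$(ssh -S "$CTL" "$HOST" ss -Htn)")"
    echo "after revoke: session still open; instance sees $n established sshd session(s)"
  else
    echo "after revoke: session was cut"
  fi
  ssh -S "$CTL" -O exit "$HOST" >/dev/null 2>&1 || true
}

# Only run against AWS when explicitly asked (RUN_AWS=1); the helpers above
# can be sourced and tested without any cloud access.
if [ "${RUN_AWS:-0}" = 1 ]; then main; fi
```

Run it with `RUN_AWS=1` from a machine whose public IP is the one the rule is written for; the instance-side `ss` count confirms sshd still holds the session after the rule is gone.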

Tested this for N hours and the SSH connection did not get terminated. So if someone is in your boxen, you can't kick them out that way; an active session has to be dropped on the host itself (kill the session, or stop the instance).

Heed the warning and plan accordingly.


update 2017-11:

Apparently Azure NSGs have the same flaw. Not even surprised.
