
The defence in depth concept makes sense. The good news is that if I understand correctly, security groups fail closed - so that makes things a little safer.

Just spoke to an AWS Architect, and the points made were similar - more secure default state, less chance of screwing up - ham-fisted attempts at security groups can open things up too much, private subnets are tough to expose unintentionally, adding multiple security groups makes the rules less restrictive, possibly in unintended ways, etc.
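
Added example, not part of the comment above: a small Python model of the two properties it mentions, that security groups are allow-only (no matching rule means deny) and that rules from every attached group are unioned. The group names, CIDRs and probe list are constructed for illustration, and the model ignores egress and network ACLs.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    proto: str      # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str       # allowed source range


def allowed(groups, proto, port, src):
    """True if ANY ingress rule in ANY attached group matches.

    There are no deny rules, so attaching a group can only add access.
    """
    ip = ipaddress.ip_address(src)
    return any(
        r.proto == proto
        and r.from_port <= port <= r.to_port
        and ip in ipaddress.ip_network(r.cidr)
        for rules in groups.values()
        for r in rules
    )


def newly_exposed(before, after, probes):
    """Probes denied with `before` attached but allowed with `after`."""
    return [p for p in probes if not allowed(before, *p) and allowed(after, *p)]


# Constructed sample groups (hypothetical names, documentation IP ranges).
WEB = {"sg-web": [Rule("tcp", 443, 443, "0.0.0.0/0")]}
ADMIN = {"sg-admin": [Rule("tcp", 22, 22, "10.0.0.0/8")]}
LEGACY = {"sg-legacy": [Rule("tcp", 0, 65535, "0.0.0.0/0")]}

# Constructed (proto, port, source) probes to evaluate before and after a change.
PROBES = [
    ("tcp", 443, "203.0.113.7"),
    ("tcp", 22, "203.0.113.7"),
    ("tcp", 22, "10.1.2.3"),
    ("tcp", 5432, "203.0.113.7"),
]

if __name__ == "__main__":
    tight = {**WEB, **ADMIN}
    loose = {**tight, **LEGACY}
    for probe in newly_exposed(tight, loose, PROBES):
        print("newly reachable after attaching sg-legacy:", probe)
```

Running the same diff before attaching an extra group to an instance shows exactly which flows the change would open.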



