I need to restrict access to the http(s) and pop/imap ports of an EC2 instance to a single country. It's a requirement from the security auditor. It will not prevent access via VPN, but at least the ports will not be directly open.
There are 2 questions here about the same topic: AWS EC2 Security Group SSH Access From USA Only,
AWS EC2 Security Group Web access from a single country?
The answers to both require adding the country's netblocks to a security group. I would like to know if anyone has implemented this in production.
Given the limit of 50 rules per security group and 5 security groups per instance, is it possible to add all the netblocks to the security groups?
Do the blocks change often? Do we need automation to check and update them daily?
Finally, is there a better solution using AWS-native features/services, maybe AWS Network Firewall?
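A way to size the rule-count question and to detect drift between daily snapshots, as an added example that is not part of the question or any answer on this page. It is plain Python with no AWS calls; the netblocks are constructed from documentation ranges rather than a real country's allocations, and the 50-rules-per-group and 5-groups-per-instance figures from the question are taken as parameters (the real quotas for an account are assumptions to verify). The `IpPermissions` shape matches what boto3's `authorize_security_group_ingress` accepts, but the script only builds it and prints it.

```python
"""Plan security-group rules that admit only a country's netblocks.

Added example, not code from the question or its answers. The CIDRs are
constructed sample data (documentation ranges), not real allocations, and
the quota figures are parameters taken from the question, not verified
account quotas.
"""
import ipaddress
from itertools import islice

# Constructed snapshots standing in for two daily pulls of a country's prefixes.
SNAPSHOT_DAY1 = [
    "203.0.113.0/24", "203.0.113.0/25",      # overlapping: the /25 sits inside the /24
    "198.51.100.0/25", "198.51.100.128/25",  # adjacent halves of one /24
    "192.0.2.0/24",
    "2001:db8::/32",
]
SNAPSHOT_DAY2 = [
    "203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/25",
    "198.18.0.0/15", "2001:db8::/32",
]

# One entry per port range: http(s) plus POP3/IMAP and their TLS ports.
PORT_RANGES = [(80, 80), (443, 443), (110, 110), (143, 143), (993, 993), (995, 995)]


def collapse(cidrs):
    """Merge overlapping and adjacent prefixes; fewer prefixes means fewer rules."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    merged = []
    for version in (4, 6):  # collapse_addresses requires a single address family
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return sorted(str(n) for n in merged)


def netblock_diff(old, new):
    """(added, removed) prefixes between two snapshots, after collapsing both."""
    o, n = set(collapse(old)), set(collapse(new))
    return sorted(n - o), sorted(o - n)


def expand_rules(cidrs, port_ranges):
    """One security-group rule per (port range, prefix): this is what the quota counts."""
    return [(lo, hi, c) for (lo, hi) in port_ranges for c in collapse(cidrs)]


def plan_groups(cidrs, port_ranges, rules_per_group=50, groups_per_instance=5):
    """Split the rules across groups; raise if they cannot fit on one instance."""
    rules = expand_rules(cidrs, port_ranges)
    capacity = rules_per_group * groups_per_instance
    if len(rules) > capacity:
        raise ValueError(f"{len(rules)} rules exceed the capacity of {capacity}")
    it = iter(rules)
    groups = []
    while chunk := list(islice(it, rules_per_group)):
        groups.append(chunk)
    return groups


def to_ip_permissions(rules):
    """Render one group's rules as the IpPermissions list used by boto3's
    authorize_security_group_ingress, one entry per port range."""
    perms = {}
    for lo, hi, cidr in rules:
        p = perms.setdefault((lo, hi), {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
                                        "IpRanges": [], "Ipv6Ranges": []})
        if ":" in cidr:
            p["Ipv6Ranges"].append({"CidrIpv6": cidr})
        else:
            p["IpRanges"].append({"CidrIp": cidr})
    # Drop empty range lists so the payload only carries what it uses.
    return [{k: v for k, v in p.items() if v != []} for p in perms.values()]


if __name__ == "__main__":
    groups = plan_groups(SNAPSHOT_DAY1, PORT_RANGES)
    print(f"{len(groups)} group(s); first group holds {len(groups[0])} rules")
    print(to_ip_permissions(groups[0])[0])
    print("added/removed since day 1:", netblock_diff(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```

With the sample data the six port ranges times four collapsed prefixes give 24 rules, which fits in one group; a real country list is usually hundreds to thousands of prefixes, so running `plan_groups` against the actual list is the quickest way to see whether the security-group approach fits at all. `netblock_diff` run against yesterday's snapshot is what a daily job would act on.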