Security groups are an essential control for protecting resources and networks in the Amazon Web Services cloud. They are sets of rules that dictate which entities, identified by IP address and protocol, can communicate with your hosted networks and individual instances. A misconfigured rule can have near-fatal results, such as granting access from the entire internet. With open access, malicious attackers will certainly attempt to reach the resource, increasing the chances of compromise by a wide margin.
As a security best practice, permitting traffic from any internet host to any port is strongly discouraged. Rules configured this way expose every port and service on a host to every internet IP address. This can result in malicious actors scanning administrative ports such as SSH or RDP and attempting to brute-force their way in. Such rules can almost always be reconfigured to be much more restrictive while still allowing legitimate users to connect to your application.
An example any/any Security Group rule is shown below. Note the 'All' under 'Protocol' and 'Port Range': 'All' in these columns means the remote host can connect to ANY port or service on your VM. Note also the 'Source' column: '0.0.0.0/0' (IPv4) and '::/0' (IPv6) mean ANY IP address.
Instead, CUIT recommends opening traffic to ONLY the ports and IP ranges that your application requires. This may mean creating more complex rules, but it will result in greatly improved security. In the following example, the Security Group is configured to permit traffic from any IP address, but ONLY to ports 80 and 443, for web traffic. With this configuration, administrative ports like SSH and RDP are not open to the internet.
Leaving an any/any rule in place all but guarantees that an attacker will eventually gain illicit access. For help configuring a security group, please see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
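The following audit script is an added example, not CUIT's or AWS's own code. It walks a list of security groups in the shape returned by boto3's `ec2.describe_security_groups()` (a constructed sample is embedded, so it runs offline) and flags the any/any rule described above as CRITICAL, world-open ranges that include SSH or RDP as HIGH, and narrower world-open ports such as 80 and 443 as INFO for review.

```python
# Audits EC2 security group ingress rules for internet-wide exposure.
# Input shape matches boto3 ec2.describe_security_groups()["SecurityGroups"];
# the sample data at the bottom is constructed, not from a real account.
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # must never be open to the whole internet


def is_world_open(perm):
    """True if an ingress rule's source includes every IPv4 or IPv6 address."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))


def audit_security_groups(groups):
    """Return findings as (group_id, severity, description) tuples."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not is_world_open(perm):
                continue  # source restricted to specific CIDRs; not internet-wide
            if perm.get("IpProtocol") == "-1":  # 'All' protocol => all ports
                findings.append((sg["GroupId"], "CRITICAL",
                                 "any/any rule: all protocols and ports open to the internet"))
                continue
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [n for p, n in ADMIN_PORTS.items() if low <= p <= high]
            if exposed:
                findings.append((sg["GroupId"], "HIGH",
                                 f"ports {low}-{high} open to the internet, exposing {', '.join(exposed)}"))
            else:
                findings.append((sg["GroupId"], "INFO",
                                 f"ports {low}-{high} open to the internet; confirm this is intended"))
    return findings


# Constructed sample: an any/any group and a web-only group with SSH limited to one CIDR.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000000a", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}]},
    {"GroupId": "sg-0000000000000000b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "192.0.2.0/24"}]}]},
]

if __name__ == "__main__":
    for group_id, severity, text in audit_security_groups(SAMPLE_GROUPS):
        print(f"{severity:8} {group_id}: {text}")
```

To run it against a real account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`.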