From 2668a662f8de8dcc71c8d5aeda146a341930b0c0 Mon Sep 17 00:00:00 2001 From: Jaanus Torp Date: Fri, 14 Oct 2016 16:20:33 +0100 Subject: [PATCH] Added note about using Source Security Groups (#144) * Added note about using Source Security Groups * Updated based on suggestions --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2fac26f..22aa10d 100644 --- a/README.md +++ b/README.md @@ -1147,6 +1147,7 @@ VPCs, Network Security, and Security Groups - You expose a smaller surface area for attack compared to exposing separate (potentially authenticated) services over the public internet. - e.g. A bug in the YAML parser used by the Ruby on Rails admin site is much less serious when the admin site is only visible to the private network and accessed through VPN. - Another common pattern (especially as deployments get larger, security or regulatory requirements get more stringent, or team sizes increase) is to provide a [bastion host](https://www.pandastrike.com/posts/20141113-bastion-hosts) behind a VPN through which all SSH connections need to transit. +- đŸ”¹Consider using other security groups as sources for security group rules instead of using CIDRs — that way, all hosts in the source security group and only hosts in that security group are allowed access. This is a much more dynamic and secure way of managing security group rules. ### VPC and Network Security Gotchas and Limitations
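Review bot: The new bullet in the README.md hunk overstates the scope of security-group-sourced rules; "all hosts in the source security group and only hosts in that security group are allowed access" holds only for traffic that arrives from the private IP of a network interface attached to the referenced group, within the same VPC (or a peered VPC where AWS supports referencing the peer's groups). Traffic that reaches an instance via its public IP through the internet gateway, or via a NAT, does not carry the source ENI's private IP and will not match, so readers who mix public and private addressing will be surprised. Suggest adding a one-clause caveat such as "(this matches on the private IPs of instances in the referenced group, so it only applies to traffic within the VPC or a peered VPC)". The closing sentence "This is a much more dynamic and secure way of managing security group rules" would also read better as a concrete claim the reader can check, e.g. "membership follows the instance lifecycle, so you avoid stale or over-broad CIDR rules as hosts are launched and terminated", rather than an unqualified "more secure".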