Odd question here. I'm doing some work to remove unused security groups in many AWS accounts. There is a Security Hub rule EC2.22 Unused EC2 security groups should be removed that identifies "unused" security groups. For the most part this tells me what I need, but there are some security groups that are identified by this rule that I don't want to delete. These are security groups that are not currently in use, but which are part of a configuration definition of some sort that could be used to launch resources in the future. So while not technically used at present, they might become used when the underlying configuration is used to launch resources.
For example, a security group may show as "unused" by Security Group rule EC2.22 even though it is referenced in any of the following situations:
In those latent cases, I don't want to remove the security group--I want to treat it as "used" instead of "unused." I am characterizing these situations as "latent security group configurations."
What other latent configurations, if any, might reference a security group?
Note, I am not asking about any of the real-time usage situations that EC2.22 checks--such as a security group used by an EC2 instance, by a running ECS service, by a lambda, by another security group, by an RDS DB, and so on which will block a security group from being deleted.
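One practical way to separate "latent" from "truly unused" is to diff the EC2.22 finding list against the security-group IDs referenced by launch definitions that exist only to create resources later. The script below is an added example, not code from the original post or from AWS: it checks two such definitions that I know can name a security group, EC2 launch template versions (`SecurityGroupIds` and per-interface `Groups`) and Auto Scaling launch configurations (`SecurityGroups`); treating those two as the latent sources is an assumption, and other configuration types are not covered. The sample responses and security-group IDs are constructed so the classification runs offline; `fetch_latent_definitions` is the optional boto3 path for live accounts.

```python
"""Added example: split the security groups that Security Hub control EC2.22 reports
as "unused" into those still referenced by latent launch definitions (keep) and
those with no reference at all (deletion candidates).
Assumption: latent references come from EC2 launch template versions and Auto
Scaling launch configurations; other definition types are out of scope here."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data, shaped like the relevant fields of the real
# ec2.describe_launch_template_versions() and
# autoscaling.describe_launch_configurations() responses.
SAMPLE_LAUNCH_TEMPLATE_VERSIONS = [
    {
        "LaunchTemplateName": "web-tier",
        "VersionNumber": 3,
        "LaunchTemplateData": {
            "SecurityGroupIds": ["sg-0aaa111"],
            "NetworkInterfaces": [{"DeviceIndex": 0, "Groups": ["sg-0bbb222"]}],
        },
    },
    {
        "LaunchTemplateName": "batch",
        "VersionNumber": 1,
        "LaunchTemplateData": {"SecurityGroupIds": ["sg-0ccc333"]},
    },
]
SAMPLE_LAUNCH_CONFIGURATIONS = [
    {"LaunchConfigurationName": "legacy-asg-lc",
     "SecurityGroups": ["sg-0ddd444", "sg-0aaa111"]},
]


def security_groups_in_template_data(data: dict) -> Set[str]:
    """Collect every SG ID a launch template version would attach at launch time,
    both instance-level SecurityGroupIds and per-network-interface Groups."""
    groups = set(data.get("SecurityGroupIds", []))
    for nic in data.get("NetworkInterfaces", []):
        groups.update(nic.get("Groups", []))
    return groups


def latent_references(template_versions: Iterable[dict],
                      launch_configs: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each SG ID to the launch definitions that reference it."""
    refs: Dict[str, List[str]] = {}
    for v in template_versions:
        label = f"launch-template:{v['LaunchTemplateName']}/v{v['VersionNumber']}"
        for sg in security_groups_in_template_data(v.get("LaunchTemplateData", {})):
            refs.setdefault(sg, []).append(label)
    for lc in launch_configs:
        label = f"launch-configuration:{lc['LaunchConfigurationName']}"
        for sg in lc.get("SecurityGroups", []):
            refs.setdefault(sg, []).append(label)
    return refs


def classify_unused(unused_sg_ids: Iterable[str],
                    refs: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split EC2.22's 'unused' set: latent (referenced, keep) vs truly unused."""
    unused = list(dict.fromkeys(unused_sg_ids))  # de-duplicate, keep order
    latent = {sg: sorted(refs[sg]) for sg in unused if sg in refs}
    truly_unused = sorted(sg for sg in unused if sg not in refs)
    return latent, truly_unused


def fetch_latent_definitions(session=None) -> Tuple[List[dict], List[dict]]:
    """Live variant: pull every launch template version and launch configuration
    with boto3. Imported lazily so the offline sample run needs no AWS SDK."""
    import boto3
    session = session or boto3.Session()
    ec2, asg = session.client("ec2"), session.client("autoscaling")
    versions: List[dict] = []
    for page in ec2.get_paginator("describe_launch_templates").paginate():
        for lt in page["LaunchTemplates"]:
            # All versions, not just $Latest: an ASG may pin an older version.
            for vpage in ec2.get_paginator("describe_launch_template_versions").paginate(
                    LaunchTemplateId=lt["LaunchTemplateId"]):
                versions.extend(vpage["LaunchTemplateVersions"])
    configs: List[dict] = []
    for page in asg.get_paginator("describe_launch_configurations").paginate():
        configs.extend(page["LaunchConfigurations"])
    return versions, configs


if __name__ == "__main__":
    # Constructed stand-in for the SG IDs an EC2.22 finding export would list.
    unused_from_ec2_22 = ["sg-0aaa111", "sg-0bbb222", "sg-0ddd444", "sg-0eee555"]
    refs = latent_references(SAMPLE_LAUNCH_TEMPLATE_VERSIONS, SAMPLE_LAUNCH_CONFIGURATIONS)
    keep, delete = classify_unused(unused_from_ec2_22, refs)
    for sg, where in keep.items():
        print(f"KEEP   {sg}: referenced by {', '.join(where)}")
    print("DELETE candidates:", delete)
```

The classification deliberately keys off the full version history of each launch template rather than only `$Latest`, because an Auto Scaling group or a one-off launch can pin an older version that still names the group. For a live account, swap the sample lists for the tuple returned by `fetch_latent_definitions()`.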
RETIRED FROM SPECIFIC STANDARDS – Security Hub removed this control on September 20, 2023 from the AWS Foundational Security Best Practices standard and the NIST SP 800-53 Rev. 5. This control is still part of Service-Managed Standard: AWS Control Tower. This control produces a passed finding if security groups are attached to EC2 instances or to an elastic network interface. However, for certain use cases, unattached security groups don't pose a security risk. You can use other EC2 controls—such as EC2.2, EC2.13, EC2.14, EC2.18, and EC2.19—to monitor your security groups.
I suspect AWS retired this precisely due to the same situation I asked about. Apparently they also discovered the same sorts of cases I was investigating. I assume the ones I listed in the question are the main ones to consider.