Feature Request
Resolution: Done
Blocker
1. Proposed title of this feature request? Minimal Default Security Group
2. What is the nature and description of the request? Improve network security for new clusters to achieve operational excellence on ROSA HCP.
- Provide separate Security Groups for the ENIs used by PrivateLink and for the ENIs used by worker nodes
- Include only the ingress rules necessary for each ENI's type
- Do not use the same SG on all worker nodes (i.e., assume customers dedicate nodes to Ingress/LB)
3. Why does the customer need this? (List the business requirements here)
In public cloud, overly permissive network configurations are a non-starter. Refer to the cases linked from XCMSTRAT.
AWS has a Well-Architected Framework that describes network configuration best practices. Our customers, cloud practitioners, are responsible for architecting their application platform. A default cluster installation that exposes unwanted ports or sources does not pass their qualifying criteria.
Finally, administrators or SREs cannot change these to match best practices, because the Security Groups are managed by Operators, which either reconcile the change away or mark the cluster degraded.
4. List any affected packages or components.
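To make the policy in item 2 concrete and checkable, the following is an added example (not code from this ticket, ROSA, or any OpenShift operator) that audits a cluster's ENI-to-SG attachments and SG ingress rules for the two properties requested: no Security Group shared across ENI types, and no world-open rule outside the SGs that are meant to be internet-facing. All data is constructed; the `Role` field stands in for whatever tag an operator would use to mark an ENI's purpose, and the port numbers in the "after" layout are illustrative assumptions, not ROSA's actual requirements.

```python
"""Audit EC2 security groups against a per-ENI-type, least-privilege policy.

Constructed example. The records below imitate the shape of
`aws ec2 describe-network-interfaces` / `describe-security-groups` output
but are made-up sample data, not captured from a real cluster.
"""
from collections import defaultdict

WORLD = {"0.0.0.0/0", "::/0"}

# "Before": every ENI type carries one shared SG that opens everything.
# "Role" is an assumed tag name used only for this illustration.
BEFORE_ENIS = [
    {"NetworkInterfaceId": "eni-0a", "Role": "privatelink", "Groups": ["sg-default"]},
    {"NetworkInterfaceId": "eni-0b", "Role": "worker", "Groups": ["sg-default"]},
    {"NetworkInterfaceId": "eni-0c", "Role": "worker-ingress", "Groups": ["sg-default"]},
]
BEFORE_SGS = {
    "sg-default": [
        # all protocols from anywhere: over-exposes every ENI that carries it
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "Sources": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Sources": ["0.0.0.0/0"]},
    ],
}

# "After": one SG per ENI type; sources are a VPC CIDR or another SG id.
# Ports are assumptions made for the example, not ROSA's real requirements.
AFTER_ENIS = [
    {"NetworkInterfaceId": "eni-0a", "Role": "privatelink", "Groups": ["sg-privatelink"]},
    {"NetworkInterfaceId": "eni-0b", "Role": "worker", "Groups": ["sg-worker"]},
    {"NetworkInterfaceId": "eni-0c", "Role": "worker-ingress", "Groups": ["sg-ingress"]},
]
AFTER_SGS = {
    "sg-privatelink": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Sources": ["10.0.0.0/16"]},
    ],
    "sg-worker": [
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "Sources": ["sg-worker"]},
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "Sources": ["sg-ingress"]},
    ],
    "sg-ingress": [
        # the only world-open rule, on the SG dedicated to Ingress/LB nodes
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Sources": ["0.0.0.0/0"]},
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "Sources": ["sg-worker"]},
    ],
}


def groups_shared_across_roles(enis):
    """Return {sg_id: [roles]} for every SG attached to ENIs of more than one role."""
    roles_by_sg = defaultdict(set)
    for eni in enis:
        for sg_id in eni["Groups"]:
            roles_by_sg[sg_id].add(eni["Role"])
    return {sg: sorted(roles) for sg, roles in roles_by_sg.items() if len(roles) > 1}


def world_open_rules(sgs, internet_facing=frozenset()):
    """Return (sg_id, protocol, from_port, to_port) for each rule reachable from
    the whole internet, except single-protocol rules on SGs explicitly marked
    internet-facing. An all-protocol ("-1") rule from the world is always flagged."""
    findings = []
    for sg_id, rules in sgs.items():
        for rule in rules:
            if not WORLD & set(rule["Sources"]):
                continue
            all_traffic = rule["IpProtocol"] == "-1"
            if all_traffic or sg_id not in internet_facing:
                findings.append((sg_id, rule["IpProtocol"], rule["FromPort"], rule["ToPort"]))
    return findings


def audit(enis, sgs, internet_facing=frozenset()):
    """Run both checks; an empty result means the layout satisfies the policy."""
    return {
        "shared": groups_shared_across_roles(enis),
        "world_open": world_open_rules(sgs, internet_facing),
    }


if __name__ == "__main__":
    print("before:", audit(BEFORE_ENIS, BEFORE_SGS))
    print("after: ", audit(AFTER_ENIS, AFTER_SGS, internet_facing={"sg-ingress"}))
```

The same two functions work on real `describe-network-interfaces` and `describe-security-groups` JSON once the `Groups` list and the CIDR/`UserIdGroupPairs` sources are flattened into the shape used here; the `internet_facing` set is where an operator records which SGs are deliberately exposed, so that a public 443 on the Ingress/LB nodes passes while the same rule on PrivateLink or plain worker ENIs is reported.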