diff --git a/services/terraform/self-host/aws_lb.tf b/services/terraform/self-host/aws_lb.tf
--- a/services/terraform/self-host/aws_lb.tf
+++ b/services/terraform/self-host/aws_lb.tf
@@ -78,7 +78,6 @@
   }
 }
 
-
 data "aws_acm_certificate" "keyserver_service" {
   domain   = var.keyserver_domain_name
   statuses = ["ISSUED"]
diff --git a/services/terraform/self-host/landing.tf b/services/terraform/self-host/landing.tf
--- a/services/terraform/self-host/landing.tf
+++ b/services/terraform/self-host/landing.tf
@@ -139,7 +139,7 @@
 resource "aws_lb" "landing_service" {
   load_balancer_type = "application"
   name               = "landing-service-lb"
-  security_groups    = [aws_security_group.lb_sg.id]
+  security_groups    = [aws_security_group.landing_lb_sg.id]
 
   internal = false
   subnets  = local.vpc_subnets
@@ -163,6 +163,26 @@
   }
 }
 
+resource "aws_security_group" "landing_lb_sg" {
+  name        = "landing-lb-sg"
+  description = "Security group for keyserver load balancer"
+  vpc_id      = local.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
 data "aws_acm_certificate" "landing_service" {
   domain   = var.landing_domain_name
   statuses = ["ISSUED"]
diff --git a/services/terraform/self-host/webapp.tf b/services/terraform/self-host/webapp.tf
--- a/services/terraform/self-host/webapp.tf
+++ b/services/terraform/self-host/webapp.tf
@@ -139,7 +139,7 @@
 resource "aws_lb" "webapp_service" {
   load_balancer_type = "application"
   name               = "webapp-service-lb"
-  security_groups    = [aws_security_group.lb_sg.id]
+  security_groups    = [aws_security_group.webapp_lb_sg.id]
 
   internal = false
   subnets  = local.vpc_subnets
@@ -163,6 +163,26 @@
   }
 }
 
+resource "aws_security_group" "webapp_lb_sg" {
+  name        = "web-lb-sg"
+  description = "Security group for keyserver load balancer"
+  vpc_id      = local.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
 data "aws_acm_certificate" "webapp_service" {
   domain   = var.webapp_domain_name
   statuses = ["ISSUED"]