amazon-web-services aws-cli aws-security-group

AWS EC2 deny http/https access to specific IPs via CLI


Periodic review of ssl_access https logs reveals more than a few pesky vulnerability probers out there. I wish to specifically block these inbound IPs in a programmatic way, e.g. aws ec2 authorize-security-group-ingress or similar. There is plenty of material describing how to restrict access to a few known IPs but I cannot seem to find anything that describes permitting all except a handful (perhaps a dozen or so).


Solution

  • You can't do that with security groups. Your options are: