
Understand and Configure Security Groups

Explore the fundamentals of AWS security groups and their role as stateful firewalls controlling inbound and outbound traffic for resources like EC2 instances. Learn to create custom security groups, configure rules for traffic control, and manage security group lifecycle. This lesson helps you understand how to enhance your AWS VPC security by effectively managing access and communication.

Introduction

A security group is a stateful firewall that controls what traffic can enter and leave an AWS resource, such as an EC2 instance. While Network Access Control Lists (NACLs) operate at the subnet level, security groups are associated with individual AWS resources, such as EC2 instances, and provide security at the instance level.

A security group filters resource access based on its rules, which can be configured for both inbound and outbound traffic. Within a security group, we can only specify allow rules; there are no explicit deny rules to block traffic. Traffic is denied implicitly whenever no allow rule matches it.

Default security group

When we create an Amazon VPC, it comes with a default security group. This group has one inbound rule that references the security group itself by its ID, allowing inbound traffic from any resource associated with the same security group, and one outbound rule that allows all traffic to any destination (the public internet included).

We can add or remove rules from the default security group but can’t delete it.

The default security group inbound rules are shown in the following table:

Default SG Inbound Rules

Protocol   Port range   Source
All        All          default-sg-id


The default security group outbound rules are shown in the following table. The rule corresponding to the IPv6 destination CIDR ::/0 is only added if the VPC has an IPv6 CIDR block.

Default SG Outbound Rules

Protocol   Port range   Destination
All        All          0.0.0.0/0
All        All          ::/0
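To make the semantics above concrete, here is an added toy model (not AWS code) of how a security group evaluates a packet: allow-only rules with implicit deny, stateful return traffic, and the default group's self-referencing inbound rule. Security group IDs, addresses and ports used with it are constructed sample values.

```python
"""Toy model of security-group evaluation as described in this lesson (added
example, not AWS code): allow-only rules, implicit deny, stateful replies."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    protocol: str                 # "tcp", "udp", "icmp" or "all"
    ports: tuple = (0, 65535)     # inclusive (from_port, to_port); default = all
    cidr: str = None              # IPv4/IPv6 CIDR the peer must fall in, or ...
    sg_id: str = None             # ... a security group the peer must carry

@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)   # connection-tracking table

def default_security_group(sg_id, ipv6=False):
    """The default SG from the tables above: inbound from itself, all outbound."""
    sg = SecurityGroup(sg_id)
    sg.inbound.append(Rule("all", sg_id=sg_id))          # self-reference by ID
    sg.outbound.append(Rule("all", cidr="0.0.0.0/0"))
    if ipv6:  # the ::/0 rule only exists when the VPC has an IPv6 CIDR block
        sg.outbound.append(Rule("all", cidr="::/0"))
    return sg

def rule_matches(rule, protocol, port, peer_ip, peer_sgs):
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.sg_id is not None:   # SG reference: peer must be a member of that SG
        return rule.sg_id in peer_sgs
    return ip_address(peer_ip) in ip_network(rule.cidr)  # v4/v6 mismatch -> False

def allowed(sg, direction, protocol, local_port, peer_ip, peer_port, peer_sgs=()):
    """Only allow rules exist, so no match means deny. A flow that was allowed
    once is tracked, and its return traffic passes without any rule check."""
    flow = (protocol, peer_ip, peer_port, local_port)
    if flow in sg.tracked:
        return True
    rules = sg.inbound if direction == "inbound" else sg.outbound
    port = local_port if direction == "inbound" else peer_port
    if any(rule_matches(r, protocol, port, peer_ip, peer_sgs) for r in rules):
        sg.tracked.add(flow)
        return True
    return False
```

With the default group, SSH from a peer carrying the same group ID is allowed, the same packet from a peer without it is implicitly denied, and the reply to an outbound HTTPS request is admitted statefully even though no inbound CIDR rule exists.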

Security group rules

The following are the main elements of a security ...