A security group is a stateful firewall that controls what traffic can enter and leave an AWS resource, such as an EC2 instance. While Network Access Control Lists (NACLs) operate at the subnet level, security groups are associated with AWS resources, such as EC2 instances, and provide security at the instance level.

A security group filters resource access based on the rules, which can be configured for both inbound and outbound traffic. Within a security group, we can only specify allow rules; there can be no explicit deny rules to block traffic. We can deny access implicitly by not specifying an allow rule.

Default security group

When we create an Amazon VPC, it comes with a default security group that has an inbound rule referencing the same security group using its ID, allowing inbound traffic from resources using the same security group and an outbound rule that allows all traffic to the public internet.

We can add or remove rules from the default security group but can’t delete it.

The default security group inbound rules are shown in the following table:

Get hands-on with 1200+ tech skills courses.