Security Groups
Learn how to secure EC2 instances using security groups' inbound and outbound rules.
Security is an important aspect of the cloud; we must ensure that all our resources are secure and protected. AWS offers different services to protect different resources in the cloud, and one of the most basic of these is the security group. In this lesson, we will review security groups and learn about their rules and best practices. A security group acts like a firewall for the resources associated with it: it controls the inbound and outbound traffic of each associated resource.
Security groups protect EC2 instances from unwanted requests. Whenever we launch an instance, we must specify a security group for it. If no security group is selected, EC2 uses the default security group of the VPC, which allows all outbound traffic and only allows inbound requests from resources within the same security group.
Let’s look deeper at security group rules and how to use them to secure our EC2 instances.
Security group rules
Security group rules control inbound and outbound traffic to and from the resource. They filter traffic by protocol, port number, and IP address range. Security group rules are always permissive, which means no port or protocol can be explicitly denied; traffic that no rule allows is simply dropped. The following two kinds of rules control the incoming and outgoing traffic:
Inbound rules
Inbound rules are used to define incoming traffic to the associated resources.
By default, all inbound traffic is denied.
When multiple inbound rules apply to a traffic type, the rule that most closely matches the IP range, port, and protocol takes precedence.
For example, rules for the common ports SSH (22) for secure remote access, HTTP (80) for web browsing, and FTP (20, 21) for file transfer can allow traffic from any IPv4 address (0.0.0.0/0).
Outbound rules
Outbound rules define the outgoing traffic from the associated resource to the internet.
All outgoing traffic from the associated resource is allowed by default.
When multiple outbound rules apply to a traffic type, the rule that most closely matches the IP range, port, and protocol takes precedence.
When launching an EC2 instance, we can attach an existing security group or create a new one. We can also modify an existing security group by adding new rules or removing some rules. Multiple security groups can be attached to one EC2 instance; the rules of all attached groups are logically aggregated into a single effective rule set, so traffic is evaluated against every group at once.
We can also allow inbound traffic to a resource from resources associated with specified security groups rather than from IP ranges; this makes it easier to secure the resource precisely.
It is important to note that security groups are stateful—if a request is initiated through an instance, the response traffic of that request is allowed regardless of the inbound rules.
Security group best practices
Least privilege principle: Adhere to the principle of least privilege, only allowing necessary traffic to and from instances.
No deny rule: There is no explicit “deny” rule. If traffic is not explicitly allowed by a rule, it is denied by default.
Separation of duties: Use different security groups for different purposes (e.g., web servers, database servers) to enhance security and management.
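To make the rule semantics above concrete (allow-only rules, default-deny inbound, aggregation across attached groups, stateful replies, rules that reference another security group) and to illustrate the least-privilege check, here is an added example that is not part of the lesson or of any AWS code. It models rule evaluation in plain Python; the group ids, rules, and addresses are constructed placeholders.

```python
# Constructed model of how EC2 security group rules are evaluated (not AWS code):
# allow-only rules, default-deny inbound, aggregation, stateful replies, group sources.
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # a CIDR ("10.0.0.0/16", "0.0.0.0/0") or a group id ("sg-...")

    def matches(self, protocol, port, peer_ip, peer_groups=()):
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        if self.source.startswith("sg-"):   # rule allows traffic from members of a group
            return self.source in peer_groups
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.source)

@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)    # no rules: all inbound denied
    outbound: list = field(default_factory=list)

def inbound_allowed(groups, protocol, port, peer_ip, peer_groups=()):
    # Rules of every attached group are aggregated; one matching allow rule is
    # enough, and with no match the packet is dropped (there are no deny rules).
    return any(r.matches(protocol, port, peer_ip, peer_groups)
               for g in groups for r in g.inbound)

def outbound_allowed(groups, protocol, port, peer_ip, peer_groups=()):
    return any(r.matches(protocol, port, peer_ip, peer_groups) for g in groups for r in g.outbound)

def reply_allowed(groups, protocol, port, peer_ip, initiated_by_instance):
    # Stateful: the reply to a connection the instance opened is admitted even
    # when no inbound rule matches it.
    return initiated_by_instance or inbound_allowed(groups, protocol, port, peer_ip)

def exposed_admin_ports(group, admin_ports=(22, 3389)):
    # Least-privilege check: inbound rules opening admin ports to any address.
    return [r for r in group.inbound if r.source in ("0.0.0.0/0", "::/0") and
            (r.protocol == "-1" or any(r.from_port <= p <= r.to_port for p in admin_ports))]
# Constructed sample groups; ids are placeholders, not real AWS resources.
WEB = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 22, 22, "0.0.0.0/0")],
                    [Rule("-1", 0, 65535, "0.0.0.0/0")])   # default allow-all outbound
DB = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, "sg-web")], [Rule("-1", 0, 65535, "0.0.0.0/0")])
```

Running `exposed_admin_ports(WEB)` flags the SSH rule open to 0.0.0.0/0, while the database group admits port 3306 only from instances that carry sg-web, regardless of their IP address.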