Labs ICT
Pro Login

Security Groups

What are Security Groups?

Security groups are virtual firewalls that control inbound and outbound traffic for your EC2 instances and other resources. Think of them as bouncers at a club — they check every person (packet) and only let in those on the guest list.

Every instance must have at least one security group. You can assign multiple security groups to an instance, and the rules are additive. If one security group allows SSH and another allows HTTP, the instance accepts both.

Inbound vs Outbound Rules

Inbound rules control what traffic can reach your instance from outside. By default, all inbound traffic is denied. You explicitly open the ports you need.

Outbound rules control what traffic your instance can send out. By default, all outbound traffic is allowed. You rarely need to restrict outbound traffic unless you have strict compliance requirements.

Common Security Group Rules

For a web server, you'd typically open three ports:

aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 22 --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 80 --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 443 --cidr 0.0.0.0/0

Port 22 for SSH, 80 for HTTP, and 443 for HTTPS. The CIDR 0.0.0.0/0 means "from anywhere." For SSH, consider restricting to your IP address for better security.

Security Group Best Practices

Follow the principle of least privilege — open only the ports you need. If your app only needs HTTP, don't open SSH. If SSH is needed, restrict it to your IP range instead of the entire internet.

Use separate security groups for different tiers. Your web server security group should be different from your database security group. This way, if one is compromised, the damage is contained.

Security Groups vs Network ACLs

Security groups operate at the instance level, while Network ACLs (NACLs) operate at the subnet level. Security groups are stateful — if you allow inbound traffic, the response is automatically allowed outbound. NACLs are stateless — you need explicit rules for both directions.

For most use cases, security groups are sufficient and easier to manage. Use NACLs when you need an additional layer of defense or subnet-level restrictions.