What is a Security Group?
A Security Group acts as a virtual firewall for your Amazon EC2 instances to control inbound and outbound traffic. It defines a set of rules that determine which traffic is allowed to reach or leave the associated resources, such as EC2 instances, network interfaces, and load balancers within a VPC (Virtual Private Cloud).
Key Concepts:
- Stateful:
  - Security groups are stateful: if you allow an inbound request from an IP address, the response traffic is automatically allowed regardless of outbound rules, and likewise the reply to an allowed outbound request is admitted regardless of inbound rules.
- Rule Types:
  - Inbound Rules: Control the incoming traffic to your instances. You can specify allowed protocols (TCP, UDP, ICMP), ports, and source IP ranges or security groups.
  - Outbound Rules: Control the outgoing traffic from your instances. Similarly, you can specify allowed protocols, ports, and destination IP ranges or security groups.
- Default Security Group:
  - When you create a VPC, AWS automatically creates a default security group. This default group allows all outbound traffic but restricts inbound traffic from all sources unless specified otherwise (its one built-in inbound rule references the group itself, so resources in the default group can reach each other).
- Multiple Security Groups:
  - You can associate multiple security groups with an instance. The rules of all associated groups are aggregated as a union: traffic is allowed if any one of the groups allows it.
Important Points:
- Implicit Deny Only:
  - If you don't explicitly allow a type of traffic (inbound or outbound), it is implicitly denied. Security groups do not have "deny" rules; if you need an explicit deny, that is the job of VPC network ACLs.
- Rule Limits:
  - Each security group can have a maximum of 60 inbound and 60 outbound rules by default, but this limit can be increased upon request.
- Source/Destination Options:
  - You can specify rules based on IP addresses, CIDR blocks, or other security groups, allowing for flexible access controls.
- Logging:
  - AWS CloudTrail can be used to log changes to security group configurations for auditing purposes. The traffic decisions themselves (accepted and rejected flows) are recorded by VPC Flow Logs, not by the security group.
Best Practices:
- Least Privilege Principle:
  - Follow the principle of least privilege by allowing only the traffic necessary for your application to function.
- Use Descriptive Names:
  - Name security groups descriptively based on their purpose (e.g., "WebServerSG", "DatabaseSG") to improve manageability.
- Regularly Review Rules:
  - Periodically review security group rules to ensure they meet current security requirements, and remove any unnecessary rules.
- Segment Traffic:
  - Create separate security groups for different layers of your application (e.g., web servers, application servers, database servers) to better control access.
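As an added example (not part of the original notes), the script below puts the review practice and the rule-evaluation concepts above into code: it flags inbound rules open to the whole internet on ports the application does not intend to expose, and it evaluates a connection against several attached groups the way the union-and-implicit-deny model works. The group records follow the shape of boto3's `describe_security_groups` output so the same functions could be fed live data; the sample groups, their IDs and the `PUBLIC_OK_PORTS` set are constructed assumptions.

```python
import ipaddress

PUBLIC_OK_PORTS = {80, 443}        # ports the application intends to expose (assumption)
WORLD = {"0.0.0.0/0", "::/0"}

def port_span(perm):
    """Ports a rule covers; IpProtocol "-1" (all traffic) means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def rule_cidrs(perm):
    """IPv4 and IPv6 source ranges of one rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def world_open_findings(group):
    """Inbound rules admitting the whole internet on a port outside PUBLIC_OK_PORTS."""
    findings = []
    for perm in group["IpPermissions"]:
        lo, hi = port_span(perm)
        for cidr in rule_cidrs(perm):
            if cidr in WORLD and not all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                findings.append((group["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return findings

def inbound_allowed(groups, protocol, port, source):
    """True if any attached group allows protocol/port from `source` (an IP address
    or a security group ID). Rules are unioned across groups; no match is the implicit deny."""
    src_ip = None if source.startswith("sg-") else ipaddress.ip_address(source)
    for group in groups:
        for perm in group["IpPermissions"]:
            lo, hi = port_span(perm)
            if perm["IpProtocol"] not in ("-1", protocol) or not lo <= port <= hi:
                continue
            if src_ip is None:
                if any(p["GroupId"] == source for p in perm.get("UserIdGroupPairs", [])):
                    return True
            elif any(src_ip in ipaddress.ip_network(c) for c in rule_cidrs(perm)):
                return True
    return False

# Constructed sample (boto3 describe_security_groups shape): web tier and an app tier that trusts only it.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]
```

Running `world_open_findings` over the sample reports the SSH rule on `sg-web` as world-open while the HTTPS rule passes, and `inbound_allowed` shows that port 8080 on `sg-app` is reachable only from members of `sg-web`.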