👈

🔐 Security Groups in AWS – Complete Deep Explanation

🔐 Security Groups in AWS – Complete Deep Explanation

1️⃣ What is a Security Group?

A Security Group (SG) is a virtual firewall in AWS that controls inbound and outbound traffic at the resource (instance) level, mainly for:

EC2
Load Balancers
RDS
Lambda (VPC-based)

Simple definition:

A Security Group controls which traffic is allowed to reach or leave an AWS resource.

2️⃣ Why Security Groups Exist (Core Purpose)

AWS follows the principle of shared responsibility:

AWS secures the cloud
You secure what’s inside the cloud

Security Groups exist to:

Protect individual resources
Control access using least privilege
Reduce attack surface

Without Security Groups: ❌ Every EC2 would be open to the internet ❌ No control over who can connect

3️⃣ Where Security Groups Sit in AWS Networking

Traffic flow order (important):

Internet
 ↓
Internet Gateway / NAT Gateway
 ↓
Route Table
 ↓
NACL (Subnet level)
 ↓
Security Group (Instance level)
 ↓
EC2 / Resource

👉 Security Group is the last checkpoint before the resource

4️⃣ Key Characteristics of Security Groups (VERY IMPORTANT)

Feature	Security Group
Scope	Resource / Instance level
Stateful	✅ Yes
Rules	Allow only
Deny rules	❌ Not supported
Rule order	Not evaluated by order
Applies to	ENI (network interface)
Default behavior	Deny all inbound

5️⃣ Stateful Nature of Security Groups (MOST IMPORTANT CONCEPT)

What does “stateful” mean?

If traffic is allowed in one direction, the response traffic is automatically allowed.

You do NOT need to define return rules.

Example (Very Important)

Inbound rule:

Allow TCP 80 from 0.0.0.0/0

What happens?

Client sends request to port 80
Server responds back
Response traffic is automatically allowed

✔ No outbound rule required for return traffic

6️⃣ Security Group Rule Structure

Each rule has:

Field	Meaning
Type	HTTP, SSH, Custom TCP
Protocol	TCP / UDP / ICMP
Port Range	22, 80, 443, etc.
Source / Destination	IP or Security Group
Description	Optional

7️⃣ Inbound Rules vs Outbound Rules

🔹 Inbound Rules

Control:

Who can connect to the resource

Default:

❌ Deny all inbound traffic

Example:

Allow TCP 22 from My IP
Allow TCP 80 from 0.0.0.0/0

🔹 Outbound Rules

Control:

Where the resource can send traffic

Default:

✅ Allow all outbound traffic

You can restrict outbound if needed.

8️⃣ Default Security Group (Very Important)

Every VPC has a default security group.

Default SG rules:

Inbound: Allow traffic from same security group
Outbound: Allow all

Use case:

Internal communication between instances

9️⃣ Security Groups Are Attached to ENIs

Important concept:

Security Groups are attached to network interfaces (ENIs), not directly to instances.

This means:

One instance can have multiple security groups
One security group can be used by multiple instances

🔟 Multiple Security Groups on One Instance

If an instance has:

SG-A allows HTTP
SG-B allows SSH

Result: ✔ Both HTTP and SSH allowed

Rules are combined (logical OR).

1️⃣1️⃣ Security Group Referencing (Very Powerful Feature)

Instead of IPs, you can allow:

Another security group

Example:

Allow MySQL (3306) from SG-App

This means:

Any instance in SG-App can access DB
No IP management required

✔ Dynamic ✔ Scalable ✔ Best practice

1️⃣2️⃣ Real Traffic Flow Example (Public Web Server)

Scenario:

EC2 in public subnet
Website on port 80

Required Security Group:

Inbound:
Allow TCP 80 from 0.0.0.0/0
Allow TCP 22 from My IP

Outbound:
Allow all (default)

NACL + Route table must also allow traffic.

1️⃣3️⃣ Security Groups vs NACLs (Quick Recap)

Feature	Security Group	NACL
Level	Instance	Subnet
Stateful	✅ Yes	❌ No
Allow	✅ Yes	✅ Yes
Deny	❌ No	✅ Yes
Rule order	Not ordered	Ordered
Default inbound	Deny all	Allow all

1️⃣4️⃣ Why Security Groups Do NOT Support Deny Rules

AWS design decision:

Simpler logic
Easier troubleshooting
Least privilege model

Blocking is handled by:

NACLs
Route tables
No rule = deny

1️⃣5️⃣ Security Groups and Ports

Security Groups control:

Which ports
Which protocols
Which sources

Example:

Allow TCP 443 from 0.0.0.0/0

Means:

HTTPS traffic allowed
Everything else blocked

1️⃣6️⃣ Common Security Group Use Cases

🔹 Web Server

Inbound: 80, 443
Outbound: All

🔹 Bastion Host

Inbound: 22 from office IP
Outbound: All

🔹 Database Server

Inbound: 3306 from App SG
Outbound: Restricted

1️⃣7️⃣ Security Groups in Other AWS Services

Security Groups are used by:

EC2
ALB / NLB
RDS
ElastiCache
Lambda (inside VPC)

Same concepts apply everywhere.

1️⃣8️⃣ Logging & Monitoring

Security Groups:

Do NOT log traffic

For visibility:

Use VPC Flow Logs
Use CloudTrail (for rule changes)

1️⃣9️⃣ Common AWS Exam Traps

❓ Instance not reachable

➡ Check inbound SG rules

❓ Outbound blocked unexpectedly

➡ Outbound rules modified

❓ Want to block IP explicitly

➡ Use NACL (SG cannot deny)

❓ Multiple SGs attached

➡ Rules are combined, not overridden

2️⃣0️⃣ Security Best Practices (IMPORTANT)

Follow least privilege
Use SG-to-SG referencing
Avoid 0.0.0.0/0 for SSH
Separate SGs by role (web, app, db)
Review rules regularly

2️⃣1️⃣ Real-World Analogy

Security Group = Door Lock of a Room

Only listed people can enter
If not listed → no entry
No “explicit ban list”

2️⃣2️⃣ One-Line Exam Definitions

Security Group:

A stateful virtual firewall that controls inbound and outbound traffic for AWS resources.

2️⃣3️⃣ Mental Model to Remember Forever

NACL = Subnet gate
Security Group = Instance door

2️⃣4️⃣ Final Summary (Must Remember)

SG works at instance level
Stateful → return traffic auto allowed
Allow rules only
Default inbound deny
Supports SG referencing
Core AWS security component