AWS Security Groups Explained: Tips and Best Practices
Explore How Security Groups Function as Virtual Firewalls in AWS

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I'm always eager to connect and discuss cybersecurity. Let's get in touch!
When Arjun launched his very first EC2 instance, he was thrilled to see it running. But when he tried to connect, nothing happened.
"Timeout? But it's up! What's going on?"
That's when he discovered the silent gatekeepers of AWS networking: Security Groups.
What is a Security Group?
A Security Group (SG) in AWS acts like a virtual firewall that protects your EC2 instance (and other AWS resources) by controlling:
Inbound traffic: what can come into the instance
Outbound traffic: what can go out from the instance
Think of it as a set of traffic rules around your EC2 like:
"Only let Arjun in on port 22 (SSH). Allow the world to visit my website on port 80 (HTTP). Block everything else."
Stateful by Nature
Here's a magic trick:
Security Groups are stateful, which means:
If traffic is allowed in, the response is automatically allowed out.
You don't need to create return rules; AWS handles that.
Default Behavior (Know This for the Exam)
| Traffic Direction | Default Behavior |
| --- | --- |
| Inbound | All blocked by default |
| Outbound | All allowed by default |
This is why Arjun's EC2 instance wasn't reachable at first: he hadn't opened the door (i.e., port 22 for SSH).
Example: Launching a Web Server
Arjun wanted to launch a simple web server. Here's what he needed:
SSH access from his laptop only: port 22
HTTP access from anyone: port 80
His Security Group looked like this:
| Type | Protocol | Port | Source |
| --- | --- | --- | --- |
| SSH | TCP | 22 | Arjun's IP only |
| HTTP | TCP | 80 | 0.0.0.0/0 (public) |
Now:
Only Arjun can SSH into the EC2
Anyone can access his website
Exam Tips: Security Groups (SAA Level)
| Concept | Must Know |
| --- | --- |
| Stateful | Responses to allowed inbound traffic are auto-allowed outbound |
| Only Allow Rules | SGs can only allow, not deny |
| VPC-Scoped | Security Groups are specific to a VPC and Region |
| Multiple SGs | You can attach multiple SGs to one resource |
| Editable Anytime | SG rules are modifiable and changes apply instantly |
| Default Limits | ~60 rules per SG, 5 SGs per network interface (can be increased) |
Pro Tip: Is It a Security Group Issue or App Issue?
| Symptom | Cause |
| --- | --- |
| Timeout error | Security Group blocking access |
| Connection refused | App is not running or not listening on that port |
Arjun learned: "If it's a timeout, check SG. If it's connection refused, check your app."
Best Practices Arjun Now Follows
Maintain a dedicated SG for SSH (port 22)
Allow least privilege: only open the ports you need
Use clear security group names (e.g., web-sg, ssh-only-sg)
Regularly review SGs and remove unused rules
Never allow full access (0.0.0.0/0) to sensitive ports like SSH or RDP
Common Ports to Remember:
FTP: 21 (Upload files into a file share)
SFTP: 22 (for secure file transfer)
SSH: 22 (for Linux server access)
RDP: 3389 (for Windows server access)
HTTP: 80 (for websites)
HTTPS: 443 (for secure websites)
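The last best practice above (never expose SSH or RDP to 0.0.0.0/0) can be checked mechanically. The Python below is an added example, not code from the original post: it audits the parsed output of `aws ec2 describe-security-groups` for inbound rules that open port 22 or 3389 to 0.0.0.0/0 or ::/0, and also catches the "all traffic" rule (IpProtocol -1), which exposes those ports without naming them. The sample JSON, group ids and names are constructed for the demonstration.

```python
import json
from ipaddress import ip_network

# Ports the post singles out as dangerous to expose to the world.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample shaped like `describe-security-groups` output (trimmed).
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "ssh-only-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "allow-all", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")

def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any address on the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0

def ports_covered(perm):
    """Sensitive ports one rule reaches; "-1" is AWS's all-traffic rule."""
    if perm["IpProtocol"] == "-1":
        return set(SENSITIVE_PORTS)
    if perm["IpProtocol"] != "tcp":   # SSH and RDP are TCP services
        return set()
    lo, hi = perm["FromPort"], perm["ToPort"]
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def find_world_open_sensitive(describe_output):
    """Return (GroupId, GroupName, port, service) for each inbound rule
    that exposes a sensitive port to any IPv4 or IPv6 source."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world(c) for c in cidrs):
                continue
            for port in sorted(ports_covered(perm)):
                findings.append((sg["GroupId"], sg["GroupName"], port, SENSITIVE_PORTS[port]))
    return findings
```

On the sample data, find_world_open_sensitive flags the ssh-only-sg rule and both sensitive ports of the allow-all group, while web-sg (port 80 public, port 22 from one /32) passes; the port-80 rule matches Arjun's table above.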