AWS Security Groups Explained: Tips and Best Practices

Jay Tillu

When Arjun launched his very first EC2 instance, he was thrilled to see it running. But when he tried to connect—nothing happened.

“Timeout? But it’s up! What’s going on?”

That’s when he discovered the silent gatekeepers of AWS networking: Security Groups.


🧱 What is a Security Group?

A Security Group (SG) in AWS acts like a virtual firewall that protects your EC2 instance (and other AWS resources) by controlling:

  • Inbound traffic — What can come into the instance

  • Outbound traffic — What can go out from the instance

Think of it as a set of traffic rules around your EC2 like:

“Only let Arjun in on port 22 (SSH). Allow the world to visit my website on port 80 (HTTP). Block everything else.”


🔁 Stateful by Nature

Here’s a magic trick:
Security Groups are stateful, which means:

If traffic is allowed in, the response is automatically allowed out.

You don’t need to create return rules — AWS handles that.


🚦 Default Behavior (Know This for the Exam)

| Traffic Direction | Default Behavior |
| --- | --- |
| Inbound | ❌ All blocked by default |
| Outbound | ✅ All allowed by default |

This is why Arjun’s EC2 instance wasn’t reachable at first — he hadn’t opened the door (i.e., port 22 for SSH).


🔐 Example: Launching a Web Server

Arjun wanted to launch a simple web server. Here’s what he needed:

  • SSH access from his laptop only → Port 22

  • HTTP access from anyone → Port 80

🧾 His Security Group looked like this:

| Type | Protocol | Port | Source |
| --- | --- | --- | --- |
| SSH | TCP | 22 | Arjun’s IP only |
| HTTP | TCP | 80 | 0.0.0.0/0 (public) |

✅ Now:

  • Only Arjun can SSH into the EC2

  • Anyone can access his website


🧠 Exam Tips: Security Groups (SAA Level)

| Concept | Must Know |
| --- | --- |
| Stateful | Responses to allowed inbound traffic are auto-allowed outbound |
| Only Allow Rules | SGs can only allow, not deny |
| VPC-Scoped | Security Groups are specific to a VPC and Region |
| Multiple SGs | You can attach multiple SGs to one resource |
| Editable Anytime | SG rules are modifiable and changes apply instantly |
| Default Limits | ~60 rules per SG, 5 SGs per network interface (can be increased) |

🔐 Pro Tip: Is It a Security Group Issue or App Issue?

| Symptom | Cause |
| --- | --- |
| Timeout error | 🚫 Security Group blocking access |
| Connection refused | 🚫 App is not running or not listening on that port |

Arjun learned: “If it’s a timeout, check SG. If it’s connection refused, check your app.”


🎯 Best Practices Arjun Now Follows

  • Maintain a dedicated SG for SSH (port 22)

  • Allow least privilege — only open ports you need

  • Use security group names clearly (e.g., web-sg, ssh-only-sg)

  • Regularly review SGs and remove unused rules

  • Never allow full access (0.0.0.0/0) to sensitive ports like SSH or RDP
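As an added example (not code from the original post), here is a small Python audit written against the rule layout that boto3's `describe_security_groups()` returns. It checks the last best practice above, flagging any group that admits a sensitive port (SSH 22, RDP 3389) from 0.0.0.0/0 or ::/0, and re-checks Arjun's web server group from the earlier section; the group names and the address 203.0.113.10/32 standing in for Arjun's laptop are assumptions.

```python
# Added example: audit describe_security_groups()-style rules for sensitive
# ports (SSH, RDP) open to the world. Sample groups below are constructed.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "All traffic": every protocol and every port
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """IPv4 and IPv6 CIDR sources of one rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_world_open_sensitive(groups):
    """Return (group, service, cidr) for each sensitive port reachable from anywhere."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            world = [c for c in rule_sources(rule) if c in WORLD_CIDRS]
            for port, service in SENSITIVE_PORTS.items():
                if world and rule_covers_port(rule, port):
                    findings += [(sg["GroupName"], service, c) for c in world]
    return findings


# Constructed: Arjun's web-sg from the article (SSH from his IP, HTTP to all).
ARJUN_WEB_SG = {"GroupName": "web-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
# Constructed: a careless "all traffic from anywhere" group.
CARELESS_SG = {"GroupName": "allow-all-sg", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
```

Arjun's group produces no findings, while the "all traffic" group is reported once per sensitive port and per world CIDR; against a live account you would feed the `SecurityGroups` list from `describe_security_groups()` straight into `find_world_open_sensitive`.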


Common Ports to Remember:

  • FTP: 21 (Upload files into a file share)

  • SFTP: 22 (For Secure File Transfer)

  • SSH: 22 (for Linux server access)

  • RDP: 3389 (for Windows server access)

  • HTTP: 80 (for websites)

  • HTTPS: 443 (for secure websites)

💡 Note: SFTP is actually built on top of SSH, so when you use SFTP, it establishes a secure SSH connection first and then transfers the files through that connection. Because both are tied to SSH, if SSH (port 22) is blocked, SFTP will not work either unless it's reconfigured to use a different port (which is rare).

Written by

Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!