AWS Security Groups Explained: Tips and Best Practices


When Arjun launched his very first EC2 instance, he was thrilled to see it running. But when he tried to connect—nothing happened.
“Timeout? But it’s up! What’s going on?”
That’s when he discovered the silent gatekeepers of AWS networking: Security Groups.
🧱 What is a Security Group?
A Security Group (SG) in AWS acts like a virtual firewall that protects your EC2 instance (and other AWS resources) by controlling:
- Inbound traffic — what can come into the instance
- Outbound traffic — what can go out from the instance
Think of it as a set of traffic rules around your EC2 like:
“Only let Arjun in on port 22 (SSH). Allow the world to visit my website on port 80 (HTTP). Block everything else.”
🔁 Stateful by Nature
Here’s a magic trick:
Security Groups are stateful, which means:
- If traffic is allowed in, the response is automatically allowed out.
- You don’t need to create return rules — AWS handles that.
🚦 Default Behavior (Know This for the Exam)
| Traffic Direction | Default Behavior |
|---|---|
| Inbound | ❌ All blocked by default |
| Outbound | ✅ All allowed by default |
This is why Arjun’s EC2 instance wasn’t reachable at first — he hadn’t opened the door (i.e., port 22 for SSH).
🔐 Example: Launching a Web Server
Arjun wanted to launch a simple web server. Here’s what he needed:
- SSH access from his laptop only → Port 22
- HTTP access from anyone → Port 80
🧾 His Security Group looked like this:
| Type | Protocol | Port | Source |
|---|---|---|---|
| SSH | TCP | 22 | Arjun’s IP only |
| HTTP | TCP | 80 | 0.0.0.0/0 (public) |
✅ Now:
- Only Arjun can SSH into the EC2
- Anyone can access his website
🧠 Exam Tips: Security Groups (SAA Level)
| Concept | Must Know |
|---|---|
| Stateful | Responses to allowed inbound traffic are auto-allowed outbound |
| Only Allow Rules | SGs can only allow, not deny |
| VPC-Scoped | Security Groups are specific to a VPC and Region |
| Multiple SGs | You can attach multiple SGs to one resource |
| Editable Anytime | SG rules are modifiable and changes apply instantly |
| Default Limits | ~60 rules per SG, 5 SGs per network interface (can be increased) |
🔐 Pro Tip: Is It a Security Group Issue or App Issue?
| Symptom | Cause |
|---|---|
| Timeout error | 🚫 Security Group blocking access |
| Connection refused | 🚫 App is not running or not listening on that port |
Arjun learned: “If it’s a timeout, check SG. If it’s connection refused, check your app.”
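To turn Arjun’s rule of thumb into a repeatable check, here is an added example (my code, not part of the original article) that attempts a TCP connection and classifies the outcome. A silent drop by a Security Group produces no SYN-ACK, so the client sees a timeout; a host that answers with a RST means the SG let the packet through but nothing was listening on that port. The host, port and timeout values are assumptions for illustration; `self_check()` reproduces the "open" and "refused" cases on loopback, since a real timeout needs a packet that is actually dropped.

```python
"""Classify a TCP connect attempt the way Arjun's rule of thumb does.

Added example: 'timeout' points at the Security Group (or NACL/route),
'refused' points at the application. Hosts/ports below are illustrative.
"""
import socket


def classify_tcp_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:            # no SYN-ACK within `timeout` seconds
        return "timeout"
    except ConnectionRefusedError:    # host replied with RST: port is reachable
        return "refused"
    except OSError:                   # e.g. "Network is unreachable" from the client side
        return "unreachable"


# What each outcome usually means for an EC2 instance behind a Security Group.
LIKELY_CAUSE = {
    "open": "handshake completed: SG allows the port and an app is listening",
    "timeout": "packets dropped silently: check the Security Group first",
    "refused": "SG allowed the packet, but no app is listening on that port",
    "unreachable": "no route from this client: a local network problem, not the SG",
}


def self_check() -> tuple[str, str]:
    """Reproduce 'open' and 'refused' locally on an ephemeral loopback port."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = classify_tcp_connect("127.0.0.1", port, timeout=1.0)
    after_close = classify_tcp_connect("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Assumed target: replace with the instance's public IP and the port you opened.
    result = classify_tcp_connect("203.0.113.10", 22, timeout=3.0)
    print(f"{result}: {LIKELY_CAUSE[result]}")
    print("loopback self-check:", self_check())
```

Run it against the instance and port you just opened; a `timeout` sends you to the Security Group inbound rules, a `refused` sends you to the process that should be listening.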
🎯 Best Practices Arjun Now Follows
- Maintain a dedicated SG for SSH (port 22)
- Allow least privilege — only open the ports you need
- Use clear security group names (e.g., `web-sg`, `ssh-only-sg`)
- Regularly review SGs and remove unused rules
- Never allow full access (`0.0.0.0/0`) to sensitive ports like SSH or RDP
Common Ports to Remember:
- FTP: 21 (upload files into a file share)
- SFTP: 22 (secure file transfer)
- SSH: 22 (Linux server access)
- RDP: 3389 (Windows server access)
- HTTP: 80 (websites)
- HTTPS: 443 (secure websites)
Written by Jay Tillu
Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!