AWS Security Groups (AWS SAA Focused)

When you launch an EC2 instance or other AWS resources, security is a top priority. Security Groups in AWS act like a virtual firewall for your resources — controlling who can access them and how.

Let's break this down in the simplest way possible.

What is a Security Group?

A Security Group (SG) is like a shield around your instance.

• It controls inbound traffic (traffic coming in) to your instance.

• It controls outbound traffic (traffic going out) from your instance.

Think of it as rules that say:

• "Allow traffic from these places on these ports."

• "Block everything else by default."

Important:
Security Groups are stateful — if you allow inbound traffic, the response outbound is automatically allowed.

Key Points About Security Groups:

• Default Deny: By default, all inbound traffic is blocked and all outbound traffic is allowed.

• Rules: You can add rules to allow specific traffic, such as:

  • Allow SSH (port 22) from your IP address.

  • Allow HTTP (port 80) traffic from anywhere (0.0.0.0/0).

• Attached to Resources: Security Groups are attached to EC2 instances, RDS databases, Load Balancers, and more.

• Multiple SGs: You can attach multiple Security Groups to a single instance.

• Modify Anytime: You can edit rules at any time, and the changes are applied immediately.

• All inbound traffic is blocked by default.

• All outbound traffic is authorised by default.

• It is good to maintain one separate security group for SSH access.

• If your application is not accessible (time out), then it’s a security group issue.

• If your application gives a “connection refused” error, then it’s an application error.

• Security Group is locked down to a region and VPC combination.

Example Scenario:

You're launching a web server on EC2.
You want:

• SSH access from your laptop only (port 22)

• HTTP access from everyone (port 80)

Your Security Group rules would look like:

✅ Now, only you can SSH into the server, and everyone can visit the website.

Security Group Tips for AWS SAA Exam:

• Stateful: Understand that SGs are stateful — return traffic is automatically allowed.

• Only Allow: Security Groups can only allow traffic. They cannot deny traffic.

• Attached at Launch: Attach Security Groups when launching an instance or add them later.

• Multiple Rules: One SG can have multiple rules. One instance can have multiple SGs.

• VPC Scoped: Security Groups are specific to a VPC (Virtual Private Cloud).

• Limits: Default limits are like 60 rules per SG and 5 SGs per network interface (limits can vary).

Common Ports to Remember:

• FTP: 21 (Upload files into a file share)

• SFTP: 22 (For Secure File Transfer)

• SSH: 22 (for Linux server access)

• RDP: 3389 (for Windows server access)

• HTTP: 80 (for websites)

• HTTPS: 443 (for secure websites)

More AWS SAA Articles

• EC2 Instance Types

• AWS IAM Best Practice

• AWS IAM Security Tools

• IAM Roles for Services

• AWS IAM User, Root User and Groups

• AWS IAM Policies and their structure

Follow me for more such content

• My YouTube Channel

• My Site

• My Blogs

• LinkedIn

• Instagram

• Twitter

• Stackoverflow

• Github

• Dev