Deep Dive into AWS Security Group
AWS Security Groups act as a firewall for your AWS resources. Be aware that security groups are applied at the network interface, and you can assign one or more security groups to a network interface. For example, for an EC2 instance you control inbound and outbound traffic with a security group.
Security Group Rules
Security Group rules allow you to control your instances’ inbound and outbound traffic. There are two types of rules:
Inbound Rules: Allow you to control ingress traffic to your resources. Information that you need to provide for the inbound rule:
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Type of traffic | Selected automatically for the chosen type, unless a custom protocol is chosen | Network port | IP/CIDR/Security Group | |
Please find an example inbound rule where I have provided SSH access to the internal team:
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
SSH | TCP | 22 | 192.168.0.0/24 | internal access |
Outbound Rules: Allow you to control the egress traffic from the instance. Information that you need to provide for the outbound rule:
Type | Protocol | Port Range | Destination | Description |
---|---|---|---|---|
Type of traffic | Selected automatically for the chosen type, unless a custom protocol is chosen | Network port | IP/CIDR/Security Group | |
Please find an example outbound rule where I have allowed all outbound traffic:
Type | Protocol | Port Range | Destination | Description |
---|---|---|---|---|
All Traffic | all | all | 0.0.0.0/0 | Allow all outbound traffic |
Be aware that security groups are stateful: return traffic is automatically allowed regardless of any rule, so you do not need an outbound rule for return traffic. For example, if you configure an inbound rule for SSH access, the responses the instance sends back to the SSH client are allowed without any outbound rule.
How Security Groups are different from NACL
Security Group | NACL |
---|---|
Applied at the instance level (ENI) | Applied at the subnet level |
Only allow rules can be specified; if no rules are specified, nothing is allowed. | Both allow and deny rules can be specified. |
All rules are evaluated before traffic is allowed. | Rules are evaluated in order of their numeric rule number, starting with the lowest. |
Resources can use multiple security groups; the rules of all of them are evaluated. | A subnet can have only one NACL associated with it, but the same NACL can be used with multiple subnets. |
Stateful: return traffic is automatically allowed regardless of any rule. | Stateless: return traffic must be explicitly allowed by rules. |
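The evaluation differences in the table above, as an added example that is not part of the original article: a small Python model of both evaluators run against the article's SSH rule (TCP 22 from 192.168.0.0/24). The client address, the ephemeral port 51000, the NACL rule numbers and the `tracked` set standing in for AWS connection tracking are all constructed here for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "all"
    ports: tuple           # inclusive (low, high) destination ports; ignored for "all"
    cidr: str              # source for inbound rules, destination for outbound rules
    action: str = "allow"  # NACLs also take "deny"; security groups are allow-only
    number: int = 0        # NACL rule number; unused by security groups

    def matches(self, protocol, dst_port, peer):
        proto_ok = self.protocol == "all" or (
            self.protocol == protocol and self.ports[0] <= dst_port <= self.ports[1])
        return proto_ok and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)

def sg_allows(rules, direction, protocol, peer, peer_port, local_port, tracked):
    """Security group: any matching rule allows, no match is an implicit deny; admitted flows are remembered (stateful)."""
    flow = (protocol, peer, peer_port, local_port)  # same key seen from either direction
    if flow in tracked:
        return True  # return traffic of an already admitted flow: no rule needed
    dst_port = local_port if direction == "in" else peer_port  # rules name the destination port
    if any(r.matches(protocol, dst_port, peer) for r in rules):
        tracked.add(flow)
        return True
    return False

def nacl_allows(rules, direction, protocol, peer, peer_port, local_port):
    """NACL: the lowest-numbered matching rule decides; stateless, so return traffic needs its own rule."""
    dst_port = local_port if direction == "in" else peer_port
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, dst_port, peer):
            return rule.action == "allow"
    return False  # no match: the trailing "*" deny

def ssh_session_demo():
    """Constructed scenario: 192.168.0.10:51000 opens SSH to the instance, which replies."""
    sg_in, sg_out, tracked = [Rule("tcp", (22, 22), "192.168.0.0/24")], [], set()
    nacl = [Rule("tcp", (22, 22), "192.168.0.0/24", number=100)]  # same rule in and out
    ephemeral = Rule("tcp", (1024, 65535), "192.168.0.0/24", number=110)
    client = ("tcp", "192.168.0.10", 51000, 22)  # protocol, peer, peer_port, local_port
    return {
        "sg_request": sg_allows(sg_in, "in", *client, tracked),
        "sg_reply": sg_allows(sg_out, "out", *client, tracked),  # allowed with no outbound rule
        "nacl_request": nacl_allows(nacl, "in", *client),
        "nacl_reply": nacl_allows(nacl, "out", *client),  # denied: the reply goes to port 51000
        "nacl_reply_fixed": nacl_allows(nacl + [ephemeral], "out", *client),
    }
```

The `nacl_reply` result is the classic symptom of forgetting that NACLs are stateless: the SSH request is admitted, but the instance's replies to the client's ephemeral port are dropped until an outbound rule for that port range exists.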
A few important points on security groups before we move forward
- A security group is a VPC-level resource. When you create a security group, you have to specify the VPC in which it will exist. The security group can then be used in any subnet inside that VPC.
- You can create up to 2500 security groups inside a region.
- You can apply the same security group to multiple EC2 instances, for example when you want numerous web server machines to share the same rules.
- A security group is required to deploy an EC2 instance. If you don't have one, AWS allows you to create a new security group while creating the EC2 instance.
- You can configure 60 inbound and 60 outbound rules for each security group.
Default and Custom Security Group
Default Security Group: Whenever you create a VPC inside your account, one default security group is created and attached to that VPC. The default security group comes with one inbound and one outbound rule; you can edit both if you want.
If you create an EC2 resource through the UI inside a VPC, AWS lets you choose this default security group or create a new security group while creating the EC2 instance.
Default security group inbound rule allows all traffic from instances inside the same security group.
Type | Protocol | Port Range | Source |
---|---|---|---|
All Traffic | all | all | Default security group ID |
Default security group outbound rule allows all outbound traffic from the instance.
Type | Protocol | Port Range | Destination |
---|---|---|---|
All Traffic | all | all | 0.0.0.0/0 |
Custom Security Group: If you don't want your instances to use the default security group, or you need to use multiple security groups, you can create your own security groups and specify them when you launch your resources.
There are two default rules for a new security group:
- Allow all outbound traffic
- Block all inbound traffic