Security Groups are virtual firewalls at the instance level
SGs only ALLOW traffic; remember this with the acronym SAG (Security Allow Groups)
One or more security groups can be assigned to an EC2 instance
When more than one SG is assigned to an EC2 instance, all of their rules (all ALLOW) are aggregated, so the effective rule set is the union
SGs can’t be assigned to subnets or VPCs
Security Groups belong to a VPC. They can’t be shared across VPCs
Traffic
SG rules (IOACPS)
rule is either Inbound or Outbound
rule can specify ALLOW only
an inbound rule has a source (CIDR/SG); an outbound rule has a destination (CIDR/SG/Prefix List ID)
Rules will only ALLOW traffic. No DENY rules.
Each rule specifies a type, a protocol/port (for example RDP 3389, MySQL/Aurora 3306), and a source (inbound) or destination (outbound) for the allowed traffic
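As an added example (not part of the original notes), the following Python audits rules in the same shape as `aws ec2 describe-security-groups` output (IpPermissions with IpProtocol, FromPort/ToPort, IpRanges, Ipv6Ranges, UserIdGroupPairs, PrefixListIds) and flags inbound ALLOW rules that expose RDP 3389, MySQL/Aurora 3306 or SSH 22 to 0.0.0.0/0 or ::/0. The sample security group, its IDs and the sensitive-port list are constructed for the demo.

```python
"""Audit Security Group inbound rules for admin/database ports open to the world.
Added example; the sample data below is constructed and the IDs are fake."""

# Ports from the notes plus SSH; a constructed list, not an AWS default.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL/Aurora", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_port_range(perm):
    """Return (from, to) for one IpPermission entry. IpProtocol '-1' means
    all protocols/ports and carries no FromPort/ToPort keys."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def rule_sources(perm):
    """Collect everything a rule allows from: CIDRs, referenced SGs, prefix lists."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return sources


def find_open_sensitive_ports(sg):
    """Return (port, name, cidr) findings for inbound rules open to the world.
    Only IpPermissions (inbound) is inspected; egress is left alone."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = rule_port_range(perm)
        world = [s for s in rule_sources(perm) if s in ANYWHERE]
        if not world:
            continue  # SG references and private CIDRs are not "the world"
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                for cidr in world:
                    findings.append((port, name, cidr))
    return findings


# Constructed sample resembling describe-security-groups output (fake IDs).
SAMPLE_SG = {
    "GroupId": "sg-0example1234567890",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0app111111111111"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for port, name, cidr in find_open_sensitive_ports(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {name} ({port}) open to {cidr}")
```

The 3306 rule referencing another SG is not reported, because an SG-to-SG rule limits the source to instances carrying that group rather than a CIDR; the "all traffic" rule from ::/0 is reported for every sensitive port, since IpProtocol -1 covers the full port range.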
In default VPC, the default SG has two rules
All inbound traffic is allowed from within the same SG (rule 1)
No inbound traffic is allowed from outside (no rule)
outbound traffic to all destinations (0.0.0.0/0) is ALLOWED (rule 2: All Traffic, all ports and protocols -> 0.0.0.0/0)
When you create a new SG, one rule is automatically created
No inbound traffic is allowed from outside (no rule)
outbound traffic to all destinations (0.0.0.0/0) is ALLOWED
SGs are stateful (unlike Network ACLs): if a protocol (say HTTP) is allowed inbound, then when a request comes in, the corresponding reply packets are allowed outbound irrespective of the outbound rules, thus maintaining state.
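As an added example (not part of the original notes and not AWS code), this small Python model shows the three behaviours described above together: rules only ALLOW (anything unmatched is dropped, with no DENY rule to write), several SGs on one instance are unioned, and evaluation is stateful, so the reply to an allowed inbound request passes outbound even when no outbound rule exists. The Rule and Instance classes, the group IDs and the flows are all constructed for the demo.

```python
"""Toy model of Security Group semantics: ALLOW-only, unioned across attached
SGs, and stateful. Added example with constructed rules, IDs and flows."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", or "-1" for all traffic
    from_port: int
    to_port: int
    peer: str        # source/destination: a CIDR or a security-group id "sg-..."


def rule_matches(rule, direction, protocol, port, peer_ip, peer_sgs):
    """Does one ALLOW rule cover this packet? (There are no DENY rules.)"""
    if rule.direction != direction:
        return False
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.peer.startswith("sg-"):
        return rule.peer in peer_sgs   # SG reference: match on the peer's groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


@dataclass
class Instance:
    groups: dict                                   # sg-id -> list[Rule]
    established: set = field(default_factory=set)  # tracked flows (state)

    def allows(self, direction, protocol, local_port, peer_ip, peer_port, peer_sgs=()):
        """Stateful check: a reply to a tracked flow passes without consulting rules;
        otherwise the packet must match an ALLOW rule in any attached SG."""
        key = (protocol, local_port, peer_ip, peer_port)
        if key in self.established:
            return True
        # A rule's port is the local port for inbound, the remote port for outbound.
        port = local_port if direction == "inbound" else peer_port
        for rules in self.groups.values():       # union of every attached SG
            if any(rule_matches(r, direction, protocol, port, peer_ip, peer_sgs)
                   for r in rules):
                self.established.add(key)        # allowed: track it so the reply passes
                return True
        return False                              # nothing allowed it; drop


def demo():
    web = Instance(groups={
        "sg-web":  [Rule("inbound", "tcp", 80, 80, "0.0.0.0/0")],  # no outbound rule
        "sg-mgmt": [Rule("inbound", "tcp", 22, 22, "10.0.0.0/8")],
    })
    db = Instance(groups={
        "sg-db": [Rule("inbound", "tcp", 3306, 3306, "sg-app")],   # SG-to-SG rule
    })
    r = {}
    r["http_in"] = web.allows("inbound", "tcp", 80, "203.0.113.5", 51000)
    # Reply to that request passes although no SG has any outbound rule.
    r["http_reply"] = web.allows("outbound", "tcp", 80, "203.0.113.5", 51000)
    # A connection the instance itself initiates is not covered by state.
    r["new_out"] = web.allows("outbound", "tcp", 44000, "203.0.113.5", 443)
    # sg-mgmt's rule applies too: the attached SGs are unioned.
    r["ssh_in_lan"] = web.allows("inbound", "tcp", 22, "10.1.2.3", 40000)
    r["ssh_in_wan"] = web.allows("inbound", "tcp", 22, "198.51.100.7", 40000)
    # SG reference matches on the peer's groups, not on its address.
    r["mysql_from_app"] = db.allows("inbound", "tcp", 3306, "10.5.5.5", 55000, ("sg-app",))
    r["mysql_from_other"] = db.allows("inbound", "tcp", 3306, "10.5.5.5", 55001, ("sg-other",))
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DROP'}")
```

The model tracks flows by a simple (protocol, local port, peer IP, peer port) tuple; the real service keeps connection state for you, which is why the notes say no outbound rule is needed for replies and why a Network ACL, being stateless, would need an explicit ephemeral-port rule for the same reply.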
Any changes to SGs take effect immediately. No need to stop/start the EC2 instance