Security Groups are virtual firewalls at the instance level
One or more security groups can be assigned to an EC2 instance
When more than one SG is assigned to an EC2 instance, all of their (ALLOW) rules are aggregated into one effective rule set
SGs can’t be assigned to subnets or VPCs
Security Groups belong to a VPC and can't be shared across VPCs
Rules only ALLOW traffic. There are no DENY rules.
Each rule specifies a type, a protocol/port (examples: RDP 3389, MySQL/Aurora 3306) and the source (for inbound rules) or destination (for outbound rules) of the allowed traffic
When you create a new SG, two rules are created by default:
Rule 1: all inbound traffic is allowed from members of the same SG
No inbound traffic is allowed from outside the SG (there is no rule for it, so it is dropped)
Rule 2: outbound traffic to all destinations (0.0.0.0/0) is ALLOWED
SGs are stateful (unlike Network ACLs): if a protocol (say HTTP) is allowed inbound, then when a request comes in, the corresponding reply packets are allowed outbound regardless of the outbound rules, because the connection state is tracked.
Any change to an SG takes effect immediately. There is no need to stop/start the EC2 instance.
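The behaviour summarised above (ALLOW-only rules, aggregation across several groups, SG-referencing rules, the two default rules and stateful replies) as an added Python model; this is illustrative code written for these notes, not AWS code, and the group ids, rules and addresses are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" meaning all protocols
    from_port: int  # start of port range (ignored when protocol is "-1")
    to_port: int    # end of port range
    peer: str       # CIDR such as "0.0.0.0/0", or an SG id such as "sg-bastion"

@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

def default_group(sg_id):
    """The two default rules from the notes: allow all from the same SG, allow all out."""
    return SecurityGroup(sg_id, inbound=[Rule("-1", 0, 0, sg_id)],
                         outbound=[Rule("-1", 0, 0, "0.0.0.0/0")])

def rule_matches(rule, proto, port, peer_ip, peer_groups):
    """One ALLOW rule. A rule whose peer is an SG id matches any member of that group."""
    if rule.protocol != "-1" and (rule.protocol != proto
                                  or not rule.from_port <= port <= rule.to_port):
        return False
    if rule.peer.startswith("sg-"):
        return rule.peer in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

class Instance:
    """An EC2 instance with one or more SGs: allow rules are unioned, accepted flows are tracked."""
    def __init__(self, *groups):
        self.groups = groups
        self.tracked = set()  # (proto, peer_ip, local_port) of accepted inbound flows

    def inbound_allowed(self, proto, port, src_ip, src_groups=()):
        rules = [r for g in self.groups for r in g.inbound]  # aggregation of all attached SGs
        if any(rule_matches(r, proto, port, src_ip, src_groups) for r in rules):
            self.tracked.add((proto, src_ip, port))
            return True
        return False  # no DENY rules exist; unmatched traffic is simply dropped

    def outbound_allowed(self, proto, dst_port, dst_ip, local_port=None, dst_groups=()):
        if (proto, dst_ip, local_port) in self.tracked:  # stateful reply: outbound rules ignored
            return True
        rules = [r for g in self.groups for r in g.outbound]
        return any(rule_matches(r, proto, dst_port, dst_ip, dst_groups) for r in rules)

# Constructed example: a web SG (no outbound rules at all) plus an admin SG on one instance.
WEB = SecurityGroup("sg-web", inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")])
ADMIN = SecurityGroup("sg-admin", inbound=[Rule("tcp", 3389, 3389, "sg-bastion")])
```

Attaching both groups to one instance makes HTTP reachable from anywhere and RDP reachable only from members of sg-bastion, while the reply to an accepted HTTP request passes even though sg-web has no outbound rule.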