AWS • Official AWS Partner • Cloud-powered training & certifications • Explore Courses

AWS Security Groups Explained: Complete Beginner's Guide

6/10/2026

AWS

Security is one of the most important aspects of cloud computing. No matter how powerful your application is, it must be protected from unauthorized access, malicious traffic, and accidental exposure.

In AWS, one of the first lines of defense for your resources is the Security Group.

Whenever you launch an Amazon EC2 instance, it is associated with at least one Security Group (the VPC's default group if you do not pick one). This Security Group acts as a virtual firewall, controlling who can connect to your server and what traffic is allowed.

Understanding Security Groups is essential for anyone learning AWS because they are used not only with EC2 but also with services such as Amazon RDS, Elastic Load Balancers, ECS, EKS, and more.

In this guide, you'll learn:

  • What Security Groups are
  • How they work
  • Inbound and outbound rules
  • Common configurations
  • Best practices
  • Real-world examples
  • Common mistakes
  • Interview questions

What Is a Security Group?

A Security Group is a virtual firewall that controls network traffic to and from AWS resources. Technically it is attached to a resource's elastic network interface (ENI), which is why the same mechanism works for EC2, RDS, load balancers and anything else that has a network interface in a VPC.

It determines:

  • Who can connect to your resource
  • Which ports can be accessed
  • Which protocols are allowed
  • Where traffic can originate from

Security Groups are attached directly to resources such as:

  • EC2 Instances
  • RDS Databases
  • Elastic Load Balancers
  • ECS Tasks
  • Lambda Functions in VPCs

Without proper Security Group configuration, resources may either be inaccessible or exposed to security risks.

Real-World Analogy

Imagine an office building.

The building has:

  • Main entrance
  • Security guards
  • Visitor access controls

Not everyone can enter every room.

Similarly:

  • EC2 Instance = Building
  • Security Group = Security Guard

The Security Group decides:

  • Who may enter
  • Which doors may be used
  • What activities are permitted

Why Security Groups Are Important

Suppose you launch a web server.

Without restrictions:

  • Anyone could attempt access
  • Attackers could scan open ports
  • Sensitive services could become exposed

Security Groups reduce these risks by allowing only approved traffic.

Benefits include:

  • Improved security
  • Reduced attack surface
  • Better access control
  • Regulatory compliance

How Security Groups Work

Every Security Group contains a set of rules.

These rules determine:

Inbound Traffic

Traffic entering a resource.

Examples:

  • Website visitors
  • SSH connections
  • API requests

Outbound Traffic

Traffic leaving a resource.

Examples:

  • Internet access
  • Database requests
  • API calls

Security Groups evaluate traffic against configured rules.

If traffic matches a rule:

✅ Allowed

If no rule matches:

❌ Denied

Security Groups Are Stateful

One of the most important Security Group characteristics is that they are stateful.

What does that mean?

AWS tracks connections. If a connection is allowed in one direction, the reply traffic for that connection is allowed automatically in the other direction, regardless of the rules for that direction.

Example:

You allow inbound:

SSH Port 22

When your computer connects:

  • Request enters EC2
  • Response automatically returns

No additional outbound rule is required. The same holds in reverse: an outbound request your instance makes (for example, a package download) gets its reply back even if no inbound rule allows that source.

This simplifies security management.

Default Security Group Behavior

A Security Group you create yourself starts with:

Inbound Rules

No inbound rules, so no inbound traffic is allowed.

Outbound Rules

One rule allowing all outbound traffic to 0.0.0.0/0 (and ::/0 if the VPC uses IPv6).

This provides a secure starting point for inbound traffic; tighten outbound rules later if the workload does not need to reach the internet.

The default Security Group that AWS creates with every VPC is different: besides allow-all outbound, it has an inbound rule allowing all traffic from other resources that use that same default group. Instances launched without choosing a group land in it, so prefer creating purpose-specific groups rather than relying on the default.

Understanding Security Group Rules

Each rule contains:

Protocol

Examples:

  • TCP
  • UDP
  • ICMP

Port Number

Examples:

Service       Port
SSH           22
HTTP          80
HTTPS         443
MySQL         3306
PostgreSQL    5432

Source or Destination

Specifies who can communicate.

Examples:

192.168.1.10/32

Single IP address.

203.0.113.0/24

Network range.

0.0.0.0/0

Everyone on the internet.

Understanding CIDR Notation

Security Groups frequently use CIDR notation.

Example:

192.168.1.0/24

Meaning:

  • Network: 192.168.1.0
  • Prefix length: 24 bits (subnet mask 255.255.255.0)
  • 256 addresses, from 192.168.1.0 to 192.168.1.255

In a subnet, .1 to .254 are the addresses you would assign to hosts, but as a Security Group source the whole /24 matches, including .0 and .255. A /32 matches exactly one address, and 0.0.0.0/0 matches every IPv4 address (::/0 is the IPv6 equivalent).

CIDR notation lets you define an access range with a single entry.
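To make the CIDR arithmetic concrete, here is a small Python script that uses the standard ipaddress module. It is an added example for this guide, not code from the original article or from AWS; the addresses are the article's own examples, and rejecting a CIDR with host bits set (such as 192.168.1.10/24) is this script's own choice rather than a statement about how the AWS API treats it.

```python
import ipaddress


def cidr_summary(cidr: str) -> dict:
    """Describe what a CIDR source in a Security Group rule covers.

    strict=True raises ValueError when host bits are set (192.168.1.10/24);
    this example treats that as a typo instead of silently widening it.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first": str(net[0]),          # .0 of a /24 is included
        "last": str(net[-1]),          # .255 of a /24 is included
        "addresses": net.num_addresses,
        "single_host": net.num_addresses == 1,
        "anywhere": net.prefixlen == 0,  # 0.0.0.0/0 or ::/0
    }


def source_matches(cidr: str, ip: str) -> bool:
    """True if a packet from ip matches a rule whose source is cidr.

    The whole block counts: a Security Group CIDR is a match filter,
    not a host-assignment range.
    """
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)


def my_ip_rule(ip: str) -> str:
    """The single-host CIDR the console's "My IP" option produces.

    /32 for IPv4, /128 for IPv6 (max_prefixlen gives the right one).
    """
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


if __name__ == "__main__":
    for c in ("192.168.1.10/32", "203.0.113.0/24", "0.0.0.0/0"):
        print(c, cidr_summary(c))
    print("192.168.1.255 in 192.168.1.0/24:",
          source_matches("192.168.1.0/24", "192.168.1.255"))
    print("My IP rule for 203.0.113.7:", my_ip_rule("203.0.113.7"))
```

Run it before pasting a source into a rule: if cidr_summary reports "anywhere": True for a rule on port 22 or 3306, you are about to expose that port to the whole internet.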

Common Security Group Rules

SSH Access

Purpose:

Remote Linux administration.

Configuration:

Protocol    Port    Source
TCP         22      My IP

Recommended for administrators.

HTTP Access

Purpose:

Websites.

Configuration:

Protocol    Port
TCP         80

Source:

0.0.0.0/0

Allows public access.

HTTPS Access

Purpose:

Secure websites.

Configuration:

Protocol    Port
TCP         443

Source:

0.0.0.0/0

Required for secure web applications.

MySQL Database

Configuration:

Protocol    Port
TCP         3306

Recommended:

Allow only application servers.

Avoid public internet access.

Example: Hosting a Website

Suppose you're deploying a website.

Required Security Group rules:

Inbound

Service    Port
HTTP       80
HTTPS      443
SSH        22

SSH should be restricted to your IP.

HTTP and HTTPS can remain public.

Example: Three-Tier Architecture

Consider:

Web Layer

Receives internet traffic.

Allowed:

  • HTTP
  • HTTPS

Application Layer

Receives traffic only from web servers.

Database Layer

Receives traffic only from application servers.

This architecture improves security significantly.

Security Group Referencing

Security Groups can reference other Security Groups.

Example:

Web Security Group

Receives internet traffic.

Database Security Group

Allows access only from Web Security Group.

Instead of listing IP addresses, the rule matches any network interface that has the referenced Security Group attached, identified by its private IP. This works within the same VPC and across VPC peering, and it keeps working when instances are replaced or scaled out. Traffic that reaches the resource through a public IP or a NAT device does not carry the source group, so it will not match a group reference.

Benefits:

  • Easier management
  • Improved security
  • Better scalability
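The following Python model simulates how Security Groups decide on a new connection, including group references and the web, application and database chain described in the three-tier section above. It is an added example written for this guide, not AWS code or the article's own; group ids such as sg-web, the admin address 203.0.113.7 and the 10.0.x.x private IPs are made up for illustration. It evaluates only the first packet of a connection, because return traffic is handled by stateful connection tracking.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule. protocol is "tcp", "udp" or "-1" (all traffic)."""
    protocol: str
    from_port: int
    to_port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a group id such as "sg-app"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)
    # Outbound is left at the allow-all default and is not modelled.


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: List[SecurityGroup]  # one network interface may carry several groups


def rule_matches(rule: Rule, protocol: str, port: int,
                 src_ip: str, src_groups: Set[str]) -> bool:
    if rule.protocol != "-1":  # "-1" ignores protocol and port entirely
        if rule.protocol != protocol:
            return False
        if not rule.from_port <= port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        # A group reference matches traffic from any interface that carries that
        # group; AWS identifies it by the private source IP, so traffic arriving
        # via a public IP or NAT never matches a reference.
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def allowed(dst: Instance, protocol: str, port: int, src_ip: str,
            src: Optional[Instance] = None) -> bool:
    """Decide whether a NEW connection to dst is permitted.

    Security Groups are allow-only: if any rule in any attached group matches,
    the connection is accepted; otherwise it is silently dropped. Replies to an
    accepted connection are allowed by stateful tracking and not evaluated here.
    """
    src_groups = {sg.group_id for sg in src.groups} if src else set()
    return any(rule_matches(r, protocol, port, src_ip, src_groups)
               for sg in dst.groups for r in sg.inbound)


def three_tier() -> dict:
    """Web -> app -> database chain built with group references (made-up ids)."""
    web = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "0.0.0.0/0"),
                                   Rule("tcp", 443, 443, "0.0.0.0/0"),
                                   Rule("tcp", 22, 22, "203.0.113.7/32")])  # admin's "My IP"
    app = SecurityGroup("sg-app", [Rule("tcp", 8080, 8080, "sg-web")])
    db = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, "sg-app")])
    return {"web": Instance("web-1", "10.0.1.10", [web]),
            "app": Instance("app-1", "10.0.2.10", [app]),
            "db": Instance("db-1", "10.0.3.10", [db])}


if __name__ == "__main__":
    t = three_tier()
    print("internet -> web:443", allowed(t["web"], "tcp", 443, "198.51.100.9"))
    print("internet -> web:22 ", allowed(t["web"], "tcp", 22, "198.51.100.9"))
    print("internet -> db:3306", allowed(t["db"], "tcp", 3306, "198.51.100.9"))
    print("web -> db:3306     ", allowed(t["db"], "tcp", 3306, t["web"].private_ip, t["web"]))
    print("app -> db:3306     ", allowed(t["db"], "tcp", 3306, t["app"].private_ip, t["app"]))
```

The last two lines are the point of the design: the web tier cannot open the database port even though it sits inside the VPC, because the database group only references sg-app. Swap the reference for a CIDR covering the whole VPC and that guarantee disappears.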

Security Groups vs Network ACLs

A common AWS interview topic.

Security Groups

  • Attached to resources (their network interfaces)
  • Stateful
  • Allow rules only; every rule is evaluated and any match allows the traffic

Network ACLs

  • Attached to subnets
  • Stateless: return traffic needs its own rule
  • Allow and deny rules, evaluated in rule-number order, first match wins

Feature       Security Group                    NACL
Level         Resource (network interface)      Subnet
Stateful      Yes                               No
Deny rules    No                                Yes
Evaluation    All rules, any match allows       Numbered order, first match wins
Simplicity    Easier                            More complex

For beginners:

Security Groups are the control you will use day to day. NACLs are mostly a coarse backstop, for example to block a known-bad address range from an entire subnet.

Best Practices

Principle of Least Privilege

Only allow required traffic.

Avoid unnecessary open ports.

Restrict SSH Access

Use:

My IP

instead of:

0.0.0.0/0

whenever possible. Better still, avoid opening port 22 at all: AWS Systems Manager Session Manager gives you a shell on the instance without any inbound rule.

Separate Security Groups

Create distinct groups for:

  • Web Servers
  • Applications
  • Databases

Avoid using one group for everything.

Review Rules Regularly

Remove:

  • Unused ports
  • Old access rules
  • Temporary configurations

Use HTTPS

Always encrypt web traffic.

Common Beginner Mistakes

Opening All Ports

Example:

Port range 0-65535 from 0.0.0.0/0

This exposes every listening service, including ones you forgot were running, to the whole internet. Open only the ports the application actually serves.

Public Database Access

Databases should rarely be accessible from the internet.

Allowing SSH From Everywhere

Configuration:

0.0.0.0/0

on port 22 is a common mistake.

Using One Security Group for Everything

Makes troubleshooting and management difficult.

Forgetting Outbound Rules

A new group allows all outbound traffic by default. If you tighten outbound rules (sensible for application and database tiers), keep the egress the workload actually needs: DNS, package repositories, AWS API endpoints and the next tier's port. Otherwise updates and API calls fail with timeouts that are easy to misdiagnose.

Real-World Example

Suppose you're deploying an online store.

Web Server Security Group

Allows:

  • Port 80
  • Port 443

Application Server Security Group

Allows:

  • Traffic from Web Security Group

Database Security Group

Allows:

  • Traffic from Application Security Group

Result:

  • Layered security
  • Reduced exposure
  • Better compliance

Troubleshooting Security Groups

If an application isn't accessible:

Check Security Group Rules

Verify required ports are open.

Verify Source IP

Ensure your IP address is permitted.

Confirm Service Is Running

Open port does not guarantee application availability.

Check NACLs

Network ACLs on the subnet may block traffic even when the Security Group allows it; they are stateless, so return traffic needs a rule too. VPC Reachability Analyzer can show which hop on the path is blocking the connection.

Verify Public IP

If the resource must be reachable from the internet, it needs a public or Elastic IP, and its subnet needs a route to an Internet Gateway.

Security Group Lifecycle

Typical workflow:

Create

Define rules.

Attach

Associate with resource.

Monitor

Review traffic requirements.

Update

Modify rules as needed.

Delete

Remove unused groups.

Interview Questions

What is a Security Group?

A virtual firewall controlling inbound and outbound traffic for AWS resources.

Are Security Groups stateful?

Yes.

Can Security Groups deny traffic?

No. They only contain allow rules.

What port is used for SSH?

Port 22.

What port is used for HTTPS?

Port 443.

Can one EC2 instance have multiple Security Groups?

Yes. A network interface can carry several Security Groups; their rules are combined, and traffic is allowed if any one of them allows it.

Can Security Groups reference other Security Groups?

Yes.

Conclusion

AWS Security Groups are one of the most important security features in AWS. They provide a simple yet powerful way to control network traffic and protect cloud resources from unauthorized access.

Understanding Security Groups is essential because almost every AWS architecture depends on them. Whether you're hosting a personal website, running enterprise applications, or building complex cloud environments, proper Security Group configuration is a foundational cloud security skill.

In the next article, we'll explore AWS Key Pairs and learn how secure authentication works when connecting to EC2 instances.