EC2 Security Group Basics

This article’s content was copied from EC2 Getting Hands Dirty for quick access.


  • Security Groups (SG) are simple Virtual Firewalls
  • SGs can ONLY be configured to ALLOW traffic; they cannot be used to Deny.
    • To Deny, you must use Network Access Control Lists (STATELESS, See Below)
  • By Default:
    • All Inbound traffic is DENIED.
      • Rules must be created to allow desired traffic.
    • All Outbound traffic is ALLOWED.
  • All Rules are STATEFUL
    • If a port is opened for Incoming Traffic, the return traffic for those connections is automatically allowed out as well, regardless of the Outbound rules.
  • IP Addresses are entered using CIDR notation x.x.x.x/x
  • Multiple SGs can be applied to an EC2 Instance
    • Since SGs only allow traffic, the rules of all attached SGs are combined, and anything allowed by any one of them is let in.
  • Multiple EC2 Instances can share the same SGs.
  • Any changes to an SG are implemented IMMEDIATELY!
  • The DEFAULT SG that is automatically created when you create your first instance allows all traffic from all other EC2 Instances that also use the DEFAULT SG, regardless of their region.
  • To add an additional SG to an Instance
    • Actions > Networking > Change Security Groups
  • [Review and Launch]
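An added example (not from the original page) that models the inbound semantics listed above: default deny, allow-only rules, CIDR matching, and the union of every SG attached to an instance. The SG ids and rules are constructed for illustration; only tcp/udp and the "all traffic" protocol (-1) are modeled, and the stateful return-traffic behaviour is not simulated. It also includes a small defender's audit that flags admin ports opened to the whole Internet.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    protocol: str   # "tcp", "udp" or "-1" (all traffic, port range ignored)
    from_port: int
    to_port: int
    cidr: str       # source in CIDR notation, e.g. 10.0.0.0/8


# Constructed sample: two SGs attached to the same (hypothetical) instance.
SECURITY_GROUPS = {
    "sg-web-example": [Rule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-admin-example": [Rule("tcp", 22, 22, "10.0.0.0/8")],
}


def rule_matches(rule: Rule, protocol: str, port: int, src_ip: str) -> bool:
    """True if a single allow rule covers this protocol/port/source."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    return ip_address(src_ip) in ip_network(rule.cidr, strict=False)


def inbound_allowed(groups: dict, protocol: str, port: int, src_ip: str) -> bool:
    """Union of the allow rules of every attached SG; anything unmatched is denied."""
    return any(rule_matches(r, protocol, port, src_ip)
               for rules in groups.values() for r in rules)


def overly_permissive(groups: dict, admin_ports=(22, 3389)) -> list:
    """Audit: return (sg_id, port) pairs where an admin port is open to 0.0.0.0/0."""
    findings = []
    for sg_id, rules in groups.items():
        for r in rules:
            if ip_network(r.cidr, strict=False).prefixlen != 0:
                continue  # not a world-open source range
            for p in admin_ports:
                if r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= p <= r.to_port):
                    findings.append((sg_id, p))
    return findings
```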

Experience

  • Once a service is created, you CANNOT change (add or remove) its assigned Security Groups; however, you can edit them.
