AWS Security Group


An AWS security group is a virtual firewall for network interfaces in an Amazon VPC: it holds allow rules that decide which inbound and outbound traffic may reach the EC2 instances, load balancers, databases and other resources it is attached to. It is a network construct, not an identity one, and should not be confused with an IAM group, which is a collection of IAM users to which permission policies are attached. The following characteristics describe IAM groups, not security groups:
  • An IAM group can contain many users, and a user can belong to multiple groups.
  • IAM groups can't be nested; they can contain only users, not other groups.
  • There is no default IAM group that automatically includes all users in the AWS account. If you want a group like that, you need to create it and assign each new user to it.
  • There's a limit to the number of IAM groups you can have, and a limit to how many groups a user can be in.

The following are the basic characteristics of security groups in an Amazon Virtual Private Cloud (VPC):

  • You have limits on the number of
    • security groups that you can create per VPC
    • rules that you can add to each security group
    • security groups you can associate with a network interface.
  • You can specify allow rules, but not deny rules: traffic that no rule allows is dropped. Explicit deny rules belong to network ACLs, which are evaluated separately at the subnet level.
  • You can specify separate rules for inbound and outbound network traffic.
  • When you create a security group, it has no inbound rules, so no inbound traffic originating from another host is allowed to reach your instance until you add inbound rules to the group.
  • By default, a security group includes an outbound rule that allows all outbound traffic. You can remove that rule and add outbound rules that allow only specific traffic. If a security group has no outbound rules, no outbound traffic originating from your instance is allowed.
  • AWS Security Groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound AWS Security Group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
    • Note: some types of network traffic are tracked differently from others. For more information, see Connection Tracking in the Amazon EC2 User Guide for Linux Instances.
  • Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).
  • Security groups are associated with network interfaces, not with instances as such. After you launch an instance, you can change the security groups associated with it, which changes the security groups associated with its primary network interface (eth0); you can also change the security groups associated with any other network interface. For more information about network interfaces, see Elastic Network Interfaces.
  • When you create a security group, you must provide it with a name and a description. The following rules apply:
    • Names and descriptions can be up to 255 characters in length.
    • Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@+=&;{}!$*.
    • A security group name cannot start with sg- (the prefix reserved for security group IDs).
    • A security group name must be unique within the VPC.
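
The behaviour listed above can be exercised offline with a small model of a security group. The Python below is an added example for this page, not AWS code and not an AWS API: it uses the IpPermissions rule shape returned by the EC2 DescribeSecurityGroups API, but the class and function names (SecurityGroup, allows, internet_exposed, valid_sg_name), the sample rules and the sample flows are this example's own constructions. It shows the empty inbound default, the allow-all outbound default, allow-only evaluation, the stateful reply path in both directions, the naming rules, and a check for inbound rules open to any address.

```python
"""Offline model of EC2/VPC security group semantics (added example, not AWS code).

Rules use the IpPermissions shape that the EC2 DescribeSecurityGroups API returns:
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
IpProtocol "-1" means every protocol and port. Class/function names are this
example's own; sample rules and flows below are constructed for illustration.
"""
import ipaddress
import re

# Naming rules from the page: 1-255 characters from the allowed set, and a
# name may not start with "sg-" (the prefix of security group IDs).
_ALLOWED = re.compile(r"[A-Za-z0-9 ._\-:/()#,@+=&;{}!$*]{1,255}")

# The outbound rule every new security group starts with (IPv4 and IPv6).
ALLOW_ALL = {
    "IpProtocol": "-1",
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
}

# Constructed sample rule: SSH from a private corporate range only.
SSH_FROM_CORP = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}


def valid_sg_name(name: str) -> bool:
    return bool(_ALLOWED.fullmatch(name)) and not name.startswith("sg-")


def _cidrs(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_matches(rule, proto, dst_port, peer_ip) -> bool:
    """True if one IpPermissions entry allows proto/dst_port with peer_ip."""
    if rule["IpProtocol"] != "-1":
        if rule["IpProtocol"] != proto:
            return False
        if not rule["FromPort"] <= dst_port <= rule["ToPort"]:
            return False
    addr = ipaddress.ip_address(peer_ip)
    # An IPv4 address is never "in" an IPv6 network (and vice versa): False, not an error.
    return any(addr in ipaddress.ip_network(c) for c in _cidrs(rule))


class SecurityGroup:
    def __init__(self, name, inbound=None, outbound=None):
        if not valid_sg_name(name):
            raise ValueError(f"invalid security group name: {name!r}")
        self.name = name
        self.inbound = list(inbound or [])            # no inbound rules by default
        self.outbound = [ALLOW_ALL] if outbound is None else list(outbound)
        self._tracked = set()                         # connection-tracking table

    def allows(self, direction, proto, local_port, peer_ip, peer_port):
        """Decide one packet; direction is "in" (to the instance) or "out"."""
        flow = (proto, local_port, peer_ip, peer_port)   # same tuple both ways
        if flow in self._tracked:
            # Stateful: the other half of an admitted flow passes regardless of
            # the rules for this direction.
            return True
        rules = self.inbound if direction == "in" else self.outbound
        dst_port = local_port if direction == "in" else peer_port
        if any(rule_matches(r, proto, dst_port, peer_ip) for r in rules):
            self._tracked.add(flow)
            return True
        return False   # there are no deny rules: unmatched traffic is simply dropped


def internet_exposed(sg):
    """Inbound rules reachable from any address: the first thing to audit."""
    return [(r["IpProtocol"], r.get("FromPort"), r.get("ToPort"))
            for r in sg.inbound
            if any(c in ("0.0.0.0/0", "::/0") for c in _cidrs(r))]


if __name__ == "__main__":
    web = SecurityGroup("web tier (prod)")
    print(web.allows("in", "tcp", 22, "203.0.113.5", 51000))   # False: no inbound rules
    print(web.allows("out", "udp", 40000, "10.0.0.2", 53))     # True: default outbound rule
    print(web.allows("in", "udp", 40000, "10.0.0.2", 53))      # True: reply to a tracked flow
    bastion = SecurityGroup("bastion", inbound=[SSH_FROM_CORP], outbound=[])
    print(bastion.allows("in", "tcp", 22, "10.1.2.3", 5555))   # True: matches SSH_FROM_CORP
    print(bastion.allows("out", "tcp", 22, "10.1.2.3", 5555))  # True: reply, despite no outbound rules
    print(bastion.allows("out", "tcp", 33000, "10.1.2.3", 443))  # False: nothing may be initiated outbound
    print(internet_exposed(SecurityGroup("open", inbound=[ALLOW_ALL])))  # [('-1', None, None)]
```

The flow tuple is keyed on the instance-relative (protocol, local port, peer address, peer port), so an outbound request and its inbound reply hash to the same entry, which is what makes the reply pass without an inbound rule. Real connection tracking also expires entries and treats some protocols specially (the Connection Tracking note above); this model deliberately leaves that out.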

A security group cannot be assigned an IAM role: it is not an IAM principal, so no role or permission policy can be attached to it. Its rules govern network reachability only; what an instance may do against AWS APIs is decided by the IAM role attached to the instance, independently of its security groups.

