!!! Overview
[{$pagename}] is a [Group] for [Access Control Service] within [Amazon Web Services]. AWS uses the word for two unrelated things: the [IAM] group, a collection of [users] that share [permissions], and the [VPC] security group, a stateful packet filter applied to [instances]. Both are described on this page.

!! IAM Groups
* [{$pagename}] can contain many users, and a user can belong to multiple groups.
* [{$pagename}] can't be nested; they can contain only users, not other groups.
* There is no default group that automatically includes all users in the AWS account. If you want a group like that, you must create it and add each new user to it.
* There is a limit to the number of groups you can have in an account, and a limit to how many groups a user can be in. [1]


!! Security Groups
The following are the basic characteristics of security groups for your [Amazon] [Virtual Private Cloud] ([VPC]). These are instance-level [network] filters and are unrelated to the IAM groups above.
* You have limits on the number of:
** security groups that you can create per [VPC]
** rules that you can add to each security group
** security groups that you can associate with a [network] interface
* You can specify allow rules, but not deny rules. Traffic that matches no allow rule is dropped.
* You can specify separate rules for [inbound] and [outbound] [network traffic].
* When you create a security group, it has no [inbound] rules. Therefore, no [inbound] [network traffic] originating from another host to your instance is allowed until you add inbound rules to the security group.
* By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add [outbound] rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
* Security groups are [stateful]: if you send a [request] from your instance, the [response] traffic for that [request] is allowed to flow in regardless of inbound security group rules, and [responses] to allowed inbound traffic are allowed to flow out regardless of outbound rules.
** Note: some types of [network traffic] are tracked differently from others. For more information, see Connection Tracking in the Amazon EC2 User Guide for Linux Instances.
* Instances associated with the same security group can't talk to each other unless you add a rule that references the group itself as the source (the default security group of a VPC has such a rule).
* Security groups are associated with network interfaces. After you launch an instance, you can change the security groups associated with the instance, which changes the security groups associated with the primary network interface (eth0). You can also change the security groups associated with any other network interface. For more information about network interfaces, see Elastic Network Interfaces.
* When you create a security group, you must provide it with a name and a description. The following rules apply:
** Names and descriptions can be up to 255 characters in length.
** Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.
** A security group name cannot start with sg- (that prefix is reserved for security group IDs).
** A security group name must be unique within the [VPC].
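The allow-only, stateful behaviour and the naming rules listed above, as an added example that is not AWS code and not part of the original page: a small Python model of security group evaluation (no inbound rules on a new group, default allow-all egress, group-referencing sources, and a flow table that lets replies through regardless of the rules in the other direction) plus a checker for the name constraints. The two-tier layout (the sg-web and sg-app ids, the 10.0.x.x and 203.0.113.5 addresses, the ports) is constructed for the example; real EC2 connection tracking has more special cases than this flow table, as the Connection Tracking note above says.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

# Allowed characters for names and descriptions (the list given above).
SG_NAME_RE = re.compile(r"^[A-Za-z0-9 ._\-:/()#,@\[\]+=&;{}!$*]{1,255}$")

def validate_sg_name(name: str) -> bool:
    """True if `name` is 1-255 allowed characters and does not start with 'sg-'."""
    return bool(SG_NAME_RE.fullmatch(name)) and not name.startswith("sg-")

@dataclass(frozen=True)
class Rule:
    """One allow rule. There are no deny rules: unmatched traffic is dropped."""
    proto: str       # 'tcp', 'udp', 'icmp', or '-1' for all protocols
    from_port: int   # -1 means all ports
    to_port: int
    source: str      # CIDR, or the id of a referenced security group

@dataclass(frozen=True)
class Endpoint:
    """A host. Instances carry the ids of their attached groups; an external
    host (an Internet client, say) has no groups and is not filtered here."""
    name: str
    ip: str
    groups: FrozenSet[str] = frozenset()

@dataclass
class SecurityGroup:
    sg_id: str
    name: str
    inbound: List[Rule] = field(default_factory=list)   # new group: no inbound rules
    outbound: List[Rule] = field(                       # default: allow all egress
        default_factory=lambda: [Rule("-1", -1, -1, "0.0.0.0/0")])

def rule_allows(rule: Rule, proto: str, port: int, peer: Endpoint) -> bool:
    """Does `rule` permit `proto`/`port` traffic to or from `peer`?"""
    if rule.proto not in ("-1", proto):
        return False
    if rule.from_port != -1 and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):            # group reference: match by membership
        return rule.source in peer.groups
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.source)

class Vpc:
    def __init__(self, groups: List[SecurityGroup]):
        self.groups = {g.sg_id: g for g in groups}
        self.flows: Set[Tuple[str, int, str, int, str]] = set()  # tracked connections

    def _rules(self, ep: Endpoint, direction: str) -> List[Rule]:
        return [r for gid in ep.groups for r in getattr(self.groups[gid], direction)]

    def send(self, src: Endpoint, sport: int, dst: Endpoint, dport: int, proto: str = "tcp") -> bool:
        """Decide whether one packet src:sport -> dst:dport is allowed."""
        # Stateful: a reply to a tracked flow passes regardless of the rules.
        if (dst.ip, dport, src.ip, sport, proto) in self.flows:
            return True
        # Outbound rules of the sender's groups, then inbound rules of the receiver's.
        if src.groups and not any(rule_allows(r, proto, dport, dst) for r in self._rules(src, "outbound")):
            return False
        if dst.groups and not any(rule_allows(r, proto, dport, src) for r in self._rules(dst, "inbound")):
            return False
        self.flows.add((src.ip, sport, dst.ip, dport, proto))
        return True

def build_demo() -> Tuple[Vpc, Endpoint, Endpoint, Endpoint, Endpoint]:
    """Constructed two-tier layout: web tier open on 443, app tier reachable only from the web tier."""
    web_sg = SecurityGroup("sg-web", "web-tier",
                           inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],
                           outbound=[Rule("tcp", 8080, 8080, "sg-app")])   # default egress removed
    app_sg = SecurityGroup("sg-app", "app-tier",
                           inbound=[Rule("tcp", 8080, 8080, "sg-web")])    # default egress kept
    vpc = Vpc([web_sg, app_sg])
    client = Endpoint("client", "203.0.113.5")                              # external host, no groups
    web = Endpoint("web", "10.0.1.10", frozenset({"sg-web"}))
    app1 = Endpoint("app1", "10.0.2.20", frozenset({"sg-app"}))
    app2 = Endpoint("app2", "10.0.2.21", frozenset({"sg-app"}))
    return vpc, client, web, app1, app2

if __name__ == "__main__":
    vpc, client, web, app1, app2 = build_demo()
    print(vpc.send(client, 50000, web, 443))   # True: web-tier inbound rule
    print(vpc.send(web, 443, client, 50000))   # True: reply to a tracked flow, egress rules not consulted
    print(vpc.send(client, 50001, web, 22))    # False: no inbound rule for 22
    print(vpc.send(web, 40000, app1, 8080))    # True: egress to sg-app and ingress from sg-web
    print(vpc.send(app1, 8080, web, 40000))    # True: reply, although web-tier has no inbound 8080 rule
    print(vpc.send(app1, 40001, app2, 8080))   # False: same group, but no rule referencing sg-app itself
    print(vpc.send(web, 40002, client, 80))    # False: web-tier egress is limited to 8080 -> sg-app
    print(validate_sg_name("web-tier"), validate_sg_name("sg-web"))  # True False
```

The app1 to app2 case is the one that surprises people: membership in the same group grants nothing by itself, the group has to be named as a source in its own inbound rules, which is exactly what the VPC default security group does and a custom group does not.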


An IAM [{$pagename}] cannot be assigned an [AWS] [role] and cannot assume one: a [role] is assumed by a [user], an [AWS] service, or a federated principal, never by a group. To let every member of a group use a role, attach a policy to the group that allows sts:AssumeRole on that role, and make sure the role's trust policy trusts those users.

!! Category
%%category [Amazon Web Services]%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Limitations on IAM Entities and Objects|https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html|target='_blank'] - based on information obtained 2019-08-05