Overview
A security group acts as a virtual firewall for your instances to control inbound and outbound traffic. When you launch an instance, you can specify one or more security groups; otherwise, the default security group for the VPC is used.
Key Characteristics
- Stateful: If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
- Instance-level: Rules are applied to individual instances, not the entire subnet.
- Allow Rules Only: You can specify allow rules, but not deny rules. All traffic is denied by default unless explicitly allowed.
Best Practices
- Follow the principle of least privilege.
- Use security group IDs as sources/destinations instead of IP ranges where possible.
- Regularly audit rules to remove unnecessary access.
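The two ideas above, the allow-only evaluation model (any matching allow rule permits, no match is an implicit deny) and the practice of auditing rules for internet-open sources and CIDRs that could be security group references, can be exercised offline against the shape of data the EC2 DescribeSecurityGroups API returns. The following is an added example written for this page, not code from AWS or from the page itself; it assumes the `IpPermissions` / `IpRanges` / `UserIdGroupPairs` field layout of that API, the group ids are constructed, and the stateful return-traffic allowance is deliberately not modelled (only inbound rule matching is):

```python
import ipaddress

# Constructed sample data, shaped like the "SecurityGroups" entries returned by
# the EC2 DescribeSecurityGroups API (assumption: that field layout). The group
# ids below are made up for this example.
WEB_SG = "sg-0aaa111111111111a"
DB_SG = "sg-0bbb222222222222b"

SAMPLE_GROUPS = [
    {
        "GroupId": WEB_SG,
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # SSH open to the world: the kind of rule an audit should flag
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": DB_SG,
        "GroupName": "db",
        "IpPermissions": [
            # Preferred form: the source is the web tier's security group id
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
            # Broad internal CIDR where a group reference would be tighter
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    },
]


def _cidrs(perm):
    """Yield every CIDR (IPv4 and IPv6) listed on one IpPermission."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def rule_matches(perm, proto, port, src_ip=None, src_group=None):
    """True if one IpPermission allows proto/port from src_ip or src_group."""
    if perm["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" means all protocols and carries no port range
    if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    if src_group is not None:
        if any(p["GroupId"] == src_group for p in perm.get("UserIdGroupPairs", [])):
            return True
    if src_ip is not None:
        addr = ipaddress.ip_address(src_ip)
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net:
                return True
    return False


def inbound_allowed(group, proto, port, src_ip=None, src_group=None):
    """Allow-only semantics: any matching rule permits; no match is an implicit deny."""
    return any(rule_matches(p, proto, port, src_ip, src_group)
               for p in group["IpPermissions"])


def audit_group(group):
    """Flag rules open to the internet and CIDR sources that could be SG references."""
    findings = []
    for perm in group["IpPermissions"]:
        ports = ("all" if perm["IpProtocol"] == "-1"
                 else f"{perm['FromPort']}-{perm['ToPort']}")
        for cidr in _cidrs(perm):
            issue = "WORLD_OPEN" if cidr in ("0.0.0.0/0", "::/0") else "CIDR_SOURCE"
            findings.append({"group": group["GroupId"], "ports": ports,
                             "source": cidr, "issue": issue})
    return findings


def audit_all(groups):
    """Run audit_group over every group and flatten the findings."""
    return [f for g in groups for f in audit_group(g)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"{f['group']} {f['ports']:>10} {f['source']:>15} {f['issue']}")
```

Against the sample data, `inbound_allowed` shows that the `db` group admits port 5432 from an instance in the `web` group (by group reference) and from 10.0.0.0/8, but not from an arbitrary internet address, because no rule matches and there is nothing else to fall back on. `audit_group` reports the two world-open rules on `web` (443 is expected for a public web tier, 22 is the one to review) and the 10.0.0.0/8 source on `db` as a candidate for replacement with a group reference. To run it against live data, feed the `SecurityGroups` list from `aws ec2 describe-security-groups` into `audit_all` instead of `SAMPLE_GROUPS`.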