What is a Security Group in AWS?

Description of the image

AWS security groups refer to the virtual firewall that manages traffic in EC2 instances. Using effective filters, a security group manages both inbound and outbound traffic in an EC2 instance. 

AWS is the go-to platform for businesses that require different cloud solutions for optimizing their workflow, be it for storage, databases, or virtual private cloud servers. One of the main features of AWS is its enhanced security - this is especially true as AWS offers specialized solutions that can filter traffic as per project needs.


Since AWS focuses immensely on the security of its cloud solutions and services, the platform offers security groups (SGs) for its EC2 instances. EC2 instances are virtual servers offering infrastructure that lets businesses run applications on the AWS ecosystem. Security groups are virtual firewalls for the EC2 instances you create in your AWS account. SGs evaluate both inbound and outbound traffic.

Security groups have a crucial role in the AWS ecosystem of solutions. When you create a security group, you can configure it with the kind of filters that you want for the particular instance. The filtering parameters based on which SGs manage traffic include IP protocol, port number, IP address, and CIDR block.

By default, AWS offers a security group for every EC2 instance you create. However, it is better to customize and configure security groups as per the needs of every EC2 instance. This ensures effective filtering of traffic.

Security Group vs NACL

AWS has another security feature known as the Network Access Control Lists (NACLs). NACLs operate at the level of subnets - these lists operate traffic in and out of virtual private clouds. While NACLs and security groups sound similar, there are many distinctions differentiating them.

  • Association - Security groups work with EC2 instances. NACLs are more focused on subnets.
  • Statefulness - In an AWS ecosystem, statefulness refers to the ability of a security group to automatically track and allow return traffic for certain connections. Security groups are stateful, meaning that if the IP is permitted, then it is authorized. On the other hand, NACLs are stateless.
  • Rule Accommodations - Security groups in AWS comply only with the “Allow” rule. NACLs comply with both “Allow” and “Deny” rules.

These are some of the crucial differences between these two features. Understanding the features helps you to build better infrastructures in AWS that fit your security needs.

How do Security Groups Work?

For every EC2 instance you create, there will be a default security group created by AWS. To get the best out of SGs, you have to configure the rules so that you can filter traffic as per business needs. Each rule that is created in AWS contains four components - type, protocol, port range, and source.

The type refers to the type of protocol that is included in the filter. AWS offers you a dropdown of common protocols, including HTTPS and SSH. As for the protocols, it is by default, set to be TCP. You can change it to UDP, ICMP, and others also in different associations, such as  IPv4 or IPv6.

Port range is also picked by default, but as per your security and EC2 instance needs and protocol, you can alter the range for better results. As for the source, which is the IP, you can either set a custom IP or a subnet range. While it might seem tempting to give anywhere IP access, this can turn out to be a severe security concern.

How to Create a Security Group in AWS?

While AWS creates a default security group with the creation of every EC2 instance, it is better to create your custom SGs to enhance security. Here are the detailed steps on how to create security groups with filters.

Step 1: Once you log on to your AWS console, go to the EC2 dashboard. Now select the ‘Security Groups’ option from the panel.

 log on to your AWS console, go to the EC2 dashboard

click on instance link

Step 2: Select the ‘Create Security Group’ option from the menu. Now, enter the name of the group and provide its description.

click on security group link

click on security group button

This is a crucial step in the process, as the description also involves some filters of the group. Select your VPC (virtual private cloud) where the security group is created, and specify the inbound and outbound rules.

Step 3: Once you have given your choice for the VPC, you can define inbound rules by clicking on ‘New Rule’. These rules can be based on port, support, IP, etc. 

fill details

Step 4: Similarly, you can create new outbound rules as well. This manages the traffic that leaves your AWS resources.
Step 5: Double-check the rules you have defined. Once everything is set, click ‘Create Security Group’ to get started. 

double check all details and click on Create Security Group Button

The Rules Found in AWS Security Groups

Rule TypeSpecifies if the rule is inbound or outbound.
ProtocolThe protocol to which the rule applies (e.g., TCP, UDP, ICMP).
Port RangeThe port or port range to which the rule applies (e.g., 80, 443, 1024-65535).
Source/DestinationThe source (for inbound rules) or destination (for outbound rules) IP address range (e.g.,
DescriptionA description of the rule.
Security Group IDThe ID of the security group to which the rule is associated.
CIDR BlockThe CIDR block from which traffic is allowed (for inbound) or to which traffic is allowed (for outbound).
IPv6 CIDR BlockThe IPv6 CIDR block from which traffic is allowed (for inbound) or to which traffic is allowed (for outbound).
Security Group NameThe name of the security group.


Rule TypeProtocolPort RangeSource/DestinationDescriptionSecurity Group IDCIDR BlockIPv6 CIDR BlockSecurity Group Name
InboundTCP220.0.0.0/0Allow SSH accesssg-0123456789abcdef00.0.0.0/0::/0my-security-group
InboundTCP800.0.0.0/0Allow HTTP trafficsg-0123456789abcdef00.0.0.0/0::/0my-security-group
InboundTCP4430.0.0.0/0Allow HTTPS trafficsg-0123456789abcdef00.0.0.0/0::/0my-security-group
OutboundAllAll0.0.0.0/0Allow all outboundsg-0123456789abcdef00.0.0.0/0::/0my-security-group

Useful Commands of Security Groups

aws ec2 create-security-group
Creates a new security group.
aws ec2 delete-security-group
Deletes an existing security group.
aws ec2 describe-security-groups
Describes one or more security groups.
aws ec2 authorize-security-group-ingress
Adds a rule to a security group allowing inbound traffic from a specified source.
aws ec2 revoke-security-group-ingress
Removes a rule from a security group that allows inbound traffic from a specified source.
aws ec2 authorize-security-group-egress
Adds a rule to a security group allowing outbound traffic to a specified destination.
aws ec2 revoke-security-group-egress
Removes a rule from a security group that allows outbound traffic to a specified destination.
aws ec2 update-security-group-rule-descriptions
Updates the description of a security group rule.
aws ec2 update-security-group-rule
Updates the properties of a security group rule, such as the protocol, port range, or source/destination.
aws ec2 describe-security-group-references
Describes the resources that are associated with a specified security group, such as instances, network interfaces, and VPC peering connections.
aws ec2 describe-security-group-rules
Describes the inbound and outbound rules for a specified security group.

Best Practices for Security Groups

If you are confused about how to start with defining rules for your security group, here are some best practices for creating and defining SGs in AWS.

  • Always go for the “deny-all” rule: The deny-all rule essentially blocks all traffic except for the exceptions you have defined in the rules of your SG. This helps block unwanted traffic.
  • Limit access using particular IP ranges: You can limit the traffic to your resources by defining specific IP addresses and port ranges.
  • Categorize role-based SGs: When you create multiple SGs, it might be tough to keep track of them. To avoid this, you can team them up based on their roles.
  • Conduct regular auditsWith various changes in an AWS infrastructure, there will be a need to alter the nature of instances as well as security groups. Use automation tools to keep track of the changes and streamline the process of your SGs. 


In the AWS ecosystem, a security group refers to a virtual firewall that controls and manages the inbound and outgoing server traffic. Security groups are created along with EC2 instances, but you can define the role of an SG by altering its components. By using the filters as per the needs of the server, you can create a security group that filters the traffic efficiently.

Read More

Follow us on

Table of Contents

    Subscribe to Us

    Always Get Notified