A security group can be thought of as a virtual firewall that lets you control all inbound and outbound traffic to a certain entity. I use the term “entity” because security groups cover not just regular EC2 instances, but also load balancers, RDS databases, and Docker-based services hosted in ECS (Elastic Container Service). There are many more, but this should give you a good sense.
Security groups are associated with network interfaces, and when you update the configuration the changes take effect quickly. This is useful for immediately blocking possibly malicious ingress traffic. Keep in mind that security groups do not let you block traffic from specific IP addresses; that is a job better suited to NACLs (to be discussed in another article).
A security group can contain a range of different entities, and inside it you construct rules that determine which inbound and outbound traffic can flow to any entity or instance in the group.
Here’s an example of a custom security group I set up with a rule that enables inbound traffic on port 80 (HTTP).
It’s worth noting that security groups are stateful: when you create an inbound rule, the response traffic is allowed out by default, and vice versa. This means that once a request is allowed, security groups create a bi-directional communication channel. You’d use NACLs (Network Access Control Lists), which evaluate each direction separately, to further restrict that bi-directional communication.
It’s critical to understand that security groups operate on a pessimistic, default-deny basis. That is to say, they DENY all traffic unless a rule explicitly allows it. This is why using a security group is so appealing to developers: it compels them to declare explicitly who is permitted to communicate with which ports, protocols and sources, rather than the other way around.
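To make the default-deny and stateful behaviour concrete, here is an added Python model of how a security group evaluates a flow. It is example code written for this page, not the article's own material and not how AWS implements it: the Rule fields mirror the protocol, port range and CIDR of a console rule, and the peer IP addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    """One console rule: protocol ("-1" = all), port range, CIDR."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str  # source for inbound rules, destination for outbound

    def matches(self, protocol: str, port: int, peer_ip: str) -> bool:
        proto_ok = self.protocol in ("-1", protocol)
        port_ok = self.from_port <= port <= self.to_port
        ip_ok = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)
        return proto_ok and port_ok and ip_ok

class SecurityGroup:
    """Default-deny and stateful: a flow passes only if a rule explicitly allows
    it; replies to an allowed flow pass without checking the other direction."""
    def __init__(self, ingress=(), egress=()):
        self.ingress, self.egress = list(ingress), list(egress)
        self.flows = set()  # (protocol, remote_ip, remote_port, local_port)

    def inbound(self, protocol, src_ip, src_port, dst_port) -> bool:
        key = (protocol, src_ip, src_port, dst_port)
        if key in self.flows:  # reply to a flow already allowed out
            return True
        if any(r.matches(protocol, dst_port, src_ip) for r in self.ingress):
            self.flows.add(key)
            return True
        return False  # nothing explicitly allows it: denied

    def outbound(self, protocol, dst_ip, dst_port, src_port) -> bool:
        key = (protocol, dst_ip, dst_port, src_port)
        if key in self.flows:  # reply to a flow already allowed in
            return True
        if any(r.matches(protocol, dst_port, dst_ip) for r in self.egress):
            self.flows.add(key)
            return True
        return False

def demo() -> dict:
    """Article's rule with no egress rules (a new AWS group ships with allow-all egress)."""
    sg = SecurityGroup(ingress=[Rule("tcp", 80, 80, "0.0.0.0/0")])
    return {  # peer addresses are constructed test values
        "http_in": sg.inbound("tcp", "198.51.100.7", 51000, 80),      # allowed by the rule
        "http_reply": sg.outbound("tcp", "198.51.100.7", 51000, 80),  # stateful reply passes
        "ssh_in": sg.inbound("tcp", "198.51.100.7", 51001, 22),       # no port-22 rule: denied
        "new_out": sg.outbound("tcp", "198.51.100.7", 443, 51002),    # no egress rule: denied
    }
```

Swapping the `0.0.0.0/0` source for a narrower CIDR such as `203.0.113.0/24` is the "lock down by Source" step the next section describes, and the model denies everything outside that range.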
Why is it Important?
The thing with security groups is that by tuning the ‘Source’ IPs and ports/protocols, you can lock down your instances in a predictable manner. While route tables set the basic rules of traffic flow within your VPC, security groups further secure your entities by letting you specify precisely which protocols may reach and leave your resources.
AWS uses security groups as part of its security layering strategy: several layers of security that, when combined, add redundancy that acts to repel intruders.
If you want to understand more about security groups, I recommend checking out this link from the AWS Developer Guide on Security Groups.