AWS EC2 Security: 10 Lesser-Known Security Group Facts for Cloud Experts

Amazon EC2 Security Groups are an essential aspect of securing your cloud infrastructure. While many experienced professionals may be familiar with the basic functionality, here are some lesser-known but important facts about Security Groups:

  1. Rule limit per security group: Each security group can have a maximum of 60 inbound and 60 outbound rules. The number of rules you can add may be further constrained by a second limit, the maximum number of rules per security group per network interface (250), because every group attached to an interface counts against it.
  2. Implicit deny: By default, security groups have an implicit deny rule for all inbound traffic. If a rule is not explicitly defined to allow traffic, it will be automatically denied.
  3. Stateful filtering: Security groups are stateful: response traffic for a connection allowed in by an inbound rule is automatically allowed out, and responses to an allowed outbound connection are automatically allowed back in, with no explicit rule needed for the return direction.
  4. Multiple security groups per instance: You can associate multiple security groups with a single EC2 instance. The effective set of rules is determined by aggregating all the rules from the associated security groups.
  5. Default security group: Every Amazon Virtual Private Cloud (VPC) has a default security group that is automatically created. Any new EC2 instance launched in the VPC is automatically associated with this default security group if no other security group is specified. This is crucial for SSH access, as explained in our guide on how to SSH into an AWS EC2 instance.
  6. Security group rule evaluation order: Rules are evaluated in ascending order by their rule number. However, the final decision is based on the most permissive rule, regardless of its order.
  7. Copying security groups: You can’t directly copy security groups across regions or accounts. However, you can use AWS CLI or SDKs to describe the security group and then recreate it in the desired region or account.
  8. Security group IDs vs. Names: Security groups are identified by both a unique security group ID and a user-defined name. While security group names are unique within a VPC, the security group ID is unique within an entire region.
  9. Prefix lists in security group rules: You can use prefix lists in your security group rules to allow or deny traffic from Amazon VPC endpoints or Amazon VPC endpoint services.
  10. IPv6 support: Security groups support both IPv4 and IPv6 traffic. You can create separate rules for each protocol or use the “All traffic” rule to allow both types of traffic.
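Facts 2, 4 and 10 together describe how the effective inbound policy of an instance is computed: the union of the allow rules of every attached group, over both IPv4 and IPv6 ranges, with an implicit deny for anything no rule matches. The following is an added example (not code from the original article) that evaluates that aggregate policy offline over a constructed pair of groups shaped like `aws ec2 describe-security-groups` JSON, and adds a defender-side check for admin ports reachable from anywhere; the probe addresses and group IDs are constructed values.

```python
"""Evaluate the effective inbound policy of the security groups attached to one
instance: the union of all groups' allow rules, implicit deny otherwise.
Input mirrors the IpPermissions shape of `describe-security-groups` (constructed)."""
import ipaddress

# Constructed sample: two groups attached to the same instance.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "ops", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # "-1" is the "All traffic" rule: no FromPort/ToPort keys are present.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.1.2.0/24"}], "Ipv6Ranges": []},
    ]},
]

def _rule_matches(rule, protocol, port, src):
    """True if one inbound rule allows this protocol/port from address `src`."""
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    # Port ranges only apply to tcp/udp; "-1" carries no ports at all.
    if rule["IpProtocol"] != "-1" and protocol in ("tcp", "udp"):
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # ip_network.__contains__ is False across IP versions, so v4/v6 mix safely.
    return any(src in ipaddress.ip_network(c, strict=False) for c in cidrs)

def allowed_by(groups, protocol, port, src_ip):
    """IDs of every attached group that allows the flow (union semantics).
    An empty list means the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    return [g["GroupId"] for g in groups
            if any(_rule_matches(r, protocol, port, src) for r in g["IpPermissions"])]

def world_open_ports(groups, ports=(22, 3389)):
    """Defender check: admin ports reachable from arbitrary v4 or v6 sources."""
    probes = ("198.51.100.7", "2001:db8::7")  # constructed non-private addresses
    return sorted(p for p in ports
                  if any(allowed_by(groups, "tcp", p, ip) for ip in probes))
```

Feed `allowed_by` the `SecurityGroups` array returned for the instance's network interface to answer "which attached group is letting this flow in", which is the question fact 4 leaves open when several groups overlap.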

Related Reading:

https://moderntechnologist.com/cloud-security-explained-your-ultimate-guide-to-understanding-and-implementing-effective-cloud-security/