Security Groups and Basic EC2 Access
Learn how to secure your virtual servers using security groups, and understand the core principles of inbound/outbound rules.
This lesson is purely conceptual — no AWS usage required.
Learning outcomes
By the end of this lesson, you will be able to:
- Explain what an EC2 security group does.
- Distinguish between inbound and outbound rules.
- Explain why security groups are called stateful.
- Choose a safer source for SSH or RDP access.
- Recognize common connection options such as SSH, RDP, and EC2 Instance Connect.
How security groups work
A security group answers one simple question: what traffic is allowed to reach or leave this instance? AWS describes security groups as virtual firewalls: you define rules for the traffic that is allowed, and nothing else gets through.
Note
Allow-Only Logic: AWS security groups only support allow rules. You cannot create a "deny" rule. If traffic isn't explicitly allowed, it is blocked by default.
1) Inbound vs Outbound
Security groups are divided into two types of rules:
Inbound rules
These control traffic coming into your instance.
- A brand-new security group starts with no inbound rules.
- This means all incoming traffic is blocked until you explicitly allow it.
Outbound rules
These control traffic leaving your instance.
- A brand-new security group starts with one outbound rule that allows all traffic by default.
- This allows your server to download updates or talk to other AWS services without extra configuration.
2) Why "Stateful" matters
Security groups are stateful. This is a critical concept to understand because it makes networking much simpler.
Stateful means: if you allow inbound traffic to reach your instance, the response traffic is automatically allowed back out, regardless of your outbound rules.
Tip
Think of it like an invitation. If you invite a guest into your house (Inbound Rule), they are automatically allowed to leave (Response), even if you have a "no one can leave" rule on your front door.
3) Common Rules
When setting up your first EC2 instance, you will likely encounter these four protocols:
| Use case | Protocol / Port | Best Practice |
|---|---|---|
| Linux SSH | SSH (22) | Restrict to My IP |
| Windows Remote Desktop | RDP (3389) | Restrict to My IP |
| Web Traffic | HTTP (80) | Allowed from Anywhere (0.0.0.0/0) |
| Secure Web Traffic | HTTPS (443) | Allowed from Anywhere (0.0.0.0/0) |
4) "My IP" is safer than "Anywhere"
When configuring rules, the AWS console gives you several source options:
- Anywhere-IPv4 (0.0.0.0/0): Allows every computer in the world to attempt a connection.
- My IP: AWS detects your current public IP address and restricts access to just you. Because it captures the address you have at that moment, you will need to update the rule if your public IP changes.
Warning
Never leave SSH (22) or RDP (3389) open to "Anywhere" in a production environment. This is a major security risk. Hackers constantly scan the internet for these open ports.
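To make the allow-only and stateful behaviour from sections 1, 2 and 4 concrete, here is an added worked model (not AWS code and not part of this lesson): a small Python simulation of a security group with a connection table, plus an audit function that flags SSH or RDP rules open to Anywhere. The `Rule`, `SecurityGroup` and `audit_admin_exposure` names and the 203.0.113.x / 198.51.100.x sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of security-group semantics for this lesson; not AWS code.
ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" meaning all traffic (as in the default outbound rule)
    from_port: int
    to_port: int
    cidr: str       # source for inbound rules, destination for outbound rules

    def matches(self, protocol, port, ip):
        if self.protocol != "-1" and (self.protocol != protocol or not self.from_port <= port <= self.to_port):
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)


class SecurityGroup:
    """Allow-only and stateful: a packet needs a matching rule in its own direction,
    unless it is a reply on an already-allowed connection, which passes regardless."""

    def __init__(self, inbound=(), outbound=None):
        self.inbound = list(inbound)   # a brand-new group has no inbound rules ...
        self.outbound = [Rule("-1", 0, 65535, ANYWHERE)] if outbound is None else list(outbound)  # ... and one allow-all outbound rule
        self.established = set()       # connection table: (protocol, service port, remote ip)

    def packet(self, direction, protocol, port, remote_ip):
        """direction is "inbound" or "outbound"; port is the connection's service port."""
        key = (protocol, port, remote_ip)
        if key in self.established:    # reply traffic: allowed regardless of rules
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(r.matches(protocol, port, remote_ip) for r in rules):
            self.established.add(key)
            return True
        return False                   # there are no deny rules; no match means blocked


def audit_admin_exposure(sg):
    """Flag inbound rules that leave SSH or RDP reachable from Anywhere (0.0.0.0/0)."""
    findings = []
    for r in sg.inbound:
        if r.protocol not in ("tcp", "-1") or ipaddress.ip_network(r.cidr).prefixlen != 0:
            continue
        for port, name in ADMIN_PORTS.items():
            if r.from_port <= port <= r.to_port:
                findings.append(f"{name} ({port}) open to Anywhere via {r.cidr}")
    return findings
```

With the outbound list emptied, the SSH reply still leaves the instance because the inbound connection was allowed, while a brand-new outbound connection is blocked; that is the stateful behaviour from section 2.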
5) Connecting to your Instance
Once your security group is configured, how do you actually get in?
For Linux Instances:
- SSH (Secure Shell): The traditional way, using a terminal and your .pem key file.
- EC2 Instance Connect: A browser-based SSH tool provided by AWS. No extra software needed!
For Windows Instances:
- RDP (Remote Desktop Protocol): Use the "Remote Desktop Connection" app on your computer. You'll need to retrieve the Administrator password using your private key.
Micro-activity 1: Choose the Safer Source
Source Selection
Which source is the most appropriate for each scenario?
Micro-activity 2: Security Group Logic
True or False?
Match the concept to its correct behavior.
Summary
Security groups are your primary line of defense. They act as stateful, allow-only virtual firewalls. Remember to keep administrative ports (22, 3389) restricted to My IP and only open web ports (80, 443) to the public.