Understanding AWS Security Groups

In partnership with

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

👋 Before we begin... a big thank you to today's sponsor SUPERHUMAN AI

Find out why 1M+ professionals read Superhuman AI daily.

In 2 years you will be working for AI

Or an AI will be working for you

Here's how you can future-proof yourself:

  1. Join the Superhuman AI newsletter – read by 1M+ people at top companies

  2. Master AI tools, tutorials, and news in just 3 minutes a day

  3. Become 10X more productive using AI

Join 1,000,000+ pros at companies like Google, Meta, and Amazon that are using AI to get ahead.

IN TODAY'S EDITION

🧠 Use Case
  • Understanding AWS Security Groups

🚀 Top News

👀 Remote Jobs

📚 Resources

📢 Reddit Threads

🛠️ TOOL OF THE DAY

Kluctl - Unifies complex Kubernetes deployments into a single declarative framework.

  • Integrates with Helm and Kustomize.

  • Supports diffs and dry runs.

  • Facilitates GitOps workflows.

🧠 USE CASE

Understanding AWS Security Groups

AWS Security Groups (SGs) are stateful firewalls controlling inbound and outbound traffic at the instance level. Security Groups attach directly to EC2 instances, RDS, ALB, Lambda (in VPC), etc.

By default:

  • All inbound traffic is blocked. You must explicitly allow it.

  • All outbound traffic is allowed. Unless you restrict it.

Since SGs are stateful, if an inbound request is allowed, the response is automatically allowed (you don’t need an outbound rule for responses).

Every rule in a Security Group has the following technical parameters:

Field               Example value                       Description
Protocol            TCP, UDP, ICMP, All                 Defines the network protocol
Port Range          22 (SSH), 80 (HTTP), 443 (HTTPS)    Specific port(s) to allow
Source/Destination  192.168.1.10/32, sg-12345678        The IP, CIDR, or another SG allowed to communicate
Description         Allow SSH from Office               (Optional) Useful for tracking

Security Groups can reference other Security Groups instead of IPs. This is critical when working with multiple tiers (Load Balancer → App Server → Database).

Use Case: ALB to Web Server
  • Instead of exposing your Web Server to 0.0.0.0/0, allow only traffic from the ALB’s SG.

  • This way, only traffic from the ALB is allowed.

Why? If the ALB’s IP changes, the rule still works because it references an SG dynamically.
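To make the SG-reference mechanism concrete, here is an added example (my code, not the newsletter's) that models the three-tier design above as rule sets in the shape `aws ec2 describe-security-groups` returns and evaluates inbound flows against them. The group IDs, addresses and the `inbound_allowed` helper are assumptions made for the illustration; the point it shows is that a `UserIdGroupPairs` rule matches on the sender's SG membership rather than its address, so the ALB can change IPs without the Web Server rule breaking.

```python
"""Security-group evaluation for a tiered design (ALB -> Web Server -> Database).

Added example, not code from the newsletter. GROUPS is constructed sample data in
the shape that `aws ec2 describe-security-groups` returns (IpPermissions, IpRanges,
Ipv6Ranges, UserIdGroupPairs); the group IDs and addresses are placeholders.
"""
import ipaddress

# Constructed: each tier only admits the tier in front of it, by SG reference.
GROUPS = {
    "sg-alb-0001": {"GroupName": "alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    "sg-web-0002": {"GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-alb-0001"}]}]},
    "sg-db-0003": {"GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web-0002"}]}]},
}


def _matches_port(perm, port):
    # IpProtocol "-1" means every protocol and every port (no FromPort/ToPort keys).
    if perm["IpProtocol"] == "-1":
        return True
    return perm["FromPort"] <= port <= perm["ToPort"]


def inbound_allowed(groups, dst_group, src_ip, src_groups, proto, port):
    """True if an inbound packet to an ENI in dst_group is permitted.

    src_groups is the set of SGs attached to the sender's ENI (empty for a
    client outside the VPC). A UserIdGroupPairs entry matches on that
    membership, never on the sender's address, so the rule keeps working
    when the ALB's IPs change. No match means denied: inbound is closed by
    default. Only inbound rules are evaluated here; the reply to an allowed
    request is permitted by statefulness and needs no outbound rule.
    """
    src = ipaddress.ip_address(src_ip)
    for perm in groups[dst_group]["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", proto) or not _matches_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # ipaddress returns False (not an error) for a v6 address vs a v4 network
        if any(src in ipaddress.ip_network(c) for c in cidrs):
            return True
        if any(p["GroupId"] in src_groups for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


if __name__ == "__main__":
    alb, web, db = "sg-alb-0001", "sg-web-0002", "sg-db-0003"
    print("internet -> ALB:443", inbound_allowed(GROUPS, alb, "203.0.113.9", set(), "tcp", 443))
    print("internet -> web:80 ", inbound_allowed(GROUPS, web, "203.0.113.9", set(), "tcp", 80))
    print("ALB -> web:80      ", inbound_allowed(GROUPS, web, "10.0.1.25", {alb}, "tcp", 80))
    # The ALB node moved to a new address: still allowed, because the rule names the SG.
    print("ALB(new IP) -> web ", inbound_allowed(GROUPS, web, "10.0.3.99", {alb}, "tcp", 80))
    print("ALB -> db:5432     ", inbound_allowed(GROUPS, db, "10.0.1.25", {alb}, "tcp", 5432))
    print("web -> db:5432     ", inbound_allowed(GROUPS, db, "10.0.2.7", {web}, "tcp", 5432))
```

Note the negative cases: the internet cannot reach the Web Server on port 80 at all, and the ALB cannot reach the database directly even though it sits inside the VPC, because the database rule names only the web tier's SG.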

Debugging Security Group Issues

1. Check Security Group Rules
aws ec2 describe-security-groups --group-ids sg-12345678

Look for missing rules if traffic isnโ€™t working.

2. Check if the Instance is Associated with the Right SG
aws ec2 describe-instances --query 'Reservations[].Instances[].SecurityGroups'

An instance can have multiple Security Groups, so make sure the right one is attached.

3. Use VPC Flow Logs to Detect Blocked Traffic
  • If traffic never reaches your instance → Wrong Security Group rule.

  • If the request reaches but gets no response → Application issue.
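The two-way split above can be automated over flow-log records. The following is an added example (mine, not the newsletter's) that parses constructed VPC Flow Log lines in the default format and classifies each client/port pair for one instance: only REJECT records means the traffic was blocked before reaching the instance, an ACCEPT with a matching reply record means the path works, and an ACCEPT with no reply points at the application. One caveat the decision rule glosses over: a REJECT in flow logs can come from a network ACL as well as from a Security Group, so "blocked" needs both checked. The sample records, account id, ENI id and the `triage` helper are assumptions.

```python
"""Triage VPC Flow Log records for one instance: blocked vs. no application reply.

Added example, not the newsletter's code. FLOW_LOG is a constructed sample in the
default flow-log format (version 2): version account-id interface-id srcaddr dstaddr
srcport dstport protocol packets bytes start end action log-status. Addresses, the
account id and the ENI id are placeholders.
"""

FLOW_LOG = """\
2 123456789012 eni-0abc12345 203.0.113.5 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 203.0.113.5 10.0.1.20 51235 80 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.20 203.0.113.5 80 51235 6 4 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 198.51.100.9 10.0.1.20 40000 8080 6 6 360 1700000000 1700000060 ACCEPT OK
"""

FIELDS = ["version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status"]


def parse(lines):
    """Yield one dict per usable record; header, blank and NODATA/SKIPDATA rows are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK":
            continue
        rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
        yield rec


def triage(lines, instance_ip):
    """Map (client, dst port) -> 'blocked' | 'ok' | 'no-response' for traffic to instance_ip.

    blocked:     only REJECT records for the flow. Either no SG rule allows it or a
                 network ACL denied it (flow logs do not say which).
    ok:          inbound ACCEPT and the instance's reply (same ports reversed) seen.
    no-response: inbound ACCEPT but no reply record: the SG let it in, look at the app.
    """
    inbound, replied = {}, set()
    for rec in parse(lines):
        if rec["dstaddr"] == instance_ip:
            key = (rec["srcaddr"], rec["dstport"])
            # An ACCEPT wins over a REJECT seen in another aggregation window
            if rec["action"] == "ACCEPT" or key not in inbound:
                inbound[key] = rec["action"]
        elif rec["srcaddr"] == instance_ip and rec["action"] == "ACCEPT":
            replied.add((rec["dstaddr"], rec["srcport"]))
    result = {}
    for key, action in inbound.items():
        if action == "REJECT":
            result[key] = "blocked"
        else:
            result[key] = "ok" if key in replied else "no-response"
    return result


if __name__ == "__main__":
    for (client, port), verdict in sorted(triage(FLOW_LOG.splitlines(), "10.0.1.20").items()):
        print(f"{client} -> :{port}  {verdict}")
```

Run it against real records with the instance's private IP as the second argument to `triage`; records for other ENIs on the same log group are ignored by the address match.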

Things to Remember:

✅ Use Security Groups, not static IPs in rules.
✅ Avoid “allow all” rules (0.0.0.0/0) unless necessary.
✅ Don’t allow 0.0.0.0/0 inbound for SSH or databases.
✅ Use IAM roles for permissions, not security groups alone.
✅ Regularly audit SGs to remove unused or overly permissive rules.
✅ Only allow necessary ports (e.g., SSH from a trusted IP, HTTP from the internet).
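The audit item in the list above is easy to script against the JSON from step 1 of the debugging section. Here is an added example (my code, not the newsletter's) that walks `aws ec2 describe-security-groups` output and flags inbound rules that open a sensitive service, or all traffic, to 0.0.0.0/0 or ::/0, while leaving HTTP from the internet and SG-referenced rules alone. The sample document, its group IDs, the `SENSITIVE_PORTS` list and the `audit` helper are assumptions; extend the port list to match your environment.

```python
"""Audit `aws ec2 describe-security-groups` output for world-open inbound rules.

Added example, not the newsletter's code. SAMPLE is a constructed document in the
shape the CLI prints (group IDs are placeholders). On real output:
    aws ec2 describe-security-groups > sgs.json && python sg_audit.py sgs.json
"""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
# Services that should never be reachable from the whole internet (constructed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        # HTTP from the internet: expected for a public web tier, not flagged
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # SSH from the internet: flagged
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        # PostgreSQL only from the web tier's SG: the recommended pattern, not flagged
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        # "All traffic" from anywhere over IPv6: flagged
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]})


def _world_cidrs(perm):
    """CIDRs in this rule that mean 'anyone', over v4 and v6."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in WORLD]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in WORLD]
    return v4 + v6


def audit(doc):
    """Return a list of findings, one per (group, rule, sensitive service)."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = _world_cidrs(perm)
            if not cidrs:
                continue  # private CIDR or SG reference: fine for this check
            proto = perm["IpProtocol"]
            if proto == "-1":
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"], "cidrs": cidrs,
                                 "reason": "all protocols and ports open to the world"})
                continue
            if proto not in ("tcp", "udp"):
                continue  # for ICMP, FromPort/ToPort carry type/code, not ports
            lo, hi = perm["FromPort"], perm["ToPort"]
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if lo <= port <= hi:  # also catches wide ranges such as 0-65535
                    findings.append({"group": sg["GroupId"], "name": sg["GroupName"], "cidrs": cidrs,
                                     "reason": f"{service} ({proto}/{port}) open to the world"})
    return findings


def audit_json(text):
    return audit(json.loads(text))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_json(text):
        print(f"{f['group']} ({f['name']}): {f['reason']} via {', '.join(f['cidrs'])}")
```

Run without arguments it audits the embedded sample and reports two findings: SSH open to the world on the web group, and the all-traffic IPv6 rule on the database group. A wide port range such as 0-65535 produces one finding per sensitive port inside it, which is the intended signal.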

My 2 cents:

Security Groups are not just allow/deny rules. They’re dynamic, stateful, and critical for AWS security.

So keep them tight, specific, and regularly reviewed.

I run a DevOps and Cloud consulting agency and have helped 17+ businesses, including Stanford, Hearst Corporation, CloudTruth, and more.

When your business needs my services, book a free 1:1 business consultation.

Looking to promote your company, product, service, or event to 40,000+ Cloud Native Professionals? Let's work together.