{
	"id": "8acc9a72-17b8-49a0-a7a4-02e7fb133059",
	"created_at": "2026-04-06T00:07:55.877784Z",
	"updated_at": "2026-04-10T03:20:56.176475Z",
	"deleted_at": null,
	"sha1_hash": "9dd9ac89467b4c569c9d2577c246d21611506824",
	"title": "Control traffic to your AWS resources using security groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61031,
	"plain_text": "Control traffic to your AWS resources using security groups\r\nArchived: 2026-04-05 16:45:36 UTC\r\nA security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For\r\nexample, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic\r\nfor the instance.\r\nWhen you create a VPC, it comes with a default security group. You can create additional security groups for a\r\nVPC, each with their own inbound and outbound rules. You can specify the source, port range, and protocol for\r\neach inbound rule. You can specify the destination, port range, and protocol for each outbound rule.\r\nThe following diagram shows a VPC with a subnet, an internet gateway, and a security group. The subnet contains\r\nan EC2 instance. The security group is assigned to the instance. The security group acts as a virtual firewall. The\r\nonly traffic that reaches the instance is the traffic allowed by the security group rules. For example, if the security\r\ngroup contains a rule that allows ICMP traffic to the instance from your network, then you could ping the instance\r\nfrom your computer. 
If the security group does not contain a rule that allows SSH traffic, then you could not\r\nconnect to your instance using SSH.\r\nContents\r\nSecurity group basics\r\nSecurity group example\r\nSecurity group rules\r\nDefault security groups\r\nCreate a security group\r\nConfigure security group rules\r\nDelete a security group\r\nAssociate security groups with multiple VPCs\r\nShare security groups with AWS Organizations\r\nPricing\r\nThere is no additional charge for using security groups.\r\nSecurity group basics\r\nhttps://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\r\nPage 1 of 3\n\nYou can assign a security group to resources created in the same VPC as the security group or to resources\r\nin other VPCs if using the Security Group VPC Association feature to associate the security group to other\r\nVPCs in the same Region. You can also assign multiple security groups to a single resource.\r\nWhen you create a security group, you must provide it with a name and a description. The following rules\r\napply:\r\nA security group name must be unique within the VPC.\r\nSecurity group names are not case-sensitive.\r\nNames and descriptions can be up to 255 characters in length.\r\nNames and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and\r\n._-:/()#,@[]+=\u0026;{}!$*.\r\nWhen the name contains trailing spaces, we trim the space at the end of the name. For example, if\r\nyou enter \"Test Security Group \" for the name, we store it as \"Test Security Group\".\r\nA security group name can't start with sg- .\r\nSecurity groups are stateful. For example, if you send a request from an instance, the response traffic for\r\nthat request is allowed to reach the instance regardless of the inbound security group rules. 
Responses to\r\nallowed inbound traffic are allowed to leave the instance, regardless of the outbound rules.\r\nSecurity groups do not filter traffic destined to and from the following:\r\nAmazon Domain Name Services (DNS)\r\nAmazon Dynamic Host Configuration Protocol (DHCP)\r\nAmazon EC2 instance metadata\r\nAmazon ECS task metadata endpoints\r\nLicense activation for Windows instances\r\nAmazon Time Sync Service\r\nReserved IP addresses used by the default VPC router\r\nThere are quotas on the number of security groups that you can create per VPC, the number of rules that\r\nyou can add to each security group, and the number of security groups that you can associate with a\r\nnetwork interface. For more information, see Amazon VPC quotas.\r\nBest practices\r\nAuthorize only specific IAM principals to create and modify security groups.\r\nCreate the minimum number of security groups that you need, to decrease the risk of error. Use each\r\nsecurity group to manage access to resources that have similar functions and security requirements.\r\nWhen you add inbound rules for ports 22 (SSH) or 3389 (RDP) so that you can access your EC2 instances,\r\nauthorize only specific IP address ranges. If you specify 0.0.0.0/0 (IPv4) and ::/ (IPv6), this enables anyone\r\nto access your instances from any IP address using the specified protocol.\r\nDo not open large port ranges. Ensure that access through each port is restricted to the sources or\r\ndestinations that require it.\r\nConsider creating network ACLs with rules similar to your security groups, to add an additional layer of\r\nsecurity to your VPC. For more information about the differences between security groups and network\r\nACLs, see Compare security groups and network ACLs.\r\nSecurity group example\r\nThe following diagram shows a VPC with two security groups and two subnets. 
The instances in subnet A have\r\nthe same connectivity requirements, so they are associated with security group 1. The instances in subnet B have\r\nthe same connectivity requirements, so they are associated with security group 2. The security group rules allow\r\ntraffic as follows:\r\nThe first inbound rule in security group 1 allows SSH traffic to the instances in subnet A from the specified\r\naddress range (for example, a range in your own network).\r\nThe second inbound rule in security group 1 allows the instances in subnet A to communicate with each\r\nother using any protocol and port.\r\nThe first inbound rule in security group 2 allows the instances in subnet B to communicate with each other\r\nusing any protocol and port.\r\nThe second inbound rule in security group 2 allows the instances in subnet A to communicate with the\r\ninstances in subnet B using SSH.\r\nBoth security groups use the default outbound rule, which allows all traffic.\r\nSource: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
	],
	"report_names": [
		"VPC_SecurityGroups.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9dd9ac89467b4c569c9d2577c246d21611506824.pdf",
		"text": "https://archive.orkl.eu/9dd9ac89467b4c569c9d2577c246d21611506824.txt",
		"img": "https://archive.orkl.eu/9dd9ac89467b4c569c9d2577c246d21611506824.jpg"
	}
}