What Is Security group in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
A security group is like a set of rules that decides what internet traffic is allowed to reach your cloud servers and what traffic is allowed to leave them. You can think of it as a bouncer at a club who checks IDs and only lets in people who meet certain criteria. It helps keep your applications safe by blocking unwanted access while allowing legitimate communication.
Common Commands & Configuration
aws ec2 describe-security-groups --group-ids sg-12345678Retrieves details of a specific security group by its ID, including all inbound and outbound rules, tags, and the VPC ID. This is the first command to run when verifying security group configuration.
Exam questions test whether you can identify the correct command to audit security groups. Using --group-ids is more efficient than filtering by name, and the output includes rule descriptions that help with compliance.
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.0/24Adds an inbound rule to allow SSH traffic on port 22 from a specific CIDR block. The --cidr parameter specifies the source IP range.
The exam tests your ability to construct the correct authorize-ingress command. Remember that you must specify protocol, port, and source. Omitting any of these will cause the command to fail. Also note that you can use --source-group to reference another security group instead of a CIDR.
aws ec2 revoke-security-group-ingress --group-id sg-12345678 --protocol tcp --port 443 --cidr 0.0.0.0/0Removes an inbound rule that allows HTTPS traffic from all sources. You must specify the exact rule parameters to revoke it.
Exam questions often ask how to remove a rule. You cannot remove a rule by its rule number; you must match the protocol, port, and source (or destination). The CLI will return an error if the rule does not exist, which is a common oversight.
aws ec2 authorize-security-group-egress --group-id sg-12345678 --protocol udp --port 53 --cidr 0.0.0.0/0Adds an outbound rule to allow DNS resolution traffic (UDP port 53) to any destination. This is commonly needed when you restrict the default outbound allow rule.
The exam tests whether you understand that outbound rules must be explicitly added when you modify the default outbound rule. DNS (UDP 53) and HTTPS (TCP 443) are the most common outbound rules needed for normal instance operation.
aws ec2 create-security-group --group-name WebServerSG --description "Security group for web servers" --vpc-id vpc-12345678Creates a new security group in a specific VPC. The group name must be unique within the VPC. After creation, you must add rules separately.
Exam questions test that security groups are VPC-specific. You cannot create a security group without specifying a VPC. Also note that you cannot change the VPC of a security group after creation.
aws ec2 modify-instance-attribute --instance-id i-12345678 --groups sg-11111111 sg-22222222Changes the security groups attached to a running instance. You can specify up to five security groups. This is a live change and does not require a reboot.
The exam tests that you can modify security groups on running instances. However, this only affects the primary Elastic Network Interface. If the instance has multiple network interfaces, you must modify each interface individually using modify-network-interface-attribute.
aws ec2 describe-network-interface-attribute --network-interface-id eni-12345678 --attribute groupSetLists all security groups attached to a specific Elastic Network Interface. This is useful for debugging when an instance has multiple ENIs.
Exam scenarios often involve instances with multiple network interfaces, such as management ENIs. You need to remember that security groups are attached to ENIs, not directly to instances.
Security group appears directly in 667exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CLF-C02. Practise them →
Must Know for Exams
Security groups are a critical topic across many IT certification exams, appearing in cloud-specific exams like AWS Cloud Practitioner, AWS Solutions Architect, AWS SysOps Administrator, as well as in general security exams like CompTIA Security+, CySA+, ISC2 CISSP, and even Microsoft exams like AZ-104 and SC-900. In the AWS Cloud Practitioner (CLF-C02) exam, security groups are part of the core concepts of AWS security and compliance. You are expected to know that security groups act as virtual firewalls, are stateful, support allow rules only, and are associated with EC2 instances.
The exam may ask questions about the differences between security groups and network ACLs, or about default security group behavior. For the AWS Solutions Architect (SAA-C03) exam, security groups are a major topic. You need to understand how to design multi-tier architectures using security groups, how to reference other security groups in rules (e.
g., allowing traffic from a specific security group), and how to use security groups with load balancers and auto scaling groups. The exam may present scenario-based questions where you must choose the correct security group configuration to meet requirements like high availability, security, and cost efficiency.
For example, you might be asked to design a secure VPC for a web application where only the web servers can be accessed from the internet, and the database servers can only be accessed from the application servers. In the AWS SysOps Administrator (SOA-C02) exam, you need to know how to troubleshoot security group issues, such as why an instance is unreachable (often due to missing inbound rules) or why applications aren't working (often due to missing outbound rules). You might encounter questions about modifying security group rules on the fly and understanding how changes take effect immediately.
In CompTIA Security+ (SY0-601), security groups are covered under cloud security controls. You are expected to understand the concept of a stateful firewall and how it differs from a stateless firewall. Questions might ask you to identify the correct configuration to restrict access to a cloud resource, or to explain the difference between a security group and a network ACL.
The CySA+ (CS0-002) exam goes deeper into security operations, where you might have to analyze logs or configurations to identify misconfigured security groups that allowed a breach. You might also see questions about automation and Infrastructure as Code (IaC) where security groups are defined in templates. The ISC2 CISSP exam covers security groups in the domain of Communication and Network Security (Domain 4).
You need to understand the concept of stateful inspection and how security groups implement it. Questions may be about selecting the appropriate firewall type for a specific scenario, or about the differences between cloud-based virtual firewalls and traditional hardware firewalls. For Microsoft exams, Azure Network Security Groups (NSGs) are analogous.
The AZ-104 exam (Azure Administrator) tests your ability to create and manage NSGs, to understand the difference between NSGs (which can be stateful or stateless) and Azure Firewall, and to apply NSG rules to subnets or NICs. The SC-900 exam (Microsoft Security, Compliance, and Identity Fundamentals) covers NSGs as a basic security control. The MD-102 (Microsoft 365 Endpoint Administrator) and MS-102 (Microsoft 365 Administrator) may touch on cloud security controls, often in the context of Microsoft 365 Defender and cloud app security.
In these exams, you might see questions about how security groups help protect virtual machines in Azure, but the depth is lighter compared to the Azure administrator exam. In all these exams, common question patterns include: identifying the correct security group rule to allow SSH access from a specific IP, determining why a user cannot connect to a database, or comparing security groups to other firewall types. You need to remember that security groups are stateful, support only allow rules, and that changes are applied immediately.
Being able to quickly recall these key characteristics is essential for exam success. Because security groups appear across so many exams, mastering them gives you a strong foundation for understanding network security in the cloud.
Simple Meaning
Imagine you have a house with a front door and a back door. A security group is like a set of instructions for who can come in and who can go out through those doors. For example, you might say that only your friends (specific IP addresses) can enter through the front door, and only on certain days (specific ports).
You can also decide that anyone inside the house can leave through the back door anytime they want. In the cloud, security groups work the same way for virtual servers called EC2 instances. They are virtual firewalls that sit in front of your instances and filter traffic based on rules you create.
These rules are very flexible: you can allow traffic from a specific computer, from a whole office network, or even from anywhere on the internet, but only for certain types of communication (like web traffic on port 80 or secure web traffic on port 443). What makes security groups special is that they are stateful. This means if you allow traffic to come into your instance (inbound), the response traffic going out (outbound) is automatically allowed, even if you don't have a specific rule for it.
For example, if you let a customer request a web page from your server, the server can send the page back without needing an extra outbound rule. This is different from some other types of firewalls, like network access control lists (NACLs), which are stateless and require rules for both directions. Security groups also support allow rules only; you cannot create deny rules.
You simply decide what traffic to allow, and everything else is blocked by default. This makes them easier to manage because you only think about what you want to permit. You can attach the same security group to multiple instances, which is great when you have several servers that need the same protection.
However, if you need more advanced filtering, such as blocking specific IP addresses or creating complex deny lists, you would use a network access control list (NACL) in addition to security groups. In the AWS cloud, security groups are a fundamental part of building secure applications, and they are one of the first things you learn when studying for cloud certifications. Understanding how they work helps you design networks that are both secure and functional.
They are the first line of defense for your compute resources, and getting their rules right is critical to preventing unauthorized access while still allowing your applications to work correctly.
Full Technical Definition
A security group in AWS acts as a virtual, stateful firewall that controls inbound and outbound network traffic to Amazon Elastic Compute Cloud (EC2) instances and other AWS resources. It operates at the instance level, not at the subnet level, meaning that each instance can have its own set of security group rules, and multiple instances can share the same security group. Security groups are composed of a set of rules that specify allowed traffic based on protocol (TCP, UDP, or ICMP), port range (e.
g., 80 for HTTP, 443 for HTTPS), and source or destination IP address or another security group. The stateful nature of security groups means that if you allow an inbound request, the response to that request is automatically allowed outbound, regardless of outbound rules.
This simplifies rule management because you don't need to create symmetric rules for return traffic. However, it also means that you cannot block specific response traffic; if you allow an inbound connection, the entire session is allowed both ways. Security groups support only allow rules; there are no explicit deny rules.
Any traffic that does not match an allow rule is implicitly denied. This is a key difference from network ACLs, which support both allow and deny rules and are stateless. When you create a security group, you specify a name, a description, and a VPC.
Each security group has a unique ID within a region. You can then add inbound and outbound rules. For inbound rules, you specify the source of the traffic, which can be an IPv4 or IPv6 CIDR block, a prefix list, or another security group ID.
Using another security group as a source is a powerful feature because it allows you to easily control traffic between different tiers of an application. For example, you can allow only the web server security group to talk to the database security group on port 3306 (MySQL), without needing to know the actual IP addresses of the web servers. Outbound rules work similarly, but the destination is specified instead of the source.
By default, every security group has an outbound rule that allows all traffic to leave. This is a common default, but you can remove it and add more restrictive rules if needed. Security groups are evaluated in real time: when a packet arrives, AWS checks it against the inbound rules of the security group attached to the destination instance.
If the packet matches an allow rule, it is forwarded to the instance. The instance then sends the response, which is checked against the outbound rules of the same security group. Because of statefulness, if the outbound rule for that particular traffic is not present but it is a response to an allowed inbound request, it is automatically permitted.
This is handled by the security group's connection tracking mechanism. Each security group maintains a table of active sessions, which includes the source IP, destination IP, port, and protocol. When a response packet arrives, the security group checks this table first.
If a matching session exists, the packet is allowed. If no session exists, the packet is evaluated against the outbound rules. This connection tracking has a timeout; after a period of inactivity, the session is removed, and subsequent packets must match an explicit rule.
Security groups can be attached to multiple instances, and instances can be associated with multiple security groups. When an instance is associated with multiple security groups, the set of allowed rules is the union of all the rules from all attached security groups. This allows for flexible grouping, where you can have a base security group with general rules (like allowing SSH from management IPs) and an additional security group with application-specific rules (like allowing HTTP from the internet).
One important limitation is that security groups are specific to a VPC and a region. You cannot use a security group from one VPC in another VPC, nor can you use it across regions. To control traffic at the subnet level, you use network ACLs, which are stateless and can explicitly deny traffic.
In a typical three-tier architecture, security groups are used to control traffic between the web layer, the application layer, and the database layer. For example, you might create a security group for web servers that allows HTTP (port 80) and HTTPS (port 443) from the internet (0.0.
0.0/0). Then you create another security group for application servers that only allows traffic from the web server security group on a specific port (e.g., 8080). Finally, you create a security group for database servers that only allows traffic from the application server security group on port 3306.
This layered approach provides granular control and reduces the attack surface. In practice, security groups are an essential component of cloud security architecture. They work alongside other AWS services like AWS WAF (for web application firewalls), AWS Shield (for DDoS protection), and Network Access Analyzer (for checking network configurations).
Understanding security groups is critical for passing the AWS Certified Solutions Architect, AWS Certified SysOps Administrator, and AWS Certified Cloud Practitioner exams. Security groups are a common topic in CompTIA Security+ and CySA+ exams when discussing cloud security controls. The concept of stateful firewalling and implicit deny is also tested in the ISC2 CISSP exam under the domain of communication and network security.
For Microsoft exams like AZ-104, MD-102, MS-102, and SC-900, the concept of Network Security Groups (NSGs) is analogous, though they can be stateful or stateless depending on configuration, and they support both allow and deny rules. However, the core idea of a virtual firewall at the resource level remains consistent across cloud providers.
Real-Life Example
Think of a busy office building with many floors. Each floor has a reception desk that controls who can come in and who can leave. The security group is like the set of rules that the receptionist follows.
For example, the receptionist has a list of approved employees (like a whitelist of IP addresses) and only allows those people to enter through the front door. The receptionist also knows that if an employee goes out for lunch, they can come back in without needing to be checked again, because their badge (session) is still valid. Now imagine that the office building has three floors: the ground floor is the reception (public web servers), the first floor is the accounting department (application servers), and the second floor is the secure data room (database servers).
The ground floor reception has a rule that allows anyone from the street (0.0.0.0/0) to walk into the lobby, but only for general inquiries (HTTP port 80). However, to get to the accounting department on the first floor, you need a special pass (security group ID) issued by the reception.
The receptionist checks your pass and only allows you to go to the first floor if you are from the authorized list (web server security group). Similarly, the accounting department has its own set of rules that only allows pre-approved messengers (application server security group) to take files to the second floor data room. If someone from the street tries to go directly to the second floor, the receptionist stops them because there is no rule allowing that.
The security group rules are like these access permissions: they specify who (source) can access what (destination) and through which door (port). Now consider what happens when a visitor comes to the lobby. They ask a question, and the receptionist gives them an answer.
The receptionist does not need a separate rule to allow the visitor to leave because they are just responding to the inquiry; this is the stateful nature of security groups. The allowed inbound conversation automatically allows the outbound response. If the visitor tries to sneak into the accounting department after getting their answer, the receptionist stops them because that specific path is not allowed.
In this analogy, the building manager (cloud administrator) creates these rules in advance. They can also group employees into teams (multiple instances with the same security group) and give each team the same access permissions. For example, all web developers (web servers) have the same badge (security group) that allows them to access the development tools on the third floor (port 443).
The manager can easily update the badge rules for the whole team at once. In real life, the receptionist might also have a list of known troublemakers to block (deny list), but in the security group world, you only have an allow list. If someone is not on the list, they are automatically blocked.
This makes management simpler but means you cannot create an explicit deny rule; you must instead ensure that only the right sources are allowed. The office building also has fire escape doors (default outbound traffic) that can be used by anyone inside, unless the manager decides to lock them with special rules. This analogy maps perfectly to how security groups work in the cloud: they are simple, stateful, and easy to manage, but they require careful planning to ensure that only the intended traffic flows between your servers.
Why This Term Matters
Security groups are one of the most fundamental and frequently used security controls in cloud environments, especially on AWS. They provide the first layer of defense for your EC2 instances, load balancers, RDS databases, and other resources that are attached to a VPC. Without them, your instances would be completely exposed to the internet, making them vulnerable to attacks, data breaches, and unauthorized access.
In a practical IT context, every cloud engineer or architect must know how to design security group rules that are both secure and functional. A common scenario is a web application that uses a web server, an application server, and a database. The web server needs to be openly accessible on ports 80 and 443 from the internet, but the application server should only be accessible from the web server, and the database should only be accessible from the application server.
Proper use of security groups makes this configuration straightforward and secure. If you misconfigure a security group, you could either block legitimate traffic, causing application downtime, or allow too much traffic, creating a security risk. For example, leaving port 22 (SSH) open to the entire internet (0.
0.0.0/0) is a common mistake that can lead to unauthorized login attempts and potential server compromise. Security groups also matter because they are cost-effective. They operate at no additional charge and are integrated into the AWS ecosystem.
They can be used with automation tools like AWS CloudFormation, Terraform, and AWS CLI to enforce consistent security policies across environments. For organizations that need to meet compliance standards (such as PCI DSS, HIPAA, or SOC 2), security groups provide an auditable way to demonstrate that network access is controlled. Auditors often ask for evidence that only necessary ports are open and that sources are restricted to only those that require access.
Therefore, understanding and properly implementing security groups is not just an exam topic; it is a real-world skill that directly impacts the security posture of cloud infrastructure. Missteps can lead to data breaches, financial loss, and reputational damage, making it essential for IT professionals to master this concept.
How It Appears in Exam Questions
Security group questions appear in various forms across certification exams. The most common type is the scenario-based question where you are given a description of an application and asked to choose the correct security group configuration. For example, a question might describe a web application that has EC2 instances in a public subnet and RDS database in a private subnet.
You will be asked to select the security group rules that allow the web servers to talk to the database. The correct answer will specify that the database security group should have an inbound rule that allows traffic on port 3306 (MySQL) from the security group attached to the web servers, rather than from a specific IP address. Another common pattern involves troubleshooting.
You might be presented with a scenario where a user cannot connect to an EC2 instance using SSH. The question will ask you to identify the likely cause. The answer might be that the security group does not have an inbound rule allowing TCP port 22 from the user's IP address, or that the rule exists but the source is incorrectly specified (e.
g., using a CIDR block that doesn't include the user's IP). Questions often compare security groups with network ACLs. For instance, you might be asked which of the following is true about security groups: they are stateful, support deny rules, or are applied at the subnet level.
The correct answer is that they are stateful. You might also see a question about default security groups. For example, a new security group has no inbound rules by default, which means all inbound traffic is denied.
But outbound traffic is allowed by default. Knowing these defaults is important for exams. Another pattern is about multiple security groups. When an instance has multiple security groups attached, the effective rules are the union of all rules.
A question might ask what happens when you attach two security groups with different rules to an instance. The answer is that the instance will allow traffic that matches any rule from any of the attached groups. There may be questions about stateful behavior: if you allow inbound traffic on port 80, will the response traffic automatically be allowed?
The answer is yes, because security groups are stateful. This is a key differentiator from NACLs. Some exams, especially the AWS Solutions Architect, may ask about cross-account security group referencing.
You can reference a security group from another account if you specify the account ID. This is less common but can appear in advanced scenarios. In the CompTIA Security+ exam, you might see questions that ask you to identify the security group rule that would prevent a specific type of attack.
For example, you might be asked which rule would block SQL injection attacks, and the answer would be that security groups cannot block application-layer attacks; they only control network access. You would need a web application firewall (WAF) for that. In Azure exams, the pattern is similar, but the terminology is different: Network Security Groups (NSGs) and Application Security Groups (ASGs).
You might be asked to configure an NSG rule to allow RDP access from a specific IP range, or to understand that NSGs can be associated with a subnet or a NIC. Overall, exam questions on security groups test your understanding of basic concepts, default behavior, stateful vs. stateless, troubleshooting, and best practices for segmentation.
Practise Security group Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine you are setting up a small online store on AWS. You have two EC2 instances: one is the web server that shows product pages to customers, and the other is the database server that stores product information and customer orders. Your goal is to make sure customers can visit your website (web server) from anywhere, but only the web server should be able to talk to the database server.
Nobody should be able to access the database server directly from the internet. To achieve this, you create a security group for the web server, let's call it 'WebSG'. You add an inbound rule to WebSG that allows HTTP (port 80) and HTTPS (port 443) from any IP address (0.
0.0.0/0). You also add an inbound rule that allows SSH (port 22) only from your office IP (a specific /32 address), so you can manage the server. Outbound traffic is left with the default rule that allows all traffic.
Next, you create a security group for the database server, called 'DBSG'. For inbound rules, you add a single rule that allows MySQL (port 3306) from the WebSG security group (not from an IP address, but using the security group ID). This means only instances that have the WebSG attached can send traffic to the database on port 3306.
You do not add any SSH rule for the database, so you cannot directly SSH into it from anywhere. Outbound traffic is left as default all traffic. Now, when you attach WebSG to the web server instance and DBSG to the database instance, the setup works: customers can browse the website, and the web server can retrieve product data from the database.
If a hacker tries to directly access the database from the internet, the request is dropped because there is no inbound rule allowing traffic from 0.0.0.0/0 on any port. Even if the hacker finds the database server's IP address, the security group blocks them.
This scenario illustrates the proper use of security groups to enforce the principle of least privilege: each resource only has the access it absolutely needs. In an exam, you might be asked to identify the correct rules for this scenario. The key point is to use the security group reference for the database inbound rule, not an IP address, because the web server IP might change if the instance is stopped and started or if an auto scaling group launches new instances.
By referencing the security group, you ensure that any instance with the correct security group can communicate with the database, regardless of its IP address.
Common Mistakes
Thinking security groups are stateless like network ACLs.
Security groups are stateful, meaning they automatically allow return traffic for an allowed inbound request. NACLs are stateless and require separate rules for inbound and outbound traffic. Confusing the two leads to over-complicated rule design or incorrect troubleshooting.
Remember that if you allow an inbound connection, the response is automatically allowed outbound. You only need outbound rules for new connections initiated from within the instance.
Creating deny rules in a security group.
Security groups only support allow rules. There is no way to explicitly deny traffic. If traffic is not allowed, it is implicitly denied. Trying to create a deny rule will result in an error or a useless rule.
Use network ACLs if you need explicit deny functionality. With security groups, simply do not add an allow rule for the traffic you want to block.
Opening all ports to the internet (0.0.0.0/0) for convenience.
Allowing all inbound traffic from any IP address on all ports (e.g., 0.0.0.0/0 on ports 0-65535) exposes your instance to potential attacks, scanning, and unauthorized access. This is a severe security risk.
Only open the specific ports that are needed for your application, and restrict the source IP range as much as possible. For example, allow SSH only from your office IP range, and allow HTTP/HTTPS from 0.0.0.0/0 only if your application is meant to be public.
Confusing security groups with network ACLs when troubleshooting connectivity.
If an instance cannot communicate, learners often check only NACL rules and forget that security groups also affect traffic. Since security groups are attached to the instance itself, they must be checked as well.
When troubleshooting connectivity, check both the security group attached to the source and destination instances, as well as the NACL rules for the subnets. Security groups operate at the instance level, NACLs at the subnet level.
Not updating security group rules after changing instance IP addresses.
If you use a specific IP address as a source in a security group rule, and the source instance later gets a new IP (e.g., after a stop/start), the rule no longer works. This causes connectivity failures.
Use security group IDs as the source in security group rules whenever possible, especially for inter-instance communication. This way, the rule remains valid even if the instance IP changes.
Assuming that multiple security groups are evaluated in a specific order.
When an instance has multiple security groups, all rules from all groups are evaluated together. There is no priority order; if any rule allows the traffic, it is permitted. Some learners think the first matching rule applies or that they can override rules from another group.
Understand that the effective rules are the union of all rules from all attached security groups. If you need to block traffic, you cannot do it with security groups alone; use a NACL for explicit denial.
Forgetting that security groups are regional and VPC-specific.
A security group created in one region or one VPC cannot be used in another region or VPC. Learners sometimes try to reference a security group from a different region, which results in an error. This is important when working with cross-region architectures.
Create separate security groups in each region and each VPC. If you need to reference resources across VPCs, consider VPC peering or Transit Gateway, but you still need to create security groups in the destination region or VPC.
Exam Trap — Don't Get Fooled
{"trap":"A question states: 'An EC2 instance has a security group that allows inbound SSH from 203.0.113.0/24. A network ACL allows all inbound and outbound traffic. A user from IP 203.
0.113.50 cannot connect to the instance via SSH. What is the most likely cause?'","why_learners_choose_it":"Learners often jump to the conclusion that the security group is misconfigured because they see the SSH rule, but they might assume that the rule is miswritten or that the source is wrong.
They might also blame the network ACL because they forget that NACLs are stateless.","how_to_avoid_it":"First, note that the security group allows SSH from the /24 range, which includes 203.0.
113.50. So the inbound rule is fine. The network ACL allows all inbound and outbound traffic, so it is not blocking. The issue is likely outbound traffic. For SSH, the server needs to send a response back to the client.
If the outbound network ACL is stateless and only allows all traffic inbound, it might still have a rule that blocks outbound traffic for ephemeral ports. But wait, the NACL allows all inbound and outbound traffic, so that is not an issue. However, the real trap is that the security group is stateful, so outbound response is allowed automatically.
So the problem is not the security group. The most likely cause is that the user is trying to connect to the wrong IP address or the instance is not running. But the exam trap might be that the user's IP is not actually in the 203.
0.113.0/24 range? Actually, it is. Another trap could be that the security group is attached to the instance, but there is a different security group also attached that blocks SSH.
But the question says the security group allows inbound SSH from that range. Actually, the clever trap is to make you think about the network ACL being stateless: if the NACL allows all inbound and outbound, it's fine. The most realistic trap is that the user is trying to connect from a subnet that has an NACL that blocks outbound traffic on ephemeral ports, but the question says the NACL allows all traffic.
So the correct answer is likely something else, like the instance does not have an SSH server running, or the user is using the wrong key pair. In exam context, the common trap is that learners forget that security groups are stateful and assume they need an outbound rule. But here outbound is all allowed.
So the trick is actually to check if the security group rule for SSH uses the correct port (22). If the rule is for port 22 but the user is trying to connect on a different port, that could be the issue. Alternatively, the trap could be that the security group rule is for TCP 22, but the user is using a different protocol.
Another common trap is that the source is specified as a security group ID instead of a CIDR, but in this case it is CIDR. The most effective trap is to make the learner think the problem is the security group when it is actually a missing outbound NACL rule. But since the NACL allows all, that's not it.
So the trap is that the learner will incorrectly say the security group is missing an outbound rule, but outbound is stateful. The correct answer to avoid the trap is to realize that the security group is configured correctly, and the issue may be on the client side or the instance state. However, exam traps often focus on the stateful nature: the response is allowed automatically, so no outbound rule is needed.
The trap answer choices might include 'The security group needs an outbound rule to allow SSH traffic' which is wrong. By remembering statefulness, you can avoid that trap."
Commonly Confused With
A network ACL is a stateless firewall that operates at the subnet level, while a security group is a stateful firewall at the instance level. NACLs support both allow and deny rules and are evaluated in numerical order. Security groups only support allow rules and all rules are evaluated together. NACLs are used for broad subnet-wide control, while security groups are for granular instance-level control.
If you want to block a specific IP address from accessing any resource in a subnet, you would use a NACL with a deny rule. If you want to allow SSH from only one IP to a specific server, you use a security group.
AWS WAF protects web applications from common web exploits like SQL injection and cross-site scripting at the application layer (Layer 7), while security groups work at the network layer (Layer 3 and 4) controlling IP addresses and ports. They serve different purposes and can work together for defense in depth.
A security group can allow HTTP traffic on port 80 from the internet, but AWS WAF can inspect that traffic and block requests that contain malicious SQL commands.
In Azure, the equivalent is called a Network Security Group (NSG). While NSGs can be either stateful or stateless (depending on configuration and context), AWS security groups are always stateful. NSGs support both allow and deny rules, whereas AWS security groups only allow. Both operate at the network layer but with these key differences.
In AWS, if you allow inbound traffic on port 80, the response is automatically allowed. In Azure, an NSG rule must be created to allow the response traffic if the NSG is configured as stateless, or it can be stateful in some scenarios (like with Azure Firewall).
Azure Application Security Groups (ASGs) are used to group virtual machines and define network security policies based on application workloads, similar to using security group IDs as sources in AWS security groups. However, ASGs are a separate resource in Azure that are then referenced in NSG rules, whereas in AWS you can directly reference another security group in a rule. Both aim to simplify security management based on logical groupings.
In AWS, you can create a security group for your web servers and then reference that security group ID in the database security group's inbound rule. In Azure, you would create an ASG for your web servers and then create an NSG rule that uses that ASG as the source.
AWS Network Firewall and Azure Firewall are managed firewall services that provide deep packet inspection, intrusion prevention, and traffic filtering at the network and application layers. They are more comprehensive than security groups, which only do simple stateful filtering based on IP, port, and protocol. These firewalls are used for centralized, advanced protection across multiple VPCs or subscriptions.
You might use a security group to allow HTTP traffic to a web server, but you would use AWS Network Firewall to inspect that HTTP traffic for malware and enforce URL filtering rules across the entire VPC.
Security Group Basics and Stateful Filtering
A security group in AWS acts as a virtual firewall for an Amazon Elastic Compute Cloud instance or other resources such as an Elastic Load Balancer or an Amazon Relational Database Service instance. Security groups operate at the instance level rather than at the subnet level, which means they control inbound and outbound traffic at the network interface of the resource. This granular control allows for highly specific traffic rules tailored to individual workloads.
One of the most critical concepts to understand about security groups is that they are stateful. Stateful filtering means that if you allow inbound traffic from a specific source IP address and port, the return traffic for that connection is automatically allowed, regardless of any outbound rules. This is a major difference from network access control lists, which are stateless and require explicit rules for both inbound and outbound traffic. In practice, this means that when you create an inbound rule to allow SSH traffic on port 22 from your office IP, you do not need a corresponding outbound rule to allow the response packets back to your machine. The stateful nature simplifies rule management but also introduces a security consideration: you must be careful about what outbound traffic you allow because any allowed outbound traffic will have its return traffic permitted automatically.
Security groups have a default behavior: they deny all inbound traffic unless explicitly allowed, and they allow all outbound traffic by default. The default outbound allow is a common source of confusion and is often tested in certification exams. Many architects choose to modify the default outbound rules to be more restrictive, especially in environments with strict compliance requirements. However, changing the outbound rules can break connectivity for software updates, DNS resolution, or communication with other services. For example, if you lock down outbound traffic to only specific ports and destinations, your instance may fail to pull updates from Amazon Linux repositories or resolve hostnames via Amazon Route 53.
Each security group can have up to 60 inbound rules and 60 outbound rules, and you can attach up to five security groups to a single network interface. The rules are evaluated collectively: if any security group attached to the interface allows the traffic, it is permitted. This evaluation order is crucial for designing layered security. When multiple security groups are attached, the least restrictive rule wins, so you cannot use multiple groups to create a more restrictive overall policy than the permissive rules allow.
Security groups are region-specific and VPC-specific. They cannot be used across regions or across VPCs unless you replicate them manually. They also support referencing other security groups as sources or destinations, which enables dynamic scaling and group-based policies. For example, you can create a security group for your web servers and allow inbound HTTP traffic from a security group assigned to your load balancer. This way, when you launch new web server instances, they automatically inherit the correct rules without needing to know the IP addresses of the load balancer. Security group references are resolved at the time of rule evaluation, so they work across Availability Zones within the same VPC.
Understanding the stateful nature and the default outbound allow is essential for passing the AWS Certified Cloud Practitioner and AWS Certified Solutions Architect Associate exams. Exam questions often present scenarios where an engineer changes outbound rules and wonders why certain traffic is blocked or allowed. The correct answer usually hinges on the fact that security groups are stateful and that the return traffic for an allowed inbound connection is always permitted.
Security Group Rule Evaluation and Limits
Security group rules are evaluated in a specific manner that is important for both configuration and troubleshooting. Each rule consists of a protocol, port range, and source (for inbound rules) or destination (for outbound rules). When a packet arrives at the network interface, AWS evaluates all inbound rules across all security groups attached to that interface. If any rule allows the traffic, the packet is accepted. If no rule allows it, the packet is dropped. This is a fundamental difference from network access control lists, which evaluate rules in order and stop at the first match. Security group rules have no order; they are all considered simultaneously.
There are several limits that candidates must know for the AWS Certified SysOps Administrator Associate exam. The soft limit for security groups per VPC is 500, though this can be increased by requesting a service limit increase. Each security group can have up to 60 inbound and 60 outbound rules. You can attach up to five security groups to an Elastic Network Interface. If you need more than 60 rules, you can either attach additional security groups or use prefix lists to condense multiple CIDR blocks into a single rule. Prefix lists are managed by AWS or by the customer and can contain up to 100 entries per list, with a limit of 100 prefix lists per account per region.
Another important limit is the number of rules that reference other security groups. There is no hard limit on security group references, but each rule that references a security group counts against the 60-rule limit per direction. When you reference another security group, AWS dynamically resolves the private IP addresses of all instances that are associated with that security group at the moment of evaluation. This means that as instances launch or terminate, the security group rules automatically adapt without requiring you to update the rules. This dynamic behavior is a key advantage for auto-scaling environments.
Security groups also have a limit on the total number of rules per network interface. Since you can attach five security groups to an interface, the theoretical maximum number of rules that can affect that interface is 300 inbound and 300 outbound (five groups times 60 rules). In practice, however, you should avoid reaching these limits because it increases latency for rule evaluation and makes troubleshooting more difficult.
Exam questions frequently test the concept of rule evaluation order. A common scenario is a configuration where one security group allows SSH from a specific IP, and another security group attached to the same instance denies SSH from that same IP. Since security groups only support allow rules and not deny rules, the deny is not possible. The only way to block traffic is to remove the allow rule. Therefore, any question that suggests a security group can explicitly deny traffic is incorrect. This is a classic trick used in the AZ-104 and Security+ exams when comparing Azure network security groups to AWS security groups.
Finally, there is a limit on the number of rules that can be applied to a security group when using security group references across peered VPCs. In a VPC peering connection, you can reference security groups from the peer VPC only if the security group is in the same region. Cross-region peering does not support security group references. This limitation is frequently tested in the AWS Solutions Architect Professional exam.
Understanding these limits and evaluation behaviors is not just exam knowledge; it is critical for designing scalable and secure architectures. For example, if you design an application that uses multiple security groups to segment traffic, you must ensure that you do not exceed the five-group limit per interface. Similarly, if you use security group references for auto-scaling, you must be aware that the reference resolution can take a few seconds during instance launch, which may cause brief connectivity issues.
Security Group Cost and Management
One of the most common misconceptions about security groups is that they incur direct costs. In reality, security groups themselves are free to create and use. There is no charge for the number of security groups you create, nor for the number of rules you define. However, security groups can indirectly affect your AWS costs in several ways that are important for both the AWS Cloud Practitioner and the AWS SysOps Administrator exams.
First, misconfigured security groups can lead to increased data transfer costs. For example, if you have overly permissive outbound rules that allow traffic to the internet, instances may be able to download large updates or send data to external services without your knowledge, incurring data transfer out charges. Similarly, if you allow inbound traffic from too wide a range of IP addresses, you may be billed for unwanted traffic that ties up instance resources, though AWS does not charge for inbound data transfer. The indirect cost comes from the need to scale your instances to handle that traffic.
Second, security groups can affect the cost of managed services like Application Load Balancers and Amazon RDS. Each of these services has a limit on the number of security groups you can attach, and exceeding that limit may require you to use alternative configurations that are more expensive. For example, if you need more than five security groups on an Application Load Balancer, you might need to use multiple load balancers, which doubles the hourly cost. For this reason, architects often consolidate rules into fewer security groups to stay within limits and avoid unnecessary costs.
Third, security group management can become a source of operational overhead. In large organizations with hundreds of security groups, manually managing rules leads to configuration drift and human error. This often results in overly permissive rules that increase the attack surface and potentially lead to security incidents that could have been avoided. The cost of such incidents can be significant, including data breach notification costs, forensic analysis, and lost business. AWS Config and AWS Firewall Manager can help manage security groups at scale, but these services have their own costs. AWS Config charges per configuration item recorded, and Firewall Manager charges per policy per region. Understanding these associated costs is key to the cost optimization sections of the AWS Certified Solutions Architect Associate exam.
Another indirect cost consideration is the use of security groups for network segmentation versus using VPC subnetting or AWS Network Firewall. While security groups are free, they operate at the instance level and are less efficient for large-scale segmentation compared to subnet-level controls. If you rely solely on security groups for segmentation, you may end up with a complex web of rules that is difficult to audit. The time spent auditing and updating rules is a labor cost that organizations often overlook. For exam purposes, remember that security groups are free but the operational cost of managing them can be significant.
Finally, security groups can affect the cost of AWS Support. If you repeatedly open support cases because of misconfigured security groups, you may need a higher tier of support, which costs more. In the AWS Cloud Practitioner exam, you may see a scenario where a customer is trying to reduce costs and the correct answer is to simplify security group rules to reduce the need for support cases.
while security groups themselves are free, their misconfiguration leads to higher data transfer costs, increased infrastructure costs from scaling, operational overhead from manual management, and potential incident response costs. Exam questions often ask about cost optimization strategies related to security groups, and the correct answer frequently involves using security group references to reduce rule count, using AWS Firewall Manager to automate rule application, and regularly reviewing rules to remove unused ones.
Security Group Troubleshooting Scenarios
Troubleshooting security group issues is one of the most common tasks for AWS administrators and a frequent topic in certification exams, including the CySA+ and the CompTIA Security+. When an instance is unreachable, the first thing to check is often the security group. However, because security groups are stateful and have complex evaluation rules, troubleshooting requires a systematic approach.
The most common symptom is that an instance is not responding to SSH or RDP connections despite having an inbound rule that appears to allow that traffic. The first step in troubleshooting is to verify that the security group rule is actually applied to the instance. You can do this by checking the instance's description in the Amazon EC2 console under the Security tab. It lists all security groups attached to the primary Elastic Network Interface. Often, the issue is that the rule was added to a security group that is not attached to the instance, or the instance was launched with a different security group than intended.
Another frequent issue is that the rule specifies the wrong source IP address. For example, you may have added your home IP address, but your ISP assigns a dynamic IP that changes periodically. A symptom of this is that SSH works from some locations but not others. The solution is to use a more flexible CIDR range or to use AWS Systems Manager Session Manager, which does not require inbound SSH rules. In exams, this scenario is used to test your understanding of how source IP addresses affect connectivity.
A more subtle issue occurs when the security group reference is misconfigured. Suppose you allow inbound HTTP traffic from a security group assigned to your load balancer, but your web servers are still unreachable. The problem might be that the load balancer's security group does not have any instances associated with it, or the instances in the source security group are in a different VPC and the reference is not supported. Security group references only work within the same VPC or across peered VPCs in the same region. Cross-region peering does not support security group references. This scenario is common in the AWS Certified Solutions Architect Associate exam.
Outbound traffic issues are also common. For example, an instance cannot download packages from the internet. The default outbound rule allows all traffic, but if an administrator has modified the outbound rules to be more restrictive, the instance might be blocked. Typically, the instance needs outbound access on port 443 for HTTPS and port 80 for HTTP to reach AWS service endpoints. DNS resolution requires UDP port 53 outbound. If the outbound rules are too restrictive, the instance fails to resolve DNS, which causes further connectivity issues. Exams often present this as a scenario where an instance can reach some services but not others, and the correct answer is to check the outbound security group rules.
Another troubleshooting clue is related to the order of evaluation for multiple security groups. If you have two security groups attached, one allowing SSH from IP 1.2.3.4 and another denying SSH from that same IP, the traffic is still allowed because security groups only support allow rules. The only way to block traffic is to remove the allow rule. This concept is often tested in the AZ-104 exam when comparing to Azure network security groups, which support both allow and deny rules.
Finally, a classic problem is that the instance is in a public subnet and has a public IP address, but it still cannot be reached from the internet. The security group may allow inbound traffic, but the VPC's route table might not have a route to an internet gateway, or the internet gateway might not be attached to the VPC. In this case, the security group is not the issue, and the problem lies in the networking layer. Exam questions often combine security group issues with route table misconfigurations to test your ability to isolate problems across multiple AWS services.
Troubleshooting Clues
SSH timeout from a specific IP
Symptom: SSH connection hangs and eventually times out when connecting from a particular office IP but works from other locations.
The inbound rule likely specifies the wrong source IP or CIDR. The administrator may have added the public IP address, but the office uses NAT, so the source IP seen by AWS is the NAT gateway's public IP, not the client's IP. Alternatively, the dynamic IP may have changed.
Exam clue: Exam questions present a scenario where an administrator adds their workstation IP to a security group but still cannot connect. The correct answer is usually that the source IP is behind a NAT gateway or that the IP address changed.
Instance cannot reach the internet
Symptom: The instance fails to download packages or access AWS service endpoints. Internal communication within the VPC works fine.
The outbound rules have been modified from the default allow-all. The instance needs outbound rules for HTTPS (TCP 443), HTTP (TCP 80), and DNS (UDP 53). If any of these are missing, external access fails.
Exam clue: The exam often tests the default outbound behavior. If the question says the outbound rules were locked down but no rules were added for HTTPS and DNS, the answer is to add those specific outbound rules.
Load balancer health checks failing
Symptom: The load balancer shows target instances as unhealthy, but the instances are running and can be reached directly from the administrator's machine.
The security group attached to the instances does not allow traffic from the load balancer's security group. The load balancer sends health check requests from its own source IPs or from the security group of the load balancer. You must add an inbound rule that references the load balancer's security group as the source.
Exam clue: This is a classic exam scenario. The correct answer is to add an inbound rule with the source set to the load balancer's security group ID, not the load balancer's IP addresses.
Cross-region peering connectivity failure
Symptom: Instances in two peered VPCs in different regions cannot communicate even though security group rules appear correct.
Security group references are not supported in cross-region VPC peering. You must use CIDR-based rules instead. The security group rule that references a group in another region will never match traffic.
Exam clue: Exam questions highlight that security group references only work within the same region. For cross-region peering, you must use IP addresses or CIDR blocks.
Multiple security groups causing unexpected access
Symptom: An instance that should be locked down is reachable on a port that no attached security group explicitly allows.
The instance may have an additional security group attached that the administrator forgot about. Security groups are evaluated collectively, and any allow rule in any attached group will permit the traffic. Check all attached groups.
Exam clue: Exam questions test that you cannot use multiple security groups to deny traffic; only allow rules exist. The solution is to review all attached security groups and remove the one with the permissive rule.
Unable to delete a security group
Symptom: The delete operation fails with an error indicating the security group is referenced by another rule.
Another security group has a rule that references this security group as a source or destination. You must first remove those referencing rules before you can delete the group. AWS does not allow deleting a security group that is in use by another rule.
Exam clue: Exam scenarios ask why a security group cannot be deleted. The answer is that it is referenced by another security group's rule. You must revoke the referencing rule first.
Security group rule count limit reached
Symptom: When trying to add a rule, the AWS Management Console shows an error: 'Rule quota exceeded'.
Each security group can have a maximum of 60 inbound and 60 outbound rules. The limit cannot be increased per security group. You must either consolidate rules using larger CIDR blocks, use prefix lists, or attach an additional security group to the interface.
Exam clue: Exam questions test the 60-rule limit. A common answer is to use a prefix list to condense multiple CIDR blocks into one rule.
Learn This Topic Fully
This glossary page explains what Security group means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →CISSPCISSP →CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →CLF-C02CLF-C02 →SY0-701CompTIA Security+ →SAA-C03SAA-C03 →SOA-C02SOA-C02 →N10-009CompTIA Network+ →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →XK0-006CompTIA Linux+ →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Access control is the security practice of determining who or what is allowed to view, use, or enter a resource, and under what conditions.
An access review is a periodic audit process where administrators check and confirm which users have permissions to what resources, ensuring only authorized people retain access.
An Administrative unit is a container in Microsoft Entra ID that allows you to delegate administrative permissions over a subset of users, groups, or devices, rather than the entire directory.
An Alias record is a DNS record type that maps a hostname to another hostname, seamlessly routing traffic to AWS resources like load balancers or CloudFront distributions.
Amazon EC2 is a web service that lets you rent virtual computers in the cloud to run your own applications and workloads.
An Amazon Machine Image (AMI) is a pre-configured template used to launch virtual servers (EC2 instances) in Amazon Web Services, including the operating system, software, and settings.
Quick Knowledge Check
1.Which of the following best describes the stateful nature of an AWS security group?
2.An Amazon EC2 instance in a VPC cannot download packages from the internet, but it can communicate with other instances in the same subnet. What is the most likely cause?
3.An administrator needs to allow all instances in the 'WebServer-SG' security group to communicate with instances in the 'AppServer-SG' security group on TCP port 3306. What is the most scalable way to configure this?
4.A security engineer cannot delete a security group because the console says 'The security group is referenced by another security group'. What should the engineer do first?
5.Which of the following is a limitation of using security groups in a VPC peering configuration?