AWS security groups are associated with EC2 instances, and provide security at the protocol and port access level, much like Network Access Control Lists (NACLs), and as a result, they also work much the same way. Containing a set of rules that filter traffic coming into and out of an EC2 instance, authorizing which communication can occur between instances. However, unlike NACLs, with security groups, there isn't a Deny action for a rule. Instead, if there isn't a rule that explicitly permits a particular packet, it will simply be dropped. The rule set is made up of two rule sets, inbound and outbound.

Security groups are stateful, meaning you do not need the same rules for both inbound and outbound traffic for response traffic, unlike, NACLs, which are stateless. Therefore, any rule that authorizes traffic into an EC2 instance will allow any response to be returned without an explicit rule in the outbound ruleset.

Each rule is comprised of 8 fields: 

1. Name: As expected this allows you to add a name for the rule up to 255 characters in length
2. Security Group Rule ID: This is automatically created and set a unique identifier for the security group rule
3. IP Version: Here you can select which IP version that the security group apples to, V4 or V6
4. Type: This dropdown list allows you to select common protocols like SSH, RDP, HTTP. You can also choose custom protocols. 
5. Protocol: This is typically grayed out, as it's covered by most type choices. However, if you create a custom rule, you can specify your protocol here
6. Port range: This value will also usually be pre-filled, reflecting the default port range for your chosen protocol. However, there might be times when you prefer to use custom ports. 
7. Source: This can be a net or subnet range, a specific IP address, or another AWS security group. You can also leave access open to the entire internet using the Anywhere value. 
8. Description: This simply allows you to add a description for the rule itself

In this screenshot, we can clearly see that authorization is permitted if the source IP address is 94.118.90.66/32 and is using SSH across TCP on port 22. Security groups are a great way to authorize the use of particular ports for communication, whilst restricting all other communication over denied ports.

For example, you could have a number of SQL RDS instances that you want to write to from a group of EC2 instances. In this case, you could create a security group for the SQL RDS instances and another security group for the EC2 instances. You could then authorize communication to happen over specified permitted ports, such as 1433 and 1434, used by SQL, between the two groups. All other communication will be dropped and denied, which in turn enhances security on your AWS infrastructure.

That now brings me to the end of this lecture and to the end of this course.  You should now have a greater understanding of the different methods that AWS implements to authorize access within your AWS account.

If you have any feedback, positive or negative, please send an e-mail to support@cloudacademy.com, your feedback is greatly appreciated.

Thank you for your time and good luck with your continued learning of cloud computing. Thank you.