Security groups

The first layer of defense for our instances is the security group. A security group always needs to be applied or created when we spawn a new instance in the AWS EC2 service. The security group acts as a personal stateful firewall sitting directly in front of the instance, filtering traffic by port and protocol. For instance, when we start a Linux web server, we want to do the following:

  • Access the console by establishing an SSH connection on port 22 with the system
  • Accept connections on the HTTPS port 443 so that secure communication with the web server can be established
  • Optionally, allow HTTP on port 80

To allow access to this server, we would simply create a security group and add ports 22, 443, and, optionally, 80 as allowed ports for the TCP protocol from wherever we are communicating with the instance. Any instance that is a member of the security group will become accessible on the ports defined in the policy within the group. Any return traffic from the instance will also be allowed, no matter what the return port is, since the security group works in a stateful manner. By default, all ports are implicitly denied and we need to create an allow rule to open communication on a port and protocol.

Since one instance can be a member of multiple security groups, we can also separate the rules into several security groups, one allowing port 22, one allowing port 443, and one allowing port 80, and then arbitrarily assign these to instances that require them. If traffic is coming from other instances that are members of security groups, we can also simply specify the security group as a source for the traffic and allow communication in a very strict and easily manageable fashion.
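To make the semantics described above concrete (implicit deny, the union of rules across every group an instance belongs to, and a security group used as a traffic source), here is an added example that is not from the book; it models the evaluation in plain Python and renders rules in the IpPermissions shape the EC2 API accepts. Group IDs, CIDRs and the sg-web/sg-app groups are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of EC2 security-group ingress evaluation.
# Group IDs and CIDRs below are made up for illustration.

@dataclass
class Rule:
    protocol: str                        # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: Optional[str] = None           # source given as an IP range, or
    source_group: Optional[str] = None   # source given as another security group

@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)

    def to_ip_permissions(self) -> List[dict]:
        """Render the rules as the IpPermissions list the EC2 API expects."""
        perms = []
        for r in self.ingress:
            p = {"IpProtocol": r.protocol, "FromPort": r.from_port, "ToPort": r.to_port}
            if r.cidr:
                p["IpRanges"] = [{"CidrIp": r.cidr}]
            if r.source_group:
                p["UserIdGroupPairs"] = [{"GroupId": r.source_group}]
            perms.append(p)
        return perms

def allowed(groups, protocol, port, src_ip, src_groups=()):
    """Inbound traffic is allowed if ANY rule in ANY of the instance's groups
    matches; security groups have no deny rules, so no match = implicit deny."""
    for g in groups:
        for r in g.ingress:
            if r.protocol != protocol or not (r.from_port <= port <= r.to_port):
                continue
            if r.cidr and ip_address(src_ip) in ip_network(r.cidr):
                return True
            if r.source_group and r.source_group in src_groups:
                return True
    return False

ADMIN_NET = "203.0.113.0/24"  # constructed admin range; SSH only from here
ssh = SecurityGroup("sg-ssh", [Rule("tcp", 22, 22, cidr=ADMIN_NET)])
https = SecurityGroup("sg-https", [Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
http = SecurityGroup("sg-http", [Rule("tcp", 80, 80, cidr="0.0.0.0/0")])
web = SecurityGroup("sg-web")  # empty group: membership alone marks a trusted source
app = SecurityGroup("sg-app", [Rule("tcp", 8080, 8080, source_group="sg-web")])
```

Note that `allowed()` only checks the inbound direction; return traffic for an accepted connection is permitted by the stateful behaviour and never needs its own rule.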
