Concepts
A security group is a named collection of access rules. These access rules specify which ingress, i.e. incoming, network traffic should be delivered to your instance. All other ingress traffic will be discarded.
A group's rules may be modified at any time. The new rules are automatically enforced for all running, as well as for subsequently launched, instances affected by the change in rules.
Note: Currently there is a limit of one hundred rules per group.
When an AMI instance is launched, it may be assigned membership in any number of groups.
If no groups are specified, the instance is assigned to the "default" group. You can modify this group like any other group you have created. By default, this group allows all network traffic from other members of the "default" group and discards traffic from other IP addresses and groups.
The access rules define source based access either for named security groups or for IP addresses, i.e. CIDRs. For CIDRs you may also specify the protocol and port range (or ICMP type/code).
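The following is an added example that is not part of the original documentation and is not Amazon's code: a small model of the evaluation described above (default deny, group-sourced rules, CIDR rules narrowed by protocol and port range or ICMP type/code, the "default" group's member-to-member rule, the one-hundred-rule limit, and rule changes taking effect for already running instances). Class names, field names, the sample group names "web" and "default", and the IP addresses are assumptions constructed for the example.

```python
# Illustrative model of how EC2-style security groups decide whether ingress
# traffic reaches an instance. Added example, not Amazon's code; class and
# field names are assumptions made for the example.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RULES_PER_GROUP = 100  # limit stated in the documentation


@dataclass
class Rule:
    """One ingress rule. Its source is either a named group or a CIDR."""
    source_group: Optional[str] = None   # admit members of this group (any protocol/port)
    cidr: Optional[str] = None           # or admit this IP range, narrowed by the fields below
    protocol: Optional[str] = None       # "tcp", "udp" or "icmp"; None means any protocol
    port_from: Optional[int] = None      # tcp/udp port range start, or ICMP type (-1 = any)
    port_to: Optional[int] = None        # tcp/udp port range end, or ICMP code (-1 = any)


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def authorize(self, rule: Rule) -> None:
        """Add a rule; it is enforced on the next evaluation, so running instances see it."""
        if (rule.source_group is None) == (rule.cidr is None):
            raise ValueError("a rule names exactly one source: a group or a CIDR")
        if len(self.rules) >= MAX_RULES_PER_GROUP:
            raise ValueError(f"group {self.name!r} already holds {MAX_RULES_PER_GROUP} rules")
        self.rules.append(rule)


@dataclass
class Instance:
    address: str
    groups: List[str] = field(default_factory=list)

    def memberships(self) -> List[str]:
        # An instance launched without groups belongs to "default".
        return self.groups or ["default"]


@dataclass
class Packet:
    src_ip: str
    protocol: str
    port: int = 0        # destination port for tcp/udp
    icmp_type: int = 0
    icmp_code: int = 0


def _cidr_rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_from is None:  # no port/type restriction on this rule
        return True
    if pkt.protocol == "icmp":
        type_ok = rule.port_from in (-1, pkt.icmp_type)
        code_ok = rule.port_to in (-1, pkt.icmp_code)
        return type_ok and code_ok
    return rule.port_from <= pkt.port <= rule.port_to


def is_delivered(dst: Instance, src: Optional[Instance], pkt: Packet,
                 groups: Dict[str, SecurityGroup]) -> bool:
    """Default deny: traffic is delivered only if some rule of some group the
    destination belongs to admits it. src is None for traffic from outside EC2."""
    src_groups = set(src.memberships()) if src is not None else set()
    for gname in dst.memberships():
        for rule in groups[gname].rules:
            if rule.source_group is not None:
                if rule.source_group in src_groups:
                    return True
            elif _cidr_rule_matches(rule, pkt):
                return True
    return False


def build_sample() -> Dict[str, SecurityGroup]:
    """Constructed sample: the stock 'default' group plus a 'web' group."""
    default = SecurityGroup("default")
    default.authorize(Rule(source_group="default"))  # members may reach each other
    web = SecurityGroup("web")
    web.authorize(Rule(cidr="0.0.0.0/0", protocol="tcp", port_from=80, port_to=80))
    web.authorize(Rule(cidr="203.0.113.0/24", protocol="tcp", port_from=22, port_to=22))
    web.authorize(Rule(cidr="0.0.0.0/0", protocol="icmp", port_from=8, port_to=-1))  # echo request
    return {"default": default, "web": web}
```

Because `is_delivered` reads the group's rule list at evaluation time, calling `authorize` on a group changes the outcome for instances that are already running, which is the behaviour the text describes; a rule for port 22 in the "web" group admits only the named CIDR, so a "default" member cannot reach a "web" instance on that port unless a group-sourced rule says so.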