Network Security Concepts
The Amazon EC2 service allows you to dynamically add and remove instances. However, this flexibility can complicate firewall configuration and maintenance, which traditionally rely on IP addresses, subnet ranges or DNS host names as the basis for the firewall rules.
The Amazon EC2 firewall allows you to assign your instances to user-defined groups and define firewall rules for these groups. As instances are added or removed, the appropriate rules are enforced. Similarly, if you change a rule for a group, the changes are automatically applied to all members of the group.
Security Groups
A security group is a named collection of access rules. These access rules specify which ingress (i.e., incoming) network traffic should be delivered to your instance. All other ingress traffic will be discarded.
You can modify rules for a group at any time. The new rules are automatically enforced for all running instances and instances launched in the future.
Note: You can create up to 100 security groups.
Group Membership
When you launch an AMI instance, you can assign it to as many groups as you like.
If no groups are specified, the instance is assigned to the default group. By default, this group allows all network traffic from other members of this group and discards traffic from other IP addresses and groups. If this does not meet your needs, you can modify the rule settings of the default group.
Note: After an instance is running, the security groups to which it belongs cannot be changed.
Group Access Rights
The access rules define source-based access, either for named security groups or for IP addresses (i.e., CIDR-based rules). For CIDR-based rules, you can also specify the protocol and port range (or ICMP type and code).
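The following is an added example, not code from the EC2 documentation or the service itself: a small model of the ingress evaluation described in the Security Groups, Group Membership and Group Access Rights sections. It assumes the constructed group names, rule fields and sample addresses shown in the code; the point it illustrates is that delivery is default-deny and depends on the union of rules across every group an instance belongs to, with group-based rules matching on the sender's membership and CIDR-based rules matching on address, protocol and port (or ICMP type and code).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model (not AWS code) of the ingress semantics described above:
# a group is a list of allow rules, an instance may belong to several groups,
# and ingress matched by no rule of any of its groups is discarded.

@dataclass
class Rule:
    source_group: Optional[str] = None  # named-group rule: matches by membership
    cidr: Optional[str] = None          # CIDR rule: protocol and ports also apply
    protocol: Optional[str] = None      # "tcp", "udp" or "icmp"
    from_port: int = 0                  # low port, or ICMP type (-1 = any)
    to_port: int = 65535                # high port, or ICMP code (-1 = any)

@dataclass
class Packet:
    src_ip: str
    src_groups: Set[str] = field(default_factory=set)  # sender's groups, if an instance
    protocol: str = "tcp"
    port: int = 0                       # destination port, or ICMP type
    icmp_code: int = 0

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.source_group is not None:
        # Group-based rule: the sending instance must be a member of that group.
        return rule.source_group in pkt.src_groups
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol != pkt.protocol:
        return False
    if pkt.protocol == "icmp":
        return rule.from_port in (-1, pkt.port) and rule.to_port in (-1, pkt.icmp_code)
    return rule.from_port <= pkt.port <= rule.to_port

def ingress_allowed(groups: Dict[str, List[Rule]], instance_groups: Set[str], pkt: Packet) -> bool:
    """Default deny: deliver only if some rule of some group the instance is in matches."""
    return any(rule_matches(r, pkt) for g in instance_groups for r in groups.get(g, []))

# Constructed sample: the default group trusts its own members; a "web" group
# opens TCP/80 to everyone and ICMP echo request (type 8, any code) to one /24.
GROUPS = {
    "default": [Rule(source_group="default")],
    "web": [Rule(cidr="0.0.0.0/0", protocol="tcp", from_port=80, to_port=80),
            Rule(cidr="198.51.100.0/24", protocol="icmp", from_port=8, to_port=-1)],
}

if __name__ == "__main__":
    inst = {"default", "web"}
    print(ingress_allowed(GROUPS, inst, Packet("203.0.113.9", port=80)))  # True
    print(ingress_allowed(GROUPS, inst, Packet("203.0.113.9", port=22)))  # False
```

Removing "web" from the instance's membership makes the TCP/80 packet fall through to the discard default, which is the behaviour the note about fixed membership makes worth checking before launch.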