AWScloud~5 mins

Default security group behavior in AWS - Commands & Configuration

Choose your learning style10 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Start learning this pattern below

Jump into concepts and practice - no test required

Recommended

Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong

Introduction

When you create a new virtual network in AWS, it automatically creates a default security group. This group controls what network traffic is allowed to and from your resources. Understanding its default rules helps keep your resources safe without extra setup.

When you launch a new virtual server (EC2 instance) without specifying a security group.

When you want to quickly test connectivity between instances in the same network.

When you need a simple default firewall that allows communication inside your network but blocks outside access.

When you want to understand why your instance can talk to others by default without extra rules.

When you want to customize security but start from a known safe baseline.

Commands

This command lists the default security groups in your AWS account. It shows their IDs and rules so you can see what traffic is allowed by default.

Terminal

aws ec2 describe-security-groups --filters Name=group-name,Values=default

Expected OutputExpected

{ "SecurityGroups": [ { "Description": "default VPC security group", "GroupName": "default", "IpPermissions": [ { "IpProtocol": "-1", "UserIdGroupPairs": [ { "GroupId": "sg-0123456789abcdef0", "UserId": "123456789012" } ] } ], "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "GroupId": "sg-0123456789abcdef0", "VpcId": "vpc-0abcdef1234567890", "OwnerId": "123456789012" } ] }

→

--filters - Filters results to show only the default security group by name

This command shows detailed rules of the default security group by its ID. It helps you understand what inbound and outbound traffic is allowed.

Terminal

aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0

Expected OutputExpected

{ "SecurityGroups": [ { "GroupId": "sg-0123456789abcdef0", "GroupName": "default", "Description": "default VPC security group", "IpPermissions": [ { "IpProtocol": "-1", "UserIdGroupPairs": [ { "GroupId": "sg-0123456789abcdef0", "UserId": "123456789012" } ] } ], "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "VpcId": "vpc-0abcdef1234567890", "OwnerId": "123456789012" } ] }

→

--group-ids - Specifies the security group ID to describe

This command adds a rule to the default security group to allow SSH access from anywhere. It shows how you can customize the default group to allow specific traffic.

Terminal

aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0

Expected OutputExpected

No output (command runs silently)

→

--group-id - Specifies which security group to update

→

--protocol - Sets the network protocol (tcp)

→

--port - Sets the port number (22 for SSH)

→

--cidr - Defines the allowed IP range (any IP here)

Check the updated rules of the default security group to confirm the new SSH rule is added.

Terminal

aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0

Expected OutputExpected

{ "SecurityGroups": [ { "GroupId": "sg-0123456789abcdef0", "GroupName": "default", "Description": "default VPC security group", "IpPermissions": [ { "IpProtocol": "-1", "UserIdGroupPairs": [ { "GroupId": "sg-0123456789abcdef0", "UserId": "123456789012" } ] }, { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "VpcId": "vpc-0abcdef1234567890", "OwnerId": "123456789012" } ] }

→

--group-ids - Specifies the security group ID to describe

Key Concept

If you remember nothing else from this pattern, remember: the default security group allows all outbound traffic and inbound traffic only from resources assigned to the same group.

Common Mistakes

Assuming the default security group allows inbound traffic from any IP by default.

By default, inbound traffic is only allowed from other instances in the same security group, not from the internet.

Explicitly add inbound rules to allow traffic from outside sources if needed.

Deleting the default security group without creating a replacement.

AWS requires a default security group for each VPC; deleting it can cause errors or loss of connectivity.

Modify the default group rules instead of deleting it, or create a new security group and assign it to instances.

Summary

Use 'aws ec2 describe-security-groups' to view the default security group and its rules.

The default security group allows all outbound traffic and inbound traffic only from itself.

You can add rules to the default group to allow specific inbound traffic like SSH.

Practice

(1/5)

1. What is the default behavior of the AWS default security group for inbound traffic?

easy

A. It blocks all inbound traffic by default.

B. It allows inbound traffic from any IP address.

C. It allows inbound traffic only from resources assigned to the same security group.

D. It allows inbound traffic only on port 80.

Default security group behavior in AWS - Commands & Configuration

Start learning this pattern below

Practice

Solution

Step 1: Understand default inbound rules

Step 2: Compare options with default behavior

Final Answer:

Quick Check:

Solution

Step 1: Review default outbound behavior

Step 2: Evaluate each option

Final Answer:

Quick Check:

Solution

Step 1: Recall default inbound rule

Step 2: Analyze each option

Final Answer:

Quick Check:

Solution

Step 1: Understand default security group restrictions

Step 2: Evaluate other options

Final Answer:

Quick Check:

Solution

Step 1: Understand default security group modification limits

Step 2: Best practice for restricting outbound traffic

Final Answer:

Quick Check: