
Default security group behavior in AWS - Commands & Configuration

Introduction
When you create a new virtual network (VPC) in AWS, AWS creates a default security group for it. A security group is a stateful, allow-only firewall attached to network interfaces; it controls what traffic is allowed to and from your resources. Knowing the default rules tells you what an instance can reach, and who can reach it, before you add a single rule of your own.
When you launch a new virtual server (EC2 instance) without specifying a security group.
When you want to quickly test connectivity between instances in the same network.
When you need a simple firewall that lets instances in the same security group talk to each other while blocking inbound traffic from outside the group.
When you want to understand why instances in the default group can reach each other without any extra rules.
When you want to customize security but start from a known baseline.
Commands
This command lists the default security groups in the current region, one per VPC. It shows their IDs and rules so you can see what traffic each allows by default.
Terminal
aws ec2 describe-security-groups --filters Name=group-name,Values=default
Expected Output
{
  "SecurityGroups": [
    {
      "Description": "default VPC security group",
      "GroupName": "default",
      "IpPermissions": [
        {
          "IpProtocol": "-1",
          "UserIdGroupPairs": [
            {
              "GroupId": "sg-0123456789abcdef0",
              "UserId": "123456789012"
            }
          ]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ]
        }
      ],
      "GroupId": "sg-0123456789abcdef0",
      "VpcId": "vpc-0abcdef1234567890",
      "OwnerId": "123456789012"
    }
  ]
}
--filters - Filters results to groups named "default"; only the default group of each VPC carries that name
This command shows the rules of a single security group selected by its ID. Reading it, note that the inbound rule has no IpRanges at all: its only source is the group's own ID in UserIdGroupPairs, while the outbound rule allows everything to 0.0.0.0/0.
Terminal
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected Output
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0123456789abcdef0",
      "GroupName": "default",
      "Description": "default VPC security group",
      "IpPermissions": [
        {
          "IpProtocol": "-1",
          "UserIdGroupPairs": [
            {
              "GroupId": "sg-0123456789abcdef0",
              "UserId": "123456789012"
            }
          ]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ]
        }
      ],
      "VpcId": "vpc-0abcdef1234567890",
      "OwnerId": "123456789012"
    }
  ]
}
--group-ids - Specifies the security group ID to describe
This command adds an inbound rule to the default security group that allows SSH (TCP port 22) from any IPv4 address. It shows how the default group can be customized, but 0.0.0.0/0 is used here only so the change is easy to see in the next step: in practice restrict --cidr to your own address range or a bastion host, and remember that the rule applies to every network interface that still uses the default group, not just one instance.
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0
Expected Output
AWS CLI v1 prints nothing on success. AWS CLI v2 prints a JSON object with "Return": true and a SecurityGroupRules array describing the rule just created. Either way, a non-zero exit status means the rule was not added (for example InvalidPermission.Duplicate when an identical rule already exists).
--group-id - Specifies which security group to update
--protocol - Sets the network protocol (tcp)
--port - Sets the port number (22 for SSH)
--cidr - Defines the allowed source IP range (0.0.0.0/0, meaning any IPv4 address, here)
Check the updated rules of the default security group to confirm the new SSH rule is added.
Terminal
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected Output
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0123456789abcdef0",
      "GroupName": "default",
      "Description": "default VPC security group",
      "IpPermissions": [
        {
          "IpProtocol": "-1",
          "UserIdGroupPairs": [
            {
              "GroupId": "sg-0123456789abcdef0",
              "UserId": "123456789012"
            }
          ]
        },
        {
          "IpProtocol": "tcp",
          "FromPort": 22,
          "ToPort": 22,
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ]
        }
      ],
      "VpcId": "vpc-0abcdef1234567890",
      "OwnerId": "123456789012"
    }
  ]
}
--group-ids - Specifies the security group ID to describe
Key Concept

If you remember nothing else from this pattern, remember: the default security group allows all outbound traffic, and inbound traffic only from network interfaces assigned to the same group (the inbound rule references the group's own ID rather than an IP range).

Common Mistakes
Assuming the default security group allows inbound traffic from any IP by default.
By default, inbound traffic is only allowed from other network interfaces that are members of the same security group, not from the internet or even from other groups in the same VPC.
Explicitly add inbound rules to allow traffic from outside sources if needed.
Trying to delete the default security group.
AWS does not allow it: the request fails with a CannotDelete error, and the group exists for as long as its VPC does. Instances launched without an explicit security group will keep landing in it.
Instead, remove its inbound and outbound rules so it denies all traffic, and launch instances with purpose-built security groups.
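An added example, not part of the original page, that turns the two mistakes above into a check: a Python script that reads the JSON printed by the describe-security-groups command from the Commands section, reports every inbound rule on a default group whose source is not the group itself (so an SSH rule open to 0.0.0.0/0 like the one added above is flagged as HIGH), and says whether each group is still in its factory state. The sample JSON is constructed: it contains the page's sg-0123456789abcdef0 after the SSH rule was added, plus a second default group, sg-0fedcba9876543210 in vpc-0fedcba9876543210, which is assumed here as an untouched one.

```python
"""Audit default security groups from `aws ec2 describe-security-groups` JSON.

With `-` as the only argument the CLI output is read from stdin; with no
argument the constructed sample below is audited instead.
"""
import json
import sys

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample (not captured from a real account): an assumed untouched
# default group, then the page's group after the SSH rule was added.
SAMPLE_OUTPUT = """
{"SecurityGroups": [
  {"Description": "default VPC security group", "GroupName": "default",
   "GroupId": "sg-0fedcba9876543210", "VpcId": "vpc-0fedcba9876543210", "OwnerId": "123456789012",
   "IpPermissions": [{"IpProtocol": "-1",
     "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "123456789012"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"Description": "default VPC security group", "GroupName": "default",
   "GroupId": "sg-0123456789abcdef0", "VpcId": "vpc-0abcdef1234567890", "OwnerId": "123456789012",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
"""


def load_groups(output_json):
    """Return the SecurityGroups list from the CLI's JSON document."""
    return json.loads(output_json).get("SecurityGroups", [])


def describe_rule(perm):
    """Render one IpPermissions entry as 'all traffic', 'tcp/22' or 'udp/1000-2000'."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return proto
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def find_external_ingress(group):
    """List (severity, description) for inbound rules whose source is not the group itself."""
    gid = group["GroupId"]
    findings = []
    for perm in group.get("IpPermissions", []):
        what = describe_rule(perm)
        for r in perm.get("IpRanges", []):
            sev = "HIGH" if r["CidrIp"] == ANY_IPV4 else "MEDIUM"
            findings.append((sev, f"{what} from {r['CidrIp']}"))
        for r in perm.get("Ipv6Ranges", []):
            sev = "HIGH" if r["CidrIpv6"] == ANY_IPV6 else "MEDIUM"
            findings.append((sev, f"{what} from {r['CidrIpv6']}"))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != gid:  # a self-reference is the expected default
                findings.append(("MEDIUM", f"{what} from security group {pair.get('GroupId')}"))
        for pl in perm.get("PrefixListIds", []):
            findings.append(("MEDIUM", f"{what} from prefix list {pl['PrefixListId']}"))
    return findings


def is_factory_default(group):
    """True if the group still has exactly AWS's out-of-the-box rules."""
    gid = group["GroupId"]
    ingress, egress = group.get("IpPermissions", []), group.get("IpPermissionsEgress", [])
    if len(ingress) != 1 or len(egress) != 1:
        return False
    i, e = ingress[0], egress[0]
    self_only = (i.get("IpProtocol") == "-1"
                 and not i.get("IpRanges") and not i.get("Ipv6Ranges") and not i.get("PrefixListIds")
                 and [p.get("GroupId") for p in i.get("UserIdGroupPairs", [])] == [gid])
    # Egress is all traffic to 0.0.0.0/0; a VPC with an IPv6 block also gets ::/0.
    all_out = (e.get("IpProtocol") == "-1"
               and [r.get("CidrIp") for r in e.get("IpRanges", [])] == [ANY_IPV4]
               and [r.get("CidrIpv6") for r in e.get("Ipv6Ranges", [])] in ([], [ANY_IPV6])
               and not e.get("UserIdGroupPairs") and not e.get("PrefixListIds"))
    return self_only and all_out


def audit(output_json):
    """Map each default group's ID to its external-ingress findings."""
    return {g["GroupId"]: find_external_ingress(g)
            for g in load_groups(output_json) if g.get("GroupName") == "default"}


if __name__ == "__main__":
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    report = audit(raw)
    for g in load_groups(raw):
        if g["GroupId"] in report:
            state = "factory default" if is_factory_default(g) else "modified"
            print(f"{g['GroupId']} ({g['VpcId']}): {state}")
            for sev, desc in report[g["GroupId"]]:
                print(f"  [{sev}] inbound {desc}")
    sys.exit(1 if any(sev == "HIGH" for f in report.values() for sev, _ in f) else 0)
```

Run it against a real account as aws ec2 describe-security-groups --filters Name=group-name,Values=default | python audit_default_sg.py - (the file name is arbitrary). A non-zero exit means at least one default group accepts traffic from anywhere, which is exactly the state the first mistake above wrongly assumes is the default; a group reported as "factory default" has the self-referencing inbound rule and open egress described in the Key Concept.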
Summary
Use 'aws ec2 describe-security-groups' to view the default security group and its rules.
The default security group allows all outbound traffic, and inbound traffic only from members of the same group.
You can add rules to the default group to allow specific inbound traffic like SSH.