AWS cloud, ~5 mins

Security group as virtual firewall in AWS - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is a security group in AWS?
A security group is a virtual firewall attached to a resource's network interface (an EC2 instance, an RDS database, a load balancer, and so on). It filters the inbound and outbound traffic for that interface according to allow rules you define; anything no rule allows is dropped.
beginner
How do security groups control traffic?
Security groups use allow rules only. Each rule names a protocol, a port range, and a source (inbound) or destination (outbound), given as a CIDR block, a managed prefix list, or another security group. Traffic matching any rule is allowed; everything else is implicitly denied. Because there are no deny rules, the order of rules does not matter.
intermediate
Can security groups block outgoing traffic by default?
No. A new security group is created with one outbound rule allowing all traffic to 0.0.0.0/0 (and ::/0 when the VPC has IPv6). To restrict egress you must remove that rule and add specific outbound rules; until you do, a compromised instance can reach any destination.
beginner
What happens if you don’t add any inbound rules to a security group?
With no inbound rules, the implicit deny applies and no new inbound connection is accepted: the resource is unreachable for connections initiated from outside. Because security groups are stateful, responses to connections the resource itself initiated (for example, replies from a package repository it contacted) are still allowed in.
intermediate
How are security groups different from network ACLs in AWS?
Security groups attach to the network interface (instance level), are stateful (return traffic is allowed automatically), contain allow rules only, and evaluate all rules before deciding. Network ACLs attach to a subnet, are stateless (inbound and outbound must each be allowed explicitly, including response traffic on ephemeral ports 1024-65535), support both allow and deny rules, and are evaluated in rule-number order with the first match winning. A flow must be permitted by both to reach the instance.
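The stateful, allow-only behaviour of security groups and the ordered, stateless behaviour of network ACLs described in the cards above are easier to see in an executable model. The following is an added example written for this page, not AWS code: it models both evaluations in plain Python (rule fields mirror the console, but the flow tracking and the NACL ordering are simplifications of what AWS actually does), and all addresses and rules are constructed.

```python
# Added example for this page, not AWS code: a simplified offline model of how
# a security group (stateful, allow-only) and a network ACL (stateless,
# ordered allow/deny) decide whether a packet passes. Addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int         # -1 means any port
    to_port: int
    cidr: str              # source (inbound) or destination (outbound) block
    action: str = "allow"  # NACLs may say "deny"; security groups ignore this
    number: int = 100      # NACL evaluation order; unused by security groups

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        # ipaddress answers False for an IPv4 address tested against an IPv6 block
        return ip_address(addr) in ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    # every new group ships with this single allow-all outbound rule
    outbound: list = field(default_factory=lambda: [Rule("-1", -1, -1, "0.0.0.0/0")])
    # simplified connection tracking: (protocol, remote addr, remote port)
    tracked: set = field(default_factory=set)

    def allow_out(self, protocol: str, dst_port: int, dst: str) -> bool:
        ok = any(r.matches(protocol, dst_port, dst) for r in self.outbound)
        if ok:
            self.tracked.add((protocol, dst, dst_port))
        return ok

    def allow_in(self, protocol: str, dst_port: int, src: str, src_port: int = 0) -> bool:
        # Stateful: a reply to a flow the instance opened is admitted even though
        # no inbound rule matches it. Otherwise any allow rule suffices; there are
        # no deny rules, so rule order never matters.
        if (protocol, src, src_port) in self.tracked:
            return True
        return any(r.matches(protocol, dst_port, src) for r in self.inbound)


@dataclass
class NetworkAcl:
    inbound: list
    outbound: list

    @staticmethod
    def _first_match(rules: list, protocol: str, port: int, addr: str) -> bool:
        # Stateless and ordered: lowest rule number first, first match wins,
        # and AWS appends an implicit "*" deny-all at the end.
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(protocol, port, addr):
                return r.action == "allow"
        return False

    def allow_in(self, protocol: str, port: int, src: str) -> bool:
        return self._first_match(self.inbound, protocol, port, src)

    def allow_out(self, protocol: str, port: int, dst: str) -> bool:
        return self._first_match(self.outbound, protocol, port, dst)


def reaches_instance(nacl: NetworkAcl, sg: SecurityGroup, protocol: str, port: int, src: str) -> bool:
    """A new inbound connection must pass the subnet's NACL and then the group."""
    return nacl.allow_in(protocol, port, src) and sg.allow_in(protocol, port, src)


def demo() -> dict:
    sg = SecurityGroup(inbound=[
        Rule("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS from anywhere
        Rule("tcp", 22, 22, "203.0.113.0/24"),   # SSH from one office block
    ])
    # A NACL that was never updated to allow 443: the situation in practice
    # question 4, where the group allows HTTPS but traffic is still blocked.
    nacl = NetworkAcl(
        inbound=[Rule("tcp", 22, 22, "0.0.0.0/0", number=100)],
        outbound=[Rule("-1", -1, -1, "0.0.0.0/0", number=100)],
    )
    return {
        "ssh_from_office": reaches_instance(nacl, sg, "tcp", 22, "203.0.113.45"),
        "ssh_from_elsewhere": reaches_instance(nacl, sg, "tcp", 22, "203.0.114.10"),
        "https_group_alone": sg.allow_in("tcp", 443, "198.51.100.7"),
        "https_through_nacl": reaches_instance(nacl, sg, "tcp", 443, "198.51.100.7"),
        "default_egress": sg.allow_out("tcp", 443, "192.0.2.80"),
        # the reply arrives from 192.0.2.80:443 to an ephemeral port on the instance
        "reply_admitted": sg.allow_in("tcp", 51515, "192.0.2.80", src_port=443),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```

The `https_through_nacl` case is the one to remember when a rule looks right but nothing connects: the group alone says yes, the subnet's NACL says no, and the NACL is consulted first. The `reply_admitted` case is why an instance with no inbound rules can still `apt-get update`.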
What type of traffic does a security group control in AWS?
A. Inbound and outbound traffic
B. Only inbound traffic
C. Only outbound traffic
D. Traffic between AWS regions
By default, what is the outbound traffic rule in a new security group?
A. Only SSH traffic is allowed
B. All outbound traffic is blocked
C. Only HTTP traffic is allowed
D. All outbound traffic is allowed
If you want to allow SSH access to an EC2 instance, which port should you open in the security group inbound rules?
A. Port 80
B. Port 22
C. Port 443
D. Port 3389
What does it mean that security groups are stateful?
A. Return traffic is automatically allowed
B. Rules must be set for both inbound and outbound separately
C. They only work within one AWS region
D. They log all traffic automatically
Can you assign multiple security groups to a single EC2 instance?
A. Only if the instance is in a public subnet
B. No, only one security group per instance
C. Yes, multiple security groups can be assigned
D. Only for instances running Windows
Explain how a security group acts as a virtual firewall in AWS.
Think about how a firewall filters traffic to protect a computer.
Describe the difference between security groups and network ACLs in AWS.
Consider where and how each controls traffic.

      Practice

      1. What is the primary purpose of a security group in AWS?
      easy
      A. To act as a virtual firewall controlling traffic to resources
      B. To store data securely in the cloud
      C. To manage user permissions and roles
      D. To monitor resource usage and billing

      Solution

      1. Step 1: Understand the role of security groups

        Security groups filter network traffic to and from AWS resources; they are the virtual firewall attached to a resource's network interface.
      2. Step 2: Differentiate from other AWS services

        Security groups do not store data (that is S3), manage identities and permissions (IAM), or monitor usage and billing (CloudWatch, Cost Explorer).
      3. Final Answer:

        To act as a virtual firewall controlling traffic to resources -> Option A
      4. Quick Check:

        Security group = virtual firewall
      Hint: Security groups control traffic, not data or users
      Common Mistakes:
      • Confusing security groups with IAM roles
      • Thinking security groups store data
      • Mixing security groups with billing tools
      2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
      easy
      A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
      B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
      C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
      D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0

      Solution

      1. Step 1: Identify the correct protocol and port for HTTP

        HTTP runs over TCP, conventionally on port 80, so the rule needs protocol TCP and port range 80.
      2. Step 2: Confirm the source IP range for open access

        0.0.0.0/0 matches every IPv4 source. It covers IPv4 only; to accept IPv6 clients as well, add the same rule with source ::/0.
      3. Final Answer:

        Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D
      4. Quick Check:

        HTTP = TCP port 80
      Hint: HTTP is TCP; open the port the server actually listens on (80 by convention, 8080 or another port if configured differently)
      Common Mistakes:
      • Using UDP instead of TCP for HTTP
      • Using wrong port like 22 for HTTP
      • Confusing ICMP with TCP/UDP protocols
      3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
      medium
      A. 203.0.114.10
      B. 203.0.113.45
      C. 192.168.1.1
      D. 0.0.0.0

      Solution

      1. Step 1: Understand the CIDR range 203.0.113.0/24

        The first 24 bits are fixed, so the range covers every address from 203.0.113.0 to 203.0.113.255 (256 addresses).
      2. Step 2: Check which IP falls inside this range

        203.0.113.45 is inside the range. 203.0.114.10 differs in the third octet, 192.168.1.1 is private address space, and 0.0.0.0 is the unspecified address, not a routable source (do not confuse it with the 0.0.0.0/0 wildcard).
      3. Final Answer:

        203.0.113.45 -> Option B
      4. Quick Check:

        IP in 203.0.113.0/24 allowed
      Hint: Check whether the address fits the CIDR prefix before assuming access is allowed
      Common Mistakes:
      • Assuming 203.0.114.x is inside 203.0.113.0/24
      • Confusing 0.0.0.0 with a valid IP
      • Not understanding CIDR notation
      4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
      medium
      A. The instance's network ACL blocks port 443
      B. Security groups do not control HTTPS traffic
      C. The source IP range 0.0.0.0/0 is invalid
      D. Port 443 is only for HTTP, not HTTPS

      Solution

      1. Step 1: Confirm security group rule allows HTTPS

        Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS from any IPv4 address.
      2. Step 2: Identify other network controls

        Traffic entering a subnet is evaluated by the subnet's network ACL before it reaches the instance's security group; both must allow it. Because NACLs are stateless, the NACL must also allow the outbound response on ephemeral ports (1024-65535), or the handshake completes in one direction only.
      3. Final Answer:

        The instance's network ACL blocks port 443 -> Option A
      4. Quick Check:

        A security group allow is necessary, not sufficient: the NACL (and the route table and internet gateway) must also permit the flow
      Hint: If the security group allows the traffic but it is still blocked, check the subnet's network ACL next, then routing and whether the service is actually listening on 443
      Common Mistakes:
      • Thinking security groups don't control HTTPS
      • Believing 0.0.0.0/0 is invalid
      • Confusing port 443 with HTTP port 80
      5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
      hard
      A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
      B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
      C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
      D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32

      Solution

      1. Step 1: Identify correct protocol and port for SSH

        SSH runs over TCP on port 22 (by default).
      2. Step 2: Restrict source IP to single address

        A /32 prefix fixes all 32 bits, so 198.51.100.25/32 matches exactly one IPv4 address. (The IPv6 equivalent is /128.) Option A opens port 22 to the whole internet, the mistake most often found in real accounts.
      3. Final Answer:

        Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C
      4. Quick Check:

        SSH restricted to one IP with /32
      Hint: Use /32 (IPv4) or /128 (IPv6) to allow a single host only
      Common Mistakes:
      • Allowing all IPs with 0.0.0.0/0
      • Using UDP instead of TCP for SSH
      • Using wrong port like 80 for SSH
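Practice question 5 is the single-host case of a check worth automating across an account: does any group expose an administrative port to the whole internet? This is an added example written for this page, not AWS or boto3 code. It audits security groups in the `IpPermissions` shape that the EC2 DescribeSecurityGroups API returns and builds the corrected /32 (or /128) rule in that same shape, so the result can be handed to `authorize_security_group_ingress`. The two sample groups and their IDs are constructed for the example.

```python
# Added example for this page, not AWS code: audit security groups in the
# IpPermissions shape that EC2 DescribeSecurityGroups returns, and build the
# corrected single-host rule in the same shape. Sample groups are constructed.
from ipaddress import ip_network

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = (22, 3389)   # SSH and RDP: the ports attackers scan for first

SAMPLE_GROUPS = [  # constructed; same shape as describe_security_groups()["SecurityGroups"]
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "198.51.100.25/32", "Description": "office"}],
             "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "bastion-oops",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            # "-1" is "all traffic": no FromPort/ToPort keys are present
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        ],
    },
]


def permission_covers_tcp_port(perm: dict, port: int) -> bool:
    """True if this IpPermissions entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":
        return True                      # all protocols, all ports
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def is_world_reachable(cidr: str, max_prefixlen: int = 0) -> bool:
    """0.0.0.0/0 and ::/0 by default; raise max_prefixlen (e.g. 8) to treat
    very large blocks as 'the world' as well."""
    return ip_network(cidr, strict=False).prefixlen <= max_prefixlen


def find_world_open_admin_ports(groups: list, ports=ADMIN_PORTS) -> list:
    """Return (GroupId, port, cidr) for every admin port open to any address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in ports:
                if permission_covers_tcp_port(perm, port):
                    findings.extend((group["GroupId"], port, c)
                                    for c in cidrs if is_world_reachable(c))
    return findings


def single_host_rule(port: int, host: str, description: str = "") -> dict:
    """IpPermissions entry allowing TCP `port` from exactly one host.
    A bare address becomes /32 (IPv4) or /128 (IPv6)."""
    net = ip_network(host)
    rng = {"CidrIp" if net.version == 4 else "CidrIpv6": str(net)}
    if description:
        rng["Description"] = description
    ranges_key = "IpRanges" if net.version == 4 else "Ipv6Ranges"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, ranges_key: [rng]}


if __name__ == "__main__":
    for group_id, port, cidr in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: TCP {port} open to {cidr}")
    # the fix from practice question 5, ready to pass as
    # ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[rule])
    print(single_host_rule(22, "198.51.100.25", "office"))
```

Two details matter in the audit: an `IpProtocol` of `"-1"` has no port keys at all yet covers every port, and an IPv6 `::/0` range is just as open as `0.0.0.0/0`, so a check that only looks at `IpRanges` misses half the exposure.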