Security Groups Key Details:

• Security groups control inbound and outbound traffic for your instances (they act as a Firewall for EC2 Instances) while NACLs control inbound and outbound traffic for your subnets (they act as a Firewall for Subnets). Security Groups usually control the list of ports that are allowed to be used by your EC2 instances and the NACLs control which network or list of IP addresses can connect to your whole VPC.
• Every time you make a change to a security group, that change occurs immediately
• Security Group rules are based on ALLOWs and there is no concept of DENY when in comes to Security Groups. This means you cannot explicitly deny or blacklist specific ports via Security Groups, you can only implicitly deny them by excluding them in your ALLOWs list
• Because of the above detail, everything is blocked by default. You must go in and intentionally allow access for certain ports.
• Security groups are specific to a single VPC, so you can’t share a Security Group between multiple VPCs. However, you can copy a Security Group to create a new Security Group with the same rules in another VPC for the same AWS Account.
• Security Groups are regional and can span AZs, but can’t be cross-regional.
• You can attach multiple security groups to one EC2 instance and you can have multiple EC2 instances under the umbrella of one security group
• You can specify the source of your security group (basically who is allowed to bypass the virtual firewall) to be a single /32 IP address, an IP range, or even a separate security group.
• You cannot block specific IP addresses with Security Groups (use NACLs instead)
• You can increase your Security Group limit by submitting a request to AWS