302 — Security Groups

Intermediate

Create an EC2 security group, add IP-scoped SSH and open HTTP rules, launch a t2.micro, modify rules on a live instance, and clean up — all from the CLI.

Learning Objectives

1
Explain how security groups act as stateful, instance-level virtual firewalls
2
Create a security group in the default VPC using the CLI
3
Add an inbound SSH rule scoped to your own current IP address
4
Add an inbound HTTP rule open to all IP addresses
5
Launch a t2.micro EC2 instance with the custom security group attached
6
Inspect and modify security group rules on a running instance
7
Revoke a rule, terminate the instance, and delete the security group
Step 1

List existing security groups

Display the security groups currently in your account for this region. Every account starts with at least one default security group — one per VPC. Reviewing existing groups helps you avoid naming conflicts and understand the starting baseline.

Commands to Run

aws ec2 describe-security-groups \
  --query "SecurityGroups[*].{Name:GroupName,ID:GroupId,VPC:VpcId,Description:Description}" \
  --output table

What This Does

describe-security-groups returns all security groups in the current region.

The JMESPath projection selects four fields and renames them for readable table output.

You will see at least the default security group that AWS creates automatically for every VPC.

Note its Group ID — it starts with sg-.

The default security group allows all outbound traffic and all inbound traffic from other members of the same group.

Expected Outcome

A table listing at least one row for the default VPC's default security group:
---------------------------------------------------------------------------
|                      DescribeSecurityGroups                            |
+-----------+----------------+----------------------------------+--------+
| Description    | ID            | Name    | VPC                          |
+-----------+----------------+----------------------------------+--------+
| default VPC... | sg-0abc123456 | default | vpc-0a1b2c3d4e5f67890        |
+-----------+----------------+----------------------------------+--------+

Pro Tips

  • 1
    Security group names must be unique within a VPC, but the same name can exist in different VPCs.
  • 2
    The default security group cannot be deleted. You can modify its rules but not remove the group itself.

Common Mistakes to Avoid

  • āš ļøConfusing security group IDs (sg-*) with VPC IDs (vpc-*) — they look similar but are different resource types and are not interchangeable in CLI commands.
Was this step helpful?

All Steps (0 / 11 completed)