How Security Groups Filter Traffic
Understand the stateful firewall attached to each resource.
The Resource Firewall
A security group (SG) is a virtual firewall that attaches directly to an elastic network interface (ENI) on a resource such as an EC2 instance, an RDS database, or a load balancer. It filters inbound and outbound traffic at the resource level rather than at the network boundary, so two instances in the same subnet can have very different rules. An ENI can carry several security groups at once; their allow rules are combined, so attaching a permissive group alongside a strict one effectively widens the strict one.
Allow-Only Rules
Security groups contain allow rules only. There is no way to write an explicit deny. Any traffic that does not match an allow rule is simply dropped. This means you build access by adding the permits you want, and the implicit default is to block everything else. One practical consequence: you cannot carve an exception out of a broad allow by adding a second rule that blocks one host. You narrow the allow itself (for example by splitting the CIDR so that it no longer covers that host), or you apply a network ACL, which does support deny rules and is covered in a later lesson. Because the firewall is stateful, the implicit deny applies to new connections; return traffic for a connection that an allow rule admitted is passed without a matching rule in the other direction.
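The following is an added example, not code from the course or from AWS: a small Python model of inbound security-group evaluation that mirrors the two points above. It defines two hypothetical groups for instances in the same subnet (web-sg and db-sg), evaluates packets against allow rules with the implicit deny, and shows how "allow 10.0.0.0/24 except 10.0.0.5" has to be expressed as a set of narrower allows because no deny rule exists. The rule shape (protocol, port range, source CIDR) follows the fields of a real inbound rule; the group names, addresses and ports are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AllowRule:
    """One inbound security-group rule.

    Deliberately has no action field: every rule is an allow, as in a real SG.
    """
    protocol: str           # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int | None   # None when the rule carries no port range
    to_port: int | None
    source: str             # source CIDR, e.g. "10.0.0.0/24"

    def matches(self, protocol: str, port: int | None, src_ip: str) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.from_port is not None:
            hi = self.to_port if self.to_port is not None else self.from_port
            if port is None or not (self.from_port <= port <= hi):
                return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


@dataclass
class SecurityGroup:
    name: str
    inbound: list[AllowRule] = field(default_factory=list)

    def allows_inbound(self, protocol: str, port: int | None, src_ip: str) -> bool:
        # Any matching allow admits the packet; with no match we fall through
        # to the implicit deny. No rule can return False on its own.
        return any(r.matches(protocol, port, src_ip) for r in self.inbound)


def allow_except(protocol: str, port: int, cidr: str, excluded: str) -> list[AllowRule]:
    """Express "allow from cidr except excluded" with allow rules only.

    Since a deny rule does not exist, the only option is to split the CIDR
    into the largest blocks that together cover everything but the hole.
    """
    net = ipaddress.ip_network(cidr)
    hole = ipaddress.ip_network(excluded)
    return [AllowRule(protocol, port, port, str(n)) for n in sorted(net.address_exclude(hole))]


def build_example_groups() -> dict[str, SecurityGroup]:
    # Hypothetical groups for two instances that share a subnet (constructed data).
    web = SecurityGroup("web-sg", [
        AllowRule("tcp", 443, 443, "0.0.0.0/0"),
        # SSH from the management range, minus one host that must never reach it.
        *allow_except("tcp", 22, "10.0.0.0/24", "10.0.0.5/32"),
    ])
    db = SecurityGroup("db-sg", [
        AllowRule("tcp", 5432, 5432, "10.0.1.0/24"),
    ])
    return {"web": web, "db": db}


if __name__ == "__main__":
    groups = build_example_groups()
    checks = [
        ("web", "tcp", 443, "203.0.113.10"),   # public HTTPS: allowed
        ("db", "tcp", 443, "203.0.113.10"),    # same subnet, different SG: dropped
        ("db", "tcp", 5432, "10.0.1.7"),       # app tier to database: allowed
        ("web", "tcp", 22, "10.0.0.9"),        # SSH from management range: allowed
        ("web", "tcp", 22, "10.0.0.5"),        # the carved-out host: dropped
    ]
    for name, proto, port, src in checks:
        verdict = "ALLOW" if groups[name].allows_inbound(proto, port, src) else "DROP (implicit)"
        print(f"{name:6} {proto}/{port:<5} from {src:14} -> {verdict}")
    print("rules needed for 10.0.0.0/24 minus 10.0.0.5:",
          [r.source for r in allow_except("tcp", 22, "10.0.0.0/24", "10.0.0.5/32")])
```

Excluding a single /32 from a /24 takes eight allow rules, one per prefix length from /25 down to /32. That rule growth is the practical cost of an allow-only model, and it is why an exception for a specific source is usually better placed in a network ACL than expressed as a pile of split allows.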
All lessons in this course
- How Security Groups Filter Traffic
- How Network ACLs Filter Subnets
- Stateful versus Stateless Behavior
- Layering Both for Defense in Depth