A SECURITY GROUP is a virtual firewall that controls the INBOUND and OUTBOUND traffic of AWS resources (such as EC2 instances): it defines which ports, protocols and sources are allowed. Security groups are the foundation of AWS network security.
What a security group does
A SECURITY GROUP is a virtual firewall attached to resources (EC2, RDS, etc.):
→ INBOUND rules — what traffic can REACH the resource (port, protocol, source)
→ OUTBOUND rules — what traffic the resource can SEND OUT
→ only ALLOW rules (there is no explicit deny rule); any traffic that no rule allows is DENIED by default
→ STATEFUL — if an inbound connection is allowed, its reply traffic is automatically allowed back out, regardless of the outbound rules (and vice versa)
Example rules
Inbound rules for a web server:
Allow TCP 443 (HTTPS) from 0.0.0.0/0 → anyone can reach HTTPS
Allow TCP 80 (HTTP) from 0.0.0.0/0 → anyone can reach HTTP
Allow TCP 22 (SSH) from <your IP>/32 → ONLY your IP can SSH (not the whole world!)
→ everything else is blocked (default deny)
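To make the three properties above concrete (allow-only, default deny, stateful) and to exercise the web server rule set, here is a small evaluator added as an illustration; it is not AWS code and does not talk to the AWS API. It models rules with the same fields the AWS API uses (protocol, port range, CIDR), evaluates sample traffic against the constructed web server rules, tracks allowed inbound connections so that replies pass without an outbound rule, and includes a defensive check that flags administrative ports (SSH, RDP) exposed to the whole Internet. The address 203.0.113.10 stands in for "your IP" and is a documentation address, and the "exposed admin ports" check is an assumption about what a reviewer would want to catch, not an AWS feature.

```python
"""Toy model of AWS security group semantics (constructed example, not AWS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols, as in the AWS API)
    from_port: int   # start of the port range; -1 means "all ports" (AWS "all traffic")
    to_port: int     # end of the port range
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules


def rule_matches(rule: Rule, protocol: str, port: int, address: str) -> bool:
    """True if one ALLOW rule covers this protocol, port and peer address."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
        return False
    # IPv4 addresses never match IPv6 networks and vice versa; ipaddress handles that.
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr, strict=False)


def is_allowed(rules, protocol: str, port: int, address: str) -> bool:
    """Allow-list semantics: any matching rule allows; no match means default deny."""
    return any(rule_matches(r, protocol, port, address) for r in rules)


class StatefulGroup:
    """A security group with connection tracking for the 'stateful' property."""

    def __init__(self, inbound, outbound):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        # Allowed inbound flows: (protocol, remote_addr, remote_port, local_port)
        self.tracked = set()

    def accept_inbound(self, protocol, local_port, remote_addr, remote_port) -> bool:
        ok = is_allowed(self.inbound, protocol, local_port, remote_addr)
        if ok:
            self.tracked.add((protocol, remote_addr, remote_port, local_port))
        return ok

    def accept_outbound(self, protocol, remote_addr, remote_port, local_port) -> bool:
        # Reply to a tracked inbound connection: allowed even with no outbound rules.
        if (protocol, remote_addr, remote_port, local_port) in self.tracked:
            return True
        return is_allowed(self.outbound, protocol, remote_port, remote_addr)


def world_exposed_admin_ports(rules, admin_ports=(22, 3389)):
    """Return admin ports (SSH, RDP) reachable from anywhere: 0.0.0.0/0 or ::/0 (assumed check)."""
    exposed = set()
    for r in rules:
        if ipaddress.ip_network(r.cidr, strict=False).prefixlen != 0:
            continue  # not open to the whole Internet
        if r.protocol not in ("-1", "tcp"):
            continue
        for p in admin_ports:
            if r.from_port == -1 or r.from_port <= p <= r.to_port:
                exposed.add(p)
    return sorted(exposed)


# Constructed inbound rules for the web server described on the page.
WEB_INBOUND = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),       # HTTPS from anyone
    Rule("tcp", 80, 80, "0.0.0.0/0"),         # HTTP from anyone
    Rule("tcp", 22, 22, "203.0.113.10/32"),   # SSH only from the admin's IP
]

if __name__ == "__main__":
    print("443 from Internet:", is_allowed(WEB_INBOUND, "tcp", 443, "198.51.100.7"))
    print("22 from Internet:", is_allowed(WEB_INBOUND, "tcp", 22, "198.51.100.7"))
    print("22 from admin IP:", is_allowed(WEB_INBOUND, "tcp", 22, "203.0.113.10"))
    print("Exposed admin ports:", world_exposed_admin_ports(WEB_INBOUND))
```

Note that the outbound rule list given to StatefulGroup can be empty and HTTPS replies still leave: that is exactly the stateful behaviour, and it is why tightening outbound rules never breaks responses to allowed inbound connections.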
