- Cloud & AWS Fundamentals
- What is Cloud Computing
- Cloud Service Models: IaaS, PaaS, SaaS
- Deployment Models: Public, Private, Hybrid
- AWS Global Infrastructure (Regions, AZs, Edge Locations)
- IAM, Accounts, Billing
- Identity & Access Management (IAM)
- Amazon EC2 β Virtual Servers
- EC2 Instances
- AMI, Instance Types
- Security Groups, Key Pairs
- Elastic IP
- EC2 Pricing
- Auto Scaling
- Load Balancer (ALB, NLB, CLB)
- Hands-on Activities: Launch an EC2 instance, Host a website, Set up auto-scaling group
- Amazon S3 β Storage
- Buckets, Objects
- Versioning
- Lifecycle Policies
- S3 Storage Classes
- S3 Encryption
- Static Website Hosting
- Transfer Acceleration
- Object Lock
- Hands-on Activities: Host static website, Automate backup using lifecycle rules
- Databases
- RDS
- DynamoDB
- Aurora
- Networking & Security
- VPC (Virtual Private Cloud)
- Hands-on: Create custom VPC, Deploy public & private EC2
- Route 53
- Serverless Computing
- AWS Lambda
- API Gateway
- Step Functions
- Containers & Orchestration
- ECS
- EKS
- Docker Basics
- DevOps on AWS
- CI/CD pipelines
- CodeCommit
- CodeBuild
- CodeDeploy
- CodePipeline
- Infrastructure as Code β CloudFormation
- AWS Systems Manager
- Monitoring β CloudWatch
- Logging β CloudTrail
- AWS Cloud Security
- AWS WAF
- Shield
- KMS
- Secrets Manager
- Certificate Manager
- Best Security Practices
- Big Data & Analytics
- Amazon Redshift
- Kinesis
- EMR
- Athena
- Glue
- Data Lake concepts
- Machine Learning on AWS (Basics)
- Amazon SageMaker
- Rekognition
- Polly
- Textract
- Comprehend
- Automation & Infrastructure Tools
- Terraform
- CloudFormation
- CDK
- AWS Cost Management
- Cost Explorer
- Trusted Advisor
- Budgets
- Pricing Models
- Reserved Instances
- AWs - Conclusion
Security Groups, Key Pairs
Security Groups and Key Pairs
Amazon Web Services (AWS) provides a wide range of security tools and access control mechanisms that help users protect their cloud resources. Two of the most essential components of AWS EC2 security are Security Groups and Key Pairs. Understanding these is crucial for cloud engineers, AWS administrators, students preparing for AWS certifications, and individuals working on real-world cloud deployments.
This document contains detailed and structured notes explaining the concept, purpose, use cases, configuration, best practices, troubleshooting, and examples of Security Groups and Key Pairs. It is written using SEO-friendly keywords, ensuring maximum reach and relevance for users searching for AWS security concepts, EC2 access management, cloud security fundamentals, cloud firewall concepts, and network access control in AWS.
1. Introduction to EC2 Security Components
When you launch EC2 instances in AWS, two fundamental security features are typically configured:
- Security Groups β Virtual firewalls controlling inbound and outbound traffic.
- Key Pairs β Cryptographic credentials used for secure login to Linux or Windows instances.
These features ensure that only authorized users can access EC2 servers and only permitted network traffic can enter or leave the instance. While both Security Groups and Key Pairs are associated with EC2, they serve very different yet important purposes in cloud security frameworks.
2. Understanding AWS Security Groups
2.1 What Are Security Groups?
A Security Group is a stateful virtual firewall attached to AWS resources such as EC2 instances, RDS databases, ENIs (Elastic Network Interfaces), Load Balancers, and more. Security Groups define rules that control traffic based on:
- Source IP address or CIDR
- Destination port number
- Protocol (TCP, UDP, ICMP, etc.)
- Security Group IDs (allowing SG-to-SG communication)
Security Groups operate at the instance level, not the subnet level, and they filter traffic before it reaches the instance.
2.2 Key Characteristics of Security Groups
Security Groups have multiple important characteristics that differentiate them from other firewall mechanisms:
- Stateful β Responses to allowed inbound traffic are automatically allowed outbound.
- Deny by default β No inbound traffic is allowed unless explicitly permitted.
- Allow rules only β You cannot create deny rules.
- Multiple SGs per instance β An EC2 instance can belong to up to five security groups.
- Multiple rules per SG β A security group can contain numerous rules.
- Applied automatically β Rule changes apply immediately without rebooting the server.
2.3 Inbound and Outbound Rules in Security Groups
Inbound Rules
Inbound rules allow traffic to reach your instance. Example use cases:
- Allow SSH (port 22) only for admin IP
- Allow HTTPS traffic from all users
- Allow database access only from the application server security group
Outbound Rules
Outbound rules let traffic leave your instance. For example:
- Allow server to download updates from the internet
- Allow communication to a database
- Allow logging information to be sent to monitoring tools
2.4 Example Security Group Rules
Inbound Rules:
----------------------------------------------------
Type Protocol Port Range Source
SSH TCP 22 203.110.5.10/32
HTTP TCP 80 0.0.0.0/0
HTTPS TCP 443 0.0.0.0/0
MYSQL TCP 3306 sg-appserver
Outbound Rules:
----------------------------------------------------
Type Protocol Port Range Destination
All All All 0.0.0.0/0
2.5 Security Group Behavior
Security Groups allow incoming traffic only if it matches a rule. If no rule matches the packet, it is automatically denied. Outbound traffic is allowed unless explicitly restricted. Because Security Groups are stateful, if inbound traffic is allowed, the outbound response is automatically allowed, regardless of outbound rule configuration.
Example:
- If SSH inbound rule allows traffic from your laptop, the server can send outbound replies even without an outbound SSH rule.
2.6 Use Cases of Security Groups
- Allowing SSH access for DevOps engineers
- Configuring web servers to accept HTTP/HTTPS traffic
- Restricting database access to application servers
- Allowing internal communication between backend microservices
- Securing Load Balancers and Auto Scaling groups
- Isolating different environments like Development, Testing, and Production
2.7 Best Practices for Security Groups
- Use least-privilege accessβopen only required ports.
- Narrow down sources (avoid 0.0.0.0/0 for SSH).
- Use SG-to-SG rules instead of IP-based rules.
- Use descriptions for rules to maintain clarity.
- Periodically audit unused rules.
- Group resources logically and assign security groups accordingly.
- Enable VPC Flow Logs to monitor traffic patterns.
3. Understanding AWS Key Pairs
3.1 What Are Key Pairs?
Key Pairs are cryptographic credentials used for connecting securely to EC2 instances. They consist of:
- Public Key β Stored by AWS
- Private Key β Downloaded by the user as .pem or .ppk
When you launch an EC2 instance, AWS places the public key on the instance. To log in, you use the private key, which enables secure authentication through SSH (Linux) or RDP (Windows using password decryption).
3.2 Why Are Key Pairs Needed?
- Provide secure login without passwords
- Prevent unauthorized access
- Enable encryption-based authentication
- Ensure secure remote administration
- Allow users to decrypt Windows administrator passwords
AWS Key Pairs replace insecure password-based login methods and protect your EC2 instance from brute-force attacks.
3.3 Types of Key Pairs
- PEM file β Used for Linux SSH
- PPK file β Used for Windows SSH through PuTTY
You can convert PEM to PPK using PuTTYgen.
3.4 Creating Key Pairs in AWS
You can create key pairs using:
- AWS Management Console
- AWS CLI
- AWS SDKs
Example: Create Key Pair Using CLI
aws ec2 create-key-pair --key-name MyKeyPair --query "KeyMaterial" --output text > MyKeyPair.pem
Ensure the file has proper permissions:
chmod 400 MyKeyPair.pem
3.5 Connecting to EC2 Instances Using Key Pairs
Linux Example
ssh -i MyKeyPair.pem ec2-user@ec2-54-23-45-100.compute-1.amazonaws.com
Windows Example
Steps:- Create EC2 instance with Key Pair
- Download RDP file
- Decrypt Administrator password using Key Pair
3.6 What If You Lose the Private Key?
If you lose your private key, AWS cannot help retrieve it. You must create a new keypair and recover access using methods such as:
- Create a new EC2 instance
- Detach the old root volume
- Mount to the new instance
- Replace authorized_keys file
3.7 Best Practices for Key Pairs
- Never share private keys
- Use a secure backup location
- Rotate keys regularly
- Use IAM policies to control access to create key pairs
- Use AWS Systems Manager Session Manager to reduce key dependency
- Use hardware-based key storage solutions like AWS KMS or YubiKey
4. Security Groups vs. Network ACLs (NACLs)
Although both Security Groups and NACLs provide network protection, they function very differently.
| Security Groups | Network ACLs |
|---|---|
| Stateful | Stateless |
| Instance-level | Subnet-level |
| Only allow rules | Allow/Deny rules |
| Automatic response traffic allowed | Response traffic needs explicit allow |
| Easier to manage | More granular |
5. Troubleshooting Security Group and Key Pair Issues
5.1Security Group Issues
- Blocked SSH port 22
- Blocked RDP port 3389
- Incorrect CIDR ranges
- Missing outbound rules
- SG not attached to EC2 instance
5.2 Key Pair Issues
- Incorrect permissions on PEM file
- Wrong username (ec2-user, ubuntu, centos, admin, etc.)
- Lost private key
- Using wrong IP/hostname to connect
6. Use Case Examples
6.1 Web Application Deployment
Security Groups used:
- Web SG: Allow HTTP/HTTPS from internet
- App SG: Allow traffic from Web SG only
- DB SG: Allow traffic from App SG only
Key Pair used for admin access only.
6.2 Production Environment Security
Use key pairs for SSH access and enforce MFA (Multi-Factor Authentication). Use Security Groups to restrict access to known IPs only.
7. Summary
Security Groups and Key Pairs are foundational security components in AWS EC2. Security Groups act as customizable firewalls that control all inbound and outbound network traffic, while Key Pairs provide secure cryptographic access to instances.
Understanding how to configure, audit, and maintain these components is essential for AWS security, cloud engineering, DevOps, and preparation for AWS certification exams such as AWS Cloud Practitioner, AWS Solutions Architect Associate, and SysOps Administrator.
