====== Security Group ======

**What it is:** A stateful virtual firewall for instances (and some other ENIs).

**What it's for:**
  * Control inbound/outbound traffic at the resource level.
  * Allow only required ports/protocols (least privilege networking).

**Key ideas:**
  * **Stateful**: if inbound is allowed, the return traffic is automatically allowed.
  * Rules are **allow-only** (no explicit deny rules in SG).
  * You can reference other security groups as source/destination.

**Exam cues:**
  * "open port 443 to the world" → SG inbound allow 443 from 0.0.0.0/0.
  * "allow app servers to talk to DB only" → DB SG allows inbound from App SG.

**Hard words:**
  * *stateful* /ˈsteɪtfəl/: stateful (return traffic is allowed automatically)
  * *firewall* /ˈfaɪərˌwɔːl/: firewall
  * *protocol* /ˈproʊtəkɔːl/: protocol
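The two exam cues written out as Terraform, as an added example that is not part of the original notes. It assumes an existing VPC whose ID is passed in as ''var.vpc_id'' and a PostgreSQL database on port 5432; both are constructed for the example.

```hcl
# Added example (not from the original notes). Assumes an existing VPC
# whose ID is supplied as var.vpc_id; port 5432 (PostgreSQL) is a
# constructed value for the DB tier.
variable "vpc_id" {
  type = string
}

# Cue 1: "open port 443 to the world" -> inbound allow 443 from 0.0.0.0/0
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Public HTTPS front end"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "web_https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.web.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  # Stateful: the HTTPS responses are allowed back out automatically,
  # so no egress rule for the return traffic is needed.
}

# Cue 2: "allow app servers to talk to DB only" -> DB SG allows inbound
# from App SG. The source is the App SG itself, not an IP range, so
# instances can scale or change IPs without touching the DB rules.
resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "Application tier"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "db" {
  name        = "db-sg"
  description = "Database tier"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.app.id
  # Allow-only: there is no "deny" rule to write. Anything not matched
  # by an allow rule (for example the web SG or 0.0.0.0/0) is dropped.
}

# Terraform removes the default allow-all egress rule from security
# groups it creates, so the app tier's outbound path to the DB is
# declared explicitly. On an egress rule, source_security_group_id
# names the destination group.
resource "aws_security_group_rule" "app_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.db.id
}
```

The DB group never lists an IP range, which is the point of the second cue: membership in the App SG is the credential, so a web instance that is not in that group gets no path to port 5432 even though it sits in the same VPC.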