aws:network:security-group

Security Group

What it is: A stateful virtual firewall attached to an instance's network interface (and to other resources that use ENIs).

What it’s for:

  • Control inbound/outbound traffic at the resource level.
  • Allow only required ports/protocols (least privilege networking).

Key ideas:

  • Stateful: if inbound is allowed, the return traffic is automatically allowed, whatever the outbound rules say.
  • Rules are allow-only (no explicit deny rules in an SG); anything not explicitly allowed is dropped.
  • You can reference other security groups as source/destination instead of CIDR ranges.

Exam cues:

  • “open port 443 to the world” → SG inbound allow 443 from 0.0.0.0/0.
  • “allow app servers to talk to DB only” → DB SG allows inbound from App SG.
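The two exam cues as an audit, added here as an example (not part of the original note): constructed rules in the shape returned by EC2 describe-security-groups, a check for ports opened to the world, and a lookup of who can reach a port. PUBLIC_OK_PORTS and the sg-app/sg-db identifiers are assumptions for the sample.

```python
from typing import Dict, List
# Constructed sample in the describe-security-groups shape (not a real account):
# an app SG open to the world on 443 (fine) and on 22 (not fine), and a DB SG
# that admits only members of the app SG, as in the exam cues above.
SAMPLE_GROUPS = [
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]
PUBLIC_OK_PORTS = {80, 443}       # assumption: only web ports may face the internet
ANY_CIDR = {"0.0.0.0/0", "::/0"}

def _sources(perm) -> Dict[str, List[str]]:
    """Split one rule's sources into CIDRs and referenced security groups."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return {"cidrs": cidrs, "groups": [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]}

def find_world_open_rules(groups) -> List[str]:
    """Inbound rules reachable from any address on a port outside PUBLIC_OK_PORTS.
    SGs have no deny rules, so the fix is to narrow the source, ideally to another SG."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not any(c in ANY_CIDR for c in _sources(perm)["cidrs"]):
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if perm["IpProtocol"] == "-1" or lo != hi or lo not in PUBLIC_OK_PORTS:
                ports = "all" if lo is None else f"{lo}-{hi}"
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} {ports} open to the world")
    return findings

def who_can_reach(groups, group_id, port) -> Dict[str, List[str]]:
    """Merge the sources of every inbound rule on group_id whose port range covers port."""
    out = {"cidrs": [], "groups": []}
    for sg in groups:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] == "-1" or perm["FromPort"] <= port <= perm["ToPort"]:
                for key, vals in _sources(perm).items():
                    out[key] += vals
    return out
```

Against a real account, replace SAMPLE_GROUPS with the `SecurityGroups` list from boto3's `describe_security_groups()`.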

Hard words:

  • *stateful* /ˈsteɪtfəl/: keeping connection state (return traffic is allowed automatically)
  • *firewall* /ˈfaɪərˌwɔːl/: firewall
  • *protocol* /ˈproʊtəkɔːl/: protocol
aws/network/security-group.txt · Last modified: by phong2018