Security Groups in AWS

What Securcery is This?

This is deserving of great detail. But for now, I'll just link to this and drop a few notes. Most of the notes are unintuitive gotchas that are not immediately apparent.

First, when you create a VPC, you get a default security group for free. If you don't specify security groups when you launch things that need security groups, they automatically get the default security group. And this would all be fine, except the default security group is created with rules to allow all inbound and all outbound. So that sucks. You cannot stop it from creating it; all you can do is modify the rules afterwards. And you cannot stop it from creating the default VPC either, in every single automatically-enabled region. So AWS leaves you a mess before you even get started. You can use the script in this article, with slight tweaks, to handle the issue for you. If you use Account Factory in Control Tower, you get some control of this (but not enough, since Control Tower isn't available in all regions yet).

So anyway, the SGs have all these fun little quirks that you really should be aware of. First thing: responses to inbound traffic are allowed to flow out of the instance regardless of outbound security group rules, and vice versa. Also, for protocols other than TCP, UDP, or ICMP, only the IP address and protocol number are tracked. If your instance sends traffic to another host, and the host sends the same type of traffic to your instance within 600 seconds, the security group for your instance accepts it regardless of inbound security group rules. The security group accepts it because it's regarded as response traffic for the original traffic. That's 10 minutes, an awfully long time. Also, changing rules will not sever existing connections immediately, and they could take DAYS to close. Use an ACL to make it immediate.
Also note that going from granular rules to broad rules or back can cause connections to drop, become tracked, or become untracked, so be aware of the potential ramifications (or the expected ones; they may not happen). Also note that there is NO WAY to use either SGs or ACLs to block traffic to the +2 VPC address, which is the ENI attached to the Route 53 Resolver. Every AZ has one, and no ACL (obviously, since it's within the subnet for all subnets) or SG (that's right, even attaching a single SG with no rules at all won't stop it) can block it. Only the Route 53 Resolver DNS Firewall can do it.
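As an added example tied to the default-security-group gotcha above (this is not the script the article links to), here is a Python/boto3 routine that strips every rule from each VPC's default group in every enabled region, reporting first and only revoking when asked. boto3, usable AWS credentials, and the placeholder group id and account id in the constructed sample are assumptions.

```python
"""Lock down the default security group in every VPC of every enabled region.
Added example, not the article's script. Assumes boto3 and credentials allowed
to call ec2:Describe{Regions,SecurityGroups} and ec2:RevokeSecurityGroup{Ingress,Egress}."""

# Constructed sample of what AWS creates for a new VPC's default group: inbound
# allows all traffic from members of the group itself, outbound allows everything.
SAMPLE_DEFAULT_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id, not a real group
    "GroupName": "default",
    "IpPermissions": [{"IpProtocol": "-1",
                       "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                             "UserId": "111111111111"}]}],  # placeholder account
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def plan_revocations(sg):
    """Return (ingress, egress) permission lists to revoke from one
    describe_security_groups entry. Pure function, testable without AWS.
    Refuses to touch anything but a group literally named 'default'."""
    if sg.get("GroupName") != "default":
        return [], []
    return list(sg.get("IpPermissions", [])), list(sg.get("IpPermissionsEgress", []))

def lock_down_default_sgs(session, apply=False):
    """Walk every enabled region and strip all rules from each default group.
    With apply=False it only reports (region, group id, #ingress, #egress)."""
    regions = [r["RegionName"] for r in
               session.client("ec2", region_name="us-east-1").describe_regions()["Regions"]]
    report = []
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        groups = ec2.describe_security_groups(
            Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
        for sg in groups:
            ingress, egress = plan_revocations(sg)
            if not (ingress or egress):
                continue  # already closed, nothing to do
            report.append((region, sg["GroupId"], len(ingress), len(egress)))
            if apply and ingress:
                ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=ingress)
            if apply and egress:
                ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=egress)
    return report

if __name__ == "__main__":
    import boto3
    for row in lock_down_default_sgs(boto3.Session(), apply=False):
        print("would revoke in %s %s: %d ingress, %d egress rule(s)" % row)
```

Run it in report mode first, then with `apply=True`; the revoke calls pass the describe output back unchanged, which is what the EC2 API expects.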