VPC security
If you have deployed your resources in a VPC, you are already moving in the right direction. Here we are mostly going to concern ourselves with network security and the tools or features a VPC provides for enhancing it.
Security Groups
The AWS documentation describes them as the first layer of defense. A Security Group (SG) is attached to an EC2 instance (strictly speaking, to its network interface, which is why RDS instances, load balancers and other VPC-attached services use them too) and acts as a stateful firewall that supports allow rules only: return traffic for a connection that was allowed in is permitted automatically, and anything not explicitly allowed is dropped.
They are very flexible, and an EC2 instance can have multiple such groups assigned to it; note that the rules of all attached groups are combined, so one overly broad rule in any of them opens the port. Rules can be based on individual host IP addresses, CIDR ranges or even on other Security Groups, for example, allow inbound TCP 80 from group ID sg-12345.
Usually, within a VPC we would create an SG per role, such as web server, db, cache. Instances of the same component would then be assigned the respective SG, thus regulating traffic between the different components of a platform. Because a rule can name the client tier's group rather than its addresses, the db group can allow its port only from the web group, and that allowance follows web instances as they are launched and terminated, without any rule edits.
Tip
It is often tempting to allow traffic based on the VPC CIDR address...
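The per-role model above and the tip about VPC-wide CIDR rules can both be checked mechanically against what is actually deployed. The script below is an added example and not part of the original page or of any AWS tool: it reads the JSON shape returned by `aws ec2 describe-security-groups` (here a constructed sample embedded inline, with made-up group IDs) and classifies each inbound rule as a group reference (the per-role model working as intended), world-open, VPC-wide or narrower. The VPC CIDR `10.0.0.0/16`, the `web` role being the only Internet-facing one, and ports 80/443 being its only acceptable world-open ports are assumptions for the demo; in line with the tip above, a rule whose source range covers the whole VPC CIDR is reported as a finding rather than accepted.

```python
"""Audit ingress rules in `aws ec2 describe-security-groups` output.

Added example: reports, per group, whether each inbound rule references
another security group (the per-role model), is open to the Internet, or
covers the whole VPC CIDR. Thresholds below are assumptions for the demo.
"""
import ipaddress
import json

VPC_CIDR = "10.0.0.0/16"     # assumption: the VPC's own CIDR block
PUBLIC_PORTS = {80, 443}     # assumption: ports a public web tier may expose to 0.0.0.0/0
PUBLIC_GROUPS = {"web"}      # assumption: the only role that faces the Internet

# Constructed sample (not real output) in the shape returned by
# `aws ec2 describe-security-groups`. Group IDs are made up. As in the real
# API, an IpProtocol of "-1" (all traffic) carries no FromPort/ToPort.
SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb0002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa0001"}]},
    ]},
    {"GroupId": "sg-0ccc0003", "GroupName": "cache", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0ccc0003"}]},
    ]},
]})

SEVERITY_ORDER = {"OK": 0, "INFO": 1, "MEDIUM": 2, "HIGH": 3}


def describe_ports(perm):
    """Human-readable protocol/port spec for one IpPermissions entry."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def classify_cidr(group_name, perm, cidr, vpc_net):
    """Severity of a CIDR-based rule: HIGH if world-open where not expected,
    MEDIUM if the range covers the entire VPC, INFO for anything narrower."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                       # 0.0.0.0/0 or ::/0
        single_port = perm.get("FromPort") == perm.get("ToPort")
        expected = (group_name in PUBLIC_GROUPS and perm["IpProtocol"] == "tcp"
                    and single_port and perm.get("FromPort") in PUBLIC_PORTS)
        return "OK" if expected else "HIGH"
    if net.version == vpc_net.version and vpc_net.subnet_of(net):
        return "MEDIUM"
    return "INFO"


def audit_group(group, vpc_cidr=VPC_CIDR):
    """Return a list of (severity, message) findings for one group's ingress rules."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    name = group["GroupName"]
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = describe_ports(perm)
        # Rules that name another group are the per-role model working as intended.
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(("OK", f"{name}: {ports} from group {pair['GroupId']}"))
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            sev = classify_cidr(name, perm, cidr, vpc_net)
            note = {"HIGH": " (open to the Internet)",
                    "MEDIUM": " (covers the whole VPC; reference the client group instead)"}.get(sev, "")
            findings.append((sev, f"{name}: {ports} from {cidr}{note}"))
    return findings


def audit(json_text, vpc_cidr=VPC_CIDR):
    """Audit every group in describe-security-groups output: {GroupName: findings}."""
    data = json.loads(json_text)
    return {g["GroupName"]: audit_group(g, vpc_cidr) for g in data["SecurityGroups"]}


def worst_severity(findings):
    """Highest severity among a group's findings ("OK" when there are none)."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="OK")


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_JSON).items():
        print(f"== {name} (worst: {worst_severity(findings)})")
        for sev, msg in findings:
            print(f"   [{sev}] {msg}")
```

On the sample, `db` comes out clean because its only rule references the web group, `web` is flagged HIGH for SSH open to the world, and `cache` is flagged MEDIUM for the VPC-wide rule. To run it against a real account, replace `SAMPLE_JSON` with the output of `aws ec2 describe-security-groups --output json` and set `VPC_CIDR` and the public-role assumptions to match your environment.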