Security Groups (SG) are the virtual firewall for your instances: they control inbound and outbound traffic at the instance level and are your first line of defense.
If you allow a request to come in (e.g., a request for a webpage), the response is automatically allowed out. Security Groups are stateful, so you don't need a separate rule for the reply.
Security Groups deny everything by default. You can only add Allow rules. You cannot explicitly "Deny" a specific IP (use Network ACLs for that).
A cool trick: you can set the source of a rule to another Security Group ID. Example: "Allow access only if the traffic comes from the Load Balancer SG".
Mission: Configure the Web Server firewall.
1. Allow Web Traffic (Port 80) from Anywhere.
2. Allow SSH (Port 22) ONLY from your Admin IP.
3. BLOCK everything else.
If you leave Port 22 open to the world, bots will start brute-forcing your password within minutes. Always restrict it to your IP or use a VPN.
Don't put IPs in your Database SG. Instead, say "Allow traffic from the Web Server SG": if the Web Server IP changes, access still works.
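The mission above (ports 80 and 22 on the web server) and the Database SG rule in the last paragraph, written out in Terraform as an added example (not from the original page). It assumes an existing VPC id, an admin IP as a /32 (the value below is a placeholder) and a MySQL database on port 3306; the variable names and resource names are mine.

```hcl
# Added example, not from the original page. Assumes an existing VPC id, the
# admin IP as a /32 (placeholder below) and a MySQL DB on 3306 (swap per engine).
variable "vpc_id" { type = string }
variable "admin_cidr" { default = "203.0.113.10/32" } # placeholder, not a real admin IP
# Web server SG. Empty on creation: inbound is dropped until an Allow rule matches.
resource "aws_security_group" "web" {
  name   = "web-server-sg"
  vpc_id = var.vpc_id
}
# Step 1: HTTP from anywhere.
resource "aws_vpc_security_group_ingress_rule" "web_http" {
  security_group_id = aws_security_group.web.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}
# Step 2: SSH only from the admin IP; 0.0.0.0/0 here is the mistake the text warns about.
resource "aws_vpc_security_group_ingress_rule" "web_ssh" {
  security_group_id = aws_security_group.web.id
  cidr_ipv4         = var.admin_cidr
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
}
# Step 3 needs no rule: there is no Deny, anything unmatched is dropped.
# Database SG: source is the web SG's ID, not an IP, so it survives a web IP change.
resource "aws_security_group" "db" {
  name   = "database-sg"
  vpc_id = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "db_from_web" {
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.web.id
  from_port                    = 3306
  to_port                      = 3306
  ip_protocol                  = "tcp"
}
# Terraform removes AWS's default allow-all egress, so the web SG needs an explicit
# egress rule to open NEW connections to the DB. Replies to the inbound HTTP/SSH
# requests above need no egress rule: the SG is stateful.
resource "aws_vpc_security_group_egress_rule" "web_to_db" {
  security_group_id            = aws_security_group.web.id
  referenced_security_group_id = aws_security_group.db.id
  from_port                    = 3306
  to_port                      = 3306
  ip_protocol                  = "tcp"
}
```

After `terraform apply`, check the result with `aws ec2 describe-security-groups --group-ids <web-sg-id>`: the only rule on port 22 should carry your /32, never 0.0.0.0/0.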