AWS Certified Solutions Architect - Associate (SAA-C02)

Sign Up Free or Log In to participate!

Security Groups and EC2

what happens when an instance has 2 security groups with conflicting rule, like one allow and another denies HTTP?

2 Answers

By default everything is denied “implicit deny”. You can only add allow rules.

The answer to your question is the most permissive rule will be applied. You can check the link below for more details

When Amazon EC2 decides whether to allow traffic to reach an instance, it evaluates all of the rules from all of the security groups that are associated with the instance.

From AWS "If there is more than one rule for a specific port, Amazon EC2 applies the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address, and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22."

More specific to your question however, Security Groups are always permissive. It’s not possible to create a deny rule as you asked, so your specific conflicting rules question is actually not possible. 

To expand on Ankit’s answer then, there actually is no such thing as an Explicit Deny (making this incorrect). As Mourad mentioned however, there is an "implicit" deny. Any possible security group rule is an explicit allow only, and therefore overrules the implicit deny. 

You can read more specifically about it here

Hope this helps!

Ankit Aggarwal

Thanks for correcting me Evan. I miss read the question at first and have deleted my answer now as it was not at all correct.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?