When you roll a new service or workload into an AWS deployment, it's important to control and restrict traffic to those new resources. Administrators can perform this task in a variety of ways.
Limit AWS traffic between a workload's constituent components to reduce the potential for malicious activity. For example, a web server should only allow incoming HTTP traffic on port 80 or HTTPS traffic on port 443, and reject everything else.
Generally, admins can place a workload behind an Amazon EC2 security group firewall to block unacceptable AWS traffic. Route 53 traffic policies can also help admins direct end users to the appropriate endpoint at the DNS level.
Similarly, you can secure individual workload components through security groups. For example, a web server rarely operates alone, as it might rely on an application server, database server and storage resource instances to support a workload's needs.
In that case, place the application server into its own security group so that it only accepts Secure Shell connections from a local network and blocks all other outside traffic. You could also configure the application server to accept connections only from the web server, and configure the database server to accept connections only from the application server.
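The web, application and database tiers described above, expressed as the ingress rule structures the EC2 API takes, as an added example that is not from the article. The group IDs, the local-network CIDR and the application and database ports are constructed placeholders. The example goes one step beyond the text: the application and database groups reference the upstream tier by security group ID (`UserIdGroupPairs`) rather than by IP address, so instances added to the web tier later are admitted automatically, and a small audit function flags any rule that opens a port to the whole internet unless that port is on an explicit allow list.

```python
"""Three-tier security group rules in boto3 IpPermissions shape, plus an audit.

Added example, not code from the article. Group IDs, CIDRs and ports below are
constructed placeholders; the dict shape matches what
ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...]) expects.
"""
import copy

# Constructed placeholder identifiers (not real AWS resources).
WEB_SG = "sg-0webplaceholder00"
APP_SG = "sg-0appplaceholder00"
DB_SG = "sg-0dbplaceholder000"
LOCAL_NET = "10.0.0.0/16"   # the "local network" allowed to reach SSH (assumed)
APP_PORT = 8080             # assumed application server port
DB_PORT = 3306              # assumed database port
ANYWHERE = "0.0.0.0/0"


def cidr_rule(port, cidr, description):
    """One TCP ingress permission admitting traffic from a CIDR block."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}


def group_rule(port, source_group, description):
    """One TCP ingress permission admitting traffic only from members of another
    security group. Referencing the group ID means new web-tier instances are
    admitted without editing the rule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group, "Description": description}]}


def build_tier_rules():
    """Map each security group ID to its ingress permissions for the
    web -> app -> db chain. Security groups are stateful, so reply traffic for
    these connections needs no matching egress rule."""
    return {
        WEB_SG: [cidr_rule(80, ANYWHERE, "public HTTP"),
                 cidr_rule(443, ANYWHERE, "public HTTPS")],
        APP_SG: [group_rule(APP_PORT, WEB_SG, "from web tier only"),
                 cidr_rule(22, LOCAL_NET, "SSH from local network only")],
        DB_SG: [group_rule(DB_PORT, APP_SG, "from app tier only")],
    }


def audit(rules, public_ok=None):
    """Return findings for every rule open to 0.0.0.0/0 that is not on the
    explicit (group, port) allow list. Only the web tier's 80/443 should be
    public in this layout."""
    allow = {(WEB_SG, 80), (WEB_SG, 443)} if public_ok is None else set(public_ok)
    findings = []
    for sg, perms in rules.items():
        for perm in perms:
            for ip_range in perm.get("IpRanges", []):
                if ip_range["CidrIp"] == ANYWHERE and (sg, perm["FromPort"]) not in allow:
                    findings.append(f"{sg}: tcp/{perm['FromPort']} is open to {ANYWHERE}")
    return findings


def apply_rules(ec2, rules):
    """Push each group's permissions through the real boto3 call. The client is
    injected so the function can be exercised with a fake; a real call needs
    credentials and existing groups. Returns the number of API calls made."""
    calls = 0
    for sg, perms in rules.items():
        ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=perms)
        calls += 1
    return calls


def open_db_to_world(rules):
    """Produce a deliberately misconfigured copy (DB port public) to show what
    the audit catches."""
    bad = copy.deepcopy(rules)
    bad[DB_SG].append(cidr_rule(DB_PORT, ANYWHERE, "mistake: public database"))
    return bad


if __name__ == "__main__":
    rules = build_tier_rules()
    print("baseline findings:", audit(rules))
    print("misconfigured findings:", audit(open_db_to_world(rules)))
    # To apply for real (assumes boto3 and credentials are configured):
    # import boto3; apply_rules(boto3.client("ec2"), rules)
```

Run the audit against the rule set before applying it; the same function works on the output of `describe_security_groups` (each group's `IpPermissions` list has this exact shape), so it doubles as a periodic check that nobody has widened a tier since deployment.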