
At which layer of the OSI model do AWS Security Groups operate?

AWS Security Groups and the OSI Model

Hey there! Great question—this is one of those nuanced details that doesn’t get explicit billing in the official EC2 or VPC security group docs you mentioned, but we can map their behavior directly to the OSI model layers.

AWS Security Groups operate primarily at Layer 3 (Network Layer) and Layer 4 (Transport Layer) of the OSI model. Here’s the breakdown:

  • Layer 3 (Network Layer): Security groups filter traffic based on source and destination IP addresses (both IPv4 and IPv6). This includes rules that allow/deny traffic from specific CIDR ranges, other security groups, or AWS service prefixes—all core Layer 3 functions.
  • Layer 4 (Transport Layer): They also enforce rules based on transport protocols (TCP, UDP, ICMP) and port numbers. For example, allowing TCP traffic on port 80 for HTTP, or UDP on port 53 for DNS, are classic Layer 4 controls.

It’s important to note that security groups don’t operate at higher layers (like Layer 7, the Application Layer). They can’t inspect or filter traffic based on application-level details like HTTP paths, request headers, or payload content—that’s the domain of tools like AWS WAF.

While the official docs you referenced focus on how to configure security groups rather than explicitly labeling their OSI layers, their core filtering capabilities align perfectly with Layer 3 and 4 functionality.

The question comes from Stack Exchange; question author: Žilvinas Rudžionis
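A small model of the matching described in the answer above, added here as an example (it is not part of the original post and is not AWS code). The rule keys follow the `IpPermissions` shape of the EC2 API; the function names, the packet dictionary keys (including `http_path`) and all sample values are assumptions constructed for illustration.

```python
import ipaddress

# Constructed ingress rules in the IpPermissions shape used by the EC2 API.
# Every key is a Layer 3 or Layer 4 attribute; no key describes HTTP content.
INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
     "Ipv6Ranges": []},
]


def source_in_cidr(src, cidr):
    """Layer 3 check: is the source address inside the CIDR block?"""
    net = ipaddress.ip_network(cidr)
    return src.version == net.version and src in net


def rule_matches(rule, packet):
    """Match one rule using protocol, destination port and source IP only."""
    proto = rule["IpProtocol"]
    if proto != "-1":  # "-1" means all protocols; ports are then ignored
        if proto != packet["protocol"]:
            return False
        # Layer 4 check. Simplification: for ICMP these two fields carry
        # type/code rather than ports, which this model does not evaluate.
        if proto in ("tcp", "udp"):
            if not rule["FromPort"] <= packet["dst_port"] <= rule["ToPort"]:
                return False
    src = ipaddress.ip_address(packet["src_ip"])
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(source_in_cidr(src, c) for c in cidrs)


def ingress_allowed(rules, packet):
    """A packet is admitted if any rule matches; otherwise it is dropped."""
    return any(rule_matches(rule, packet) for rule in rules)


# Constructed packets: same source, protocol and port, different HTTP paths.
# "http_path" is never read by the evaluator, so both get the same decision.
HOME = {"protocol": "tcp", "dst_port": 80, "src_ip": "203.0.113.7",
        "http_path": "/index.html"}
ADMIN = dict(HOME, http_path="/admin")
```

Restricting `/admin` while leaving `/index.html` open therefore needs a Layer 7 control such as AWS WAF, as the answer notes.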
