Amazon Virtual Private Cloud provides the following features that can be used to increase and monitor the security of your virtual private cloud (VPC):
- Security groups: Amazon EC2 instances use security groups as a firewall to control both inbound and outbound traffic. When you launch an EC2 instance, you can associate one or more security groups with it, either newly created or existing ones. Each EC2 instance may belong to a different set of security groups. If you don't specify a security group explicitly, the instance is automatically associated with the default security group for the VPC.
- Network access control lists (ACLs): A network ACL is a firewall for its associated subnets and controls both inbound and outbound traffic at the subnet level.
- Flow logs: Flow logs work at the network interface level and capture information about the IP traffic going to and from network interfaces. A flow log can be created for a VPC, a subnet, or an individual network interface. Flow log data is published to CloudWatch Logs or Amazon S3.
- Traffic mirroring: Network traffic can be copied from an elastic network interface (ENI) of an Amazon EC2 instance, and the captured traffic can be sent to out-of-band security and monitoring appliances.
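As an added example (not code from the original page or from AWS), the following Python script parses default-format VPC Flow Log records of the kind described in the flow logs item above, counts rejected inbound flows per external source address, and flags sources that repeatedly hit administrative TCP ports. The log lines, the account id, the ENI id, the 10.0.0.0/16 VPC CIDR and the addresses are all constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records: account id, ENI id and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.12 54321 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.12 54322 3389 6 2 120 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.12 198.51.100.20 44122 443 6 20 5400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.77 10.0.1.12 40000 443 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000059 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.12 54323 22 6 4 240 1700000060 1700000119 REJECT OK
"""

TCP = 6
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record. Rows whose log-status is NODATA or
    SKIPDATA carry '-' in the traffic fields and yield None instead of a record."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        packets=int(rec["packets"]),
        bytes=int(rec["bytes"]),
        start=int(rec["start"]),
        end=int(rec["end"]),
        action=rec["action"],
    )


def summarize_rejects(lines: Iterable[str], vpc_cidr: str = "10.0.0.0/16",
                      threshold: int = 2):
    """Count REJECTed inbound flows per external source address and flag sources
    that hit administrative TCP ports at least `threshold` times.

    Returns (rejects_by_src, flagged); flagged maps a source address to a
    {dstport: count} dict."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejects_by_src: Counter = Counter()
    admin_hits: defaultdict = defaultdict(Counter)

    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        src = ipaddress.ip_address(rec.srcaddr)
        dst = ipaddress.ip_address(rec.dstaddr)
        # Inbound means the source is outside the VPC and the destination inside it;
        # rejected outbound flows are a separate question and are left out here.
        if src in vpc or dst not in vpc:
            continue
        rejects_by_src[rec.srcaddr] += 1
        if rec.protocol == TCP and rec.dstport in ADMIN_PORTS:
            admin_hits[rec.srcaddr][rec.dstport] += 1

    flagged = {src: dict(ports) for src, ports in admin_hits.items()
               if sum(ports.values()) >= threshold}
    return rejects_by_src, flagged


if __name__ == "__main__":
    by_src, flagged = summarize_rejects(SAMPLE_LOG.splitlines())
    for src, n in by_src.most_common():
        print(f"{src:<16} rejected inbound flows: {n}")
    for src, ports in flagged.items():
        names = ", ".join(f"{ADMIN_PORTS[p]}x{c}" for p, c in sorted(ports.items()))
        print(f"flag: {src} repeatedly hit admin ports ({names})")
```

The action field records the combined verdict of the security groups and network ACLs in the path; it does not say which of the two layers rejected the flow, so mapping a REJECT back to a specific rule still means checking the instance's security groups and the subnet's ACL. Rows with a log-status other than OK are skipped rather than parsed, since their traffic fields are placeholders.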
AWS Identity and Access Management (IAM) controls which users in an organization have permission to create and manage security groups, network ACLs, and flow logs. For example, these permissions may be granted to the organization's network administrators rather than to other personnel who only need to manage instances.
Amazon security groups and network ACLs cannot be used to filter traffic to or from the following services:
- Domain Name Services (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- EC2 instance metadata
- Windows license activation
- Amazon Time Sync Service
- The reserved IP address of the default VPC router