A security group is a named collection of access rules. These access rules specify which ingress, i.e. incoming, network traffic should be delivered to your instance. All other ingress traffic will be discarded.
A group's rules may be modified at any time. The new rules are automatically enforced for all running, as well as for subsequently launched, instances affected by the change in rules.
Note: Currently there is a limit of one hundred rules per group.
When an AMI instance is launched it may be assigned membership to any number of groups.
If no groups are specified, the instance is assigned to the "default" group. This group can be modified, by you, like any other group you have created. Be default, this group allows all network traffic from other members of the "default" group and discards traffic from other IP addresses and groups.