Created
April 19, 2009 19:44
http://www.cloudiquity.com/2009/02/securing-distributed-applications-on-ec2/
* The default mode is to deny access: you have to explicitly open ports to allow inbound network traffic.
* If no security group is specified, a special default group is assigned to the instance. This group allows all network traffic from other members of the same group and discards traffic from other IP addresses and groups. You can change the settings of this group.
* You can assign multiple security groups to an instance.
* The security groups for an instance are set at launch time and cannot be changed afterwards (as of the 2009 EC2 API these notes describe). You can dynamically modify the rules in a security group, and the new rules are enforced automatically for all running and future instances; there may be a small delay depending on the number of instances.
* You can grant access either from named security groups or from a source IP address range (CIDR). You specify the protocol (TCP, UDP or ICMP) and an individual port or a port range to open.
* You can allow access from another user's security groups using a user/group pair (the owning account ID plus the group name).
* The API current at the time (Amazon EC2 API version 2008-12-17) does not support port ranges for security group rules through the command line tools or the Query API; you need to use the SOAP API for that.
* An account can have a maximum of 100 security groups.
* Security groups are just access rules applied to a single instance or a collection of instances. If two instances are in the same security group, that alone does not give them any access to each other; they can reach each other only if the group's rules name that group (or their address range) as a source.
* An instance running in promiscuous mode cannot sniff traffic intended for a different instance.
* A running instance cannot change security group access rules by itself. Changes must be authorized with the account's access keys or X.509 certificate.
* From inside the instance you can read the names of its security groups from the instance metadata: `curl http://169.254.169.254/1.0/meta-data/security-groups`
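The notes above describe the evaluation model but do not show it in action. The following is an added example, not code from the gist or from AWS: a small Python model of security group ingress semantics (default deny, CIDR sources, user/group-pair sources, multiple groups per instance) that demonstrates in particular the point that two instances in the same group get no access to each other unless a rule names that group as a source. The account ID `111122223333`, the group names `default`/`web`/`app`/`db` and all addresses are constructed for the example.

```python
"""Model of EC2 security-group ingress semantics as described in the notes above.
Constructed example, not AWS code: account ID, groups, rules and addresses are made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY_PORT = -1  # EC2 uses -1 for "all ICMP types/codes"; reused here for "any port"


@dataclass(frozen=True)
class Rule:
    protocol: str                        # "tcp", "udp" or "icmp"
    from_port: int                       # inclusive start of range (or ANY_PORT)
    to_port: int                         # inclusive end of range
    cidr: Optional[str] = None           # source IP range, e.g. "203.0.113.0/24"
    source_group: Optional[str] = None   # "owner/group" pair, e.g. "111122223333/web"


@dataclass
class SecurityGroup:
    owner: str                           # AWS account ID of the group's owner
    name: str
    ingress: List[Rule] = field(default_factory=list)

    @property
    def ref(self) -> str:
        """User/group pair used when a rule references this group as a source."""
        return f"{self.owner}/{self.name}"


def rule_matches(rule: Rule, proto: str, port: int, src_ip: str, src_groups: set) -> bool:
    if rule.protocol != proto:
        return False
    if rule.from_port != ANY_PORT and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    if rule.source_group is not None:
        # Group-based rules match on the sender's group membership, not its address.
        return rule.source_group in src_groups
    return False


def ingress_allowed(dst_groups, proto, port, src_ip, src_groups=()) -> bool:
    """Default deny: traffic is admitted only if some rule in one of the
    destination instance's groups matches. Being in the same group as the
    destination grants nothing unless a rule names that group as a source."""
    src_refs = set(src_groups)
    return any(rule_matches(r, proto, port, src_ip, src_refs)
               for g in dst_groups for r in g.ingress)


OWNER = "111122223333"  # constructed account ID

# The special "default" group: its own members may talk to each other on anything.
DEFAULT = SecurityGroup(OWNER, "default")
DEFAULT.ingress = [Rule(p, ANY_PORT, ANY_PORT, source_group=DEFAULT.ref)
                   for p in ("tcp", "udp", "icmp")]

# Public web tier: only port 80 from anywhere.
WEB = SecurityGroup(OWNER, "web", [Rule("tcp", 80, 80, cidr="0.0.0.0/0")])

# App tier: port 8080 only from instances that are members of "web".
APP = SecurityGroup(OWNER, "app", [Rule("tcp", 8080, 8080, source_group=WEB.ref)])

# Database tier with no rules at all: even two "db" instances cannot reach each other.
DB = SecurityGroup(OWNER, "db")


def demo() -> dict:
    return {
        "internet->web:80": ingress_allowed([WEB], "tcp", 80, "198.51.100.7"),
        "internet->web:22": ingress_allowed([WEB], "tcp", 22, "198.51.100.7"),
        "web->app:8080": ingress_allowed([APP], "tcp", 8080, "10.0.0.5", [WEB.ref]),
        "db->app:8080": ingress_allowed([APP], "tcp", 8080, "10.0.0.5", [DB.ref]),
        "db->db:3306": ingress_allowed([DB], "tcp", 3306, "10.0.0.9", [DB.ref]),
        "default->default:3306": ingress_allowed([DEFAULT], "tcp", 3306, "10.0.0.9", [DEFAULT.ref]),
        "web->web+default:22": ingress_allowed([WEB, DEFAULT], "tcp", 22, "10.0.0.3",
                                               [WEB.ref, DEFAULT.ref]),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:24} {'ALLOW' if ok else 'DENY'}")
```

The `db->db` case is the one worth noticing: an empty group denies everything, including traffic from its own members, whereas the `default` group only lets members reach each other because it carries explicit rules whose source is the group itself. Group-sourced rules also ignore the sender's address entirely, which is what makes the user/group pair useful across accounts.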