diff --git a/project-terraform-aws/_aws-root-sg/_data.tf b/project-terraform-aws/_aws-root-sg/_data.tf
new file mode 100644
index 0000000..43e4145
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/_data.tf
@@ -0,0 +1,7 @@
+data "terraform_remote_state" "root_vpc" {
+ backend = "local"
+
+ config = {
+ path = "../__tf_state/_aws-root-vpc/terraform.tfstate"
+ }
+}
diff --git a/project-terraform-aws/_aws-root-sg/_local.tf b/project-terraform-aws/_aws-root-sg/_local.tf
new file mode 100644
index 0000000..a12dcac
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/_local.tf
@@ -0,0 +1,13 @@
+locals {
+ environment_common = "common"
+ environment_development = "development"
+ environment_production = "production"
+
+ region_seoul = "ap-northeast-2"
+
+ team_data = "data"
+}
+
+locals {
+ network_range_ssh_whitelist = "0.0.0.0/0"
+}
\ No newline at end of file
diff --git a/project-terraform-aws/_aws-root-sg/_output.tf b/project-terraform-aws/_aws-root-sg/_output.tf
new file mode 100644
index 0000000..a177f75
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/_output.tf
@@ -0,0 +1,3 @@
+output "sg_id_bastion_public_data_dev" {
+ value = module.module-sg-data-dev.sg_id
+}
\ No newline at end of file
diff --git a/project-terraform-aws/_aws-root-sg/_provider.tf b/project-terraform-aws/_aws-root-sg/_provider.tf
new file mode 100644
index 0000000..bba6136
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/_provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = local.region_seoul
+}
\ No newline at end of file
diff --git a/project-terraform-aws/_aws-root-sg/_terraform.tf b/project-terraform-aws/_aws-root-sg/_terraform.tf
new file mode 100644
index 0000000..3a9fb5d
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/_terraform.tf
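Review bot: `network_range_ssh_whitelist = "0.0.0.0/0"` in the second `locals` block of _local.tf means the bastion's tcp/22 ingress is open to the whole IPv4 internet, which is the opposite of a whitelist — the comment beside the ingress rule in dev.bastion-public.sg.tf itself says a corporate or VPN range belongs here. Set it to the real office/VPN egress CIDR, e.g. `network_range_ssh_whitelist = "203.0.113.0/24"`, or if this really is a throwaway lab, at least label the hazard on the line: `network_range_ssh_whitelist = "0.0.0.0/0" # TEMPORARY: world-open SSH for testing only; replace with corporate/VPN CIDR before any shared use`. Because this local is the only source for the module input, a wrong value here becomes a public SSH exposure with no further check, so the module variable is where a hard guard belongs. Whether the instance that will attach this SG is actually internet-facing is not visible in this diff, but the `bastion-public` naming suggests it is.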
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">= 1.1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.71.0"
+ }
+ }
+
+ /**
+ * 테스팅 목적으로 Terraform Backend 를 사용하지 않습니다
+ */
+
+ backend "local" {
+ path = "../__tf_state/_aws-root-sg/terraform.tfstate"
+ }
+
+}
+
diff --git a/project-terraform-aws/_aws-root-sg/main_sg_data_dev.tf b/project-terraform-aws/_aws-root-sg/main_sg_data_dev.tf
new file mode 100644
index 0000000..a17ba87
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/main_sg_data_dev.tf
@@ -0,0 +1,9 @@
+module "module-sg-data-dev" {
+ source = "./module-sg-data-dev"
+
+ environment = local.environment_development
+ team = local.team_data
+
+ vpc_id = data.terraform_remote_state.root_vpc.outputs.vpc_id_data_dev
+ network_range_ssh_whitelist = local.network_range_ssh_whitelist
+}
\ No newline at end of file
diff --git a/project-terraform-aws/_aws-root-sg/module-sg-data-dev/_output.tf b/project-terraform-aws/_aws-root-sg/module-sg-data-dev/_output.tf
new file mode 100644
index 0000000..59e3510
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/module-sg-data-dev/_output.tf
@@ -0,0 +1,3 @@
+output "sg_id" {
+ value = aws_security_group.bastion_public.id
+}
\ No newline at end of file
diff --git a/project-terraform-aws/_aws-root-sg/module-sg-data-dev/_variable.tf b/project-terraform-aws/_aws-root-sg/module-sg-data-dev/_variable.tf
new file mode 100644
index 0000000..1744050
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/module-sg-data-dev/_variable.tf
@@ -0,0 +1,5 @@
+variable "environment" {}
+variable "team" {}
+
+variable "vpc_id" {}
+variable "network_range_ssh_whitelist" {}
diff --git a/project-terraform-aws/_aws-root-sg/module-sg-data-dev/dev.bastion-public.sg.tf b/project-terraform-aws/_aws-root-sg/module-sg-data-dev/dev.bastion-public.sg.tf
new file mode 100644
index 0000000..fabd0b9
--- /dev/null
+++ b/project-terraform-aws/_aws-root-sg/module-sg-data-dev/dev.bastion-public.sg.tf
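Review bot: The block comment in _terraform.tf says a Terraform backend is not used for testing purposes, but the `backend "local"` block immediately below it does configure one, writing state to `../__tf_state/_aws-root-sg/terraform.tfstate`, so the comment contradicts the code and is the only Korean text in an otherwise English file. Replace it with `# Local file backend for testing only: state is written unencrypted under ../__tf_state, so keep that directory out of version control and move to a remote backend (e.g. S3 with locking) before shared use.` Separately, `required_version = ">= 1.1.3"` has no upper bound, so a future major release would be accepted; `~> 1.1` is the usual pin for this intent.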
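Review bot: All four variables in module-sg-data-dev/_variable.tf are declared with empty bodies, so `network_range_ssh_whitelist` — which goes straight into the SSH ingress `cidr_blocks` — accepts any value, including the `0.0.0.0/0` the root module currently passes, and a malformed value surfaces only as an AWS API error at apply time. Since Terraform `>= 1.1.3` is required, a `validation` block is available: require a parseable CIDR and reject the all-zeros ranges, and give every variable a `type` and `description`. This is the cheapest place to stop a world-open bastion, because the root module's local is otherwise the only thing deciding the value. The other three variables should at least get `type = string` so a wrong object or list fails at plan time.

```hcl
variable "environment" {
  description = "Environment name used in the SG name and tags (e.g. development)."
  type        = string
}

variable "team" {
  description = "Owning team, recorded in the Team tag."
  type        = string
}

variable "vpc_id" {
  description = "VPC in which the bastion security group is created."
  type        = string
}

variable "network_range_ssh_whitelist" {
  description = "Single IPv4 CIDR allowed to reach the bastion on tcp/22 (corporate network or VPN egress range)."
  type        = string

  validation {
    condition = (
      can(cidrhost(var.network_range_ssh_whitelist, 0))
      && !contains(["0.0.0.0/0", "::/0"], var.network_range_ssh_whitelist)
    )
    error_message = "network_range_ssh_whitelist must be a valid CIDR and must not be 0.0.0.0/0 or ::/0."
  }
}
```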
@@ -0,0 +1,45 @@
+locals {
+ purpose_bastion_public = "bastion-public"
+}
+
+resource "aws_security_group" "bastion_public" {
+ name = "${local.purpose_bastion_public}-${lower(var.environment)}"
+
+ tags = {
+ Terraform = "true"
+ Environment = var.environment
+ Team = var.team
+
+ Name = "${local.purpose_bastion_public}-${lower(var.environment)}"
+ }
+
+ vpc_id = var.vpc_id
+}
+
+resource "aws_security_group_rule" "bastion_allow_to_all" {
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+
+ security_group_id = aws_security_group.bastion_public.id
+}
+
+resource "aws_security_group_rule" "bastion_allow_ssh_from_whitelist" {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ // 일반적으로는 회사 네트워크나 VPN 대역등을 넣습니다.
+ cidr_blocks = [
+ var.network_range_ssh_whitelist,
+ ]
+
+ security_group_id = aws_security_group.bastion_public.id
+
+ description = "SSH Whitelisted"
+}
\ No newline at end of file
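Review bot: `bastion_allow_to_all` opens egress on every protocol to `0.0.0.0/0` and `::/0` with no `description`, while the ingress rule right below is documented; if the host is ever compromised this SG offers no containment at all. From what this hunk shows the bastion only needs to reach tcp/22 on instances inside the VPC, so the egress rule can be narrowed to the VPC CIDR obtained from a `data "aws_vpc"` lookup on `var.vpc_id` (keeping the same resource label to avoid state churn) — if the host also needs package updates, add 80/443 explicitly or route them through a NAT/proxy rather than keeping `-1`. The Korean comment on the ingress rule should be English for the whole team: `// Normally the corporate network or VPN egress range goes here; a public bastion must never be opened to 0.0.0.0/0.` Also, the group uses a fixed `name` with no `create_before_destroy` lifecycle, so a later rename is a destroy-then-create that fails with DependencyViolation while an ENI still references the group; `name_prefix` plus `lifecycle { create_before_destroy = true }` is the usual pattern, though the attaching instance is not in this diff.

```hcl
data "aws_vpc" "this" {
  id = var.vpc_id
}

resource "aws_security_group_rule" "bastion_allow_to_all" {
  type        = "egress"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  description = "SSH from bastion to instances inside the VPC only"

  cidr_blocks = [data.aws_vpc.this.cidr_block]

  security_group_id = aws_security_group.bastion_public.id
}

# ... unchanged: bastion_allow_ssh_from_whitelist ingress rule ...
```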