Amazon Elastic Compute Cloud
User Guide (API Version 2014-06-15)

Amazon EC2 Security Groups

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When we decide whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups that are associated with the instance.

This topic provides information about security groups and security group rules.

If you have requirements that aren't met by security groups, you can maintain your own firewall on any of your instances in addition to using security groups.

Security Groups for EC2-Classic

If you're using EC2-Classic, you must use security groups created specifically for EC2-Classic. When you launch an instance in EC2-Classic, you must specify a security group in the same region as the instance. You can't specify a security group that you created for a VPC when you launch an instance in EC2-Classic.

After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

Note

In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group.

Security Groups for EC2-VPC

If you're using EC2-VPC, you must use security groups created specifically for your VPC. When you launch an instance in a VPC, you must specify a security group for that VPC. You can't specify a security group that you created for EC2-Classic when you launch an instance in a VPC.

After you launch an instance in a VPC, you can change its security groups. You can also change the rules of a security group, and those changes are automatically applied to all instances that are associated with the security group.

Note

In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.

When you specify a security group for a nondefault VPC in a CLI command or an API action, you must identify the security group by its ID, not by its name.

Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic. For more information about security groups for EC2-VPC, see Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

Security Group Rules

The rules of a security group control the inbound traffic that's allowed to reach the instances that are associated with the security group and the outbound traffic that's allowed to leave them. By default, security groups allow all outbound traffic.

You can add and remove rules at any time. Your changes are automatically applied to the instances associated with the security group after a short period. You can either edit an existing rule in a security group, or delete it and add a new rule. You can copy the rules from an existing security group to a new security group. You can't change the outbound rules for EC2-Classic. Security group rules are always permissive; you can't create rules that deny access.

For each rule, you specify the following:

  • The protocol to allow (such as TCP, UDP, or ICMP).

  • TCP and UDP, or a custom protocol: the range of ports to allow.

  • ICMP: the ICMP type and code.

  • One of the following options for the source (inbound rules) or destination (outbound rules):

    • An individual IP address, in CIDR notation. Be sure to use the /32 prefix after the IP address; if you use the /0 prefix after the IP address, this opens the port to everyone. For example, specify the IP address 203.0.113.1 as 203.0.113.1/32.

    • An IP address range, in CIDR notation (for example, 203.0.113.0/24).

    • The name (EC2-Classic) or ID (EC2-Classic or EC2-VPC) of a security group. This allows instances associated with the specified security group to access instances associated with this security group. (Note that this does not add rules from the source security group to this security group.) You can specify one of the following security groups:

      • The current security group.

      • EC2-Classic: a different security group for EC2-Classic in the same region.

      • EC2-VPC: a different security group for the same VPC.

      • EC2-Classic: a security group for another AWS account in the same region (add the AWS account ID as a prefix; for example, 111122223333/sg-edcd9784).

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).

If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.

When you associate multiple security groups with an instance, the rules from each security group are effectively aggregated to create one set of rules. We use this set of rules to determine whether to allow access.

Caution

Because you can assign multiple security groups to an instance, an instance can have hundreds of rules that apply. This might cause problems when you access the instance. Therefore, we recommend that you condense your rules as much as possible.
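The evaluation described above (rules from every associated group are aggregated, every rule is an allow, the most permissive rule wins, and a source-security-group rule matches the private addresses of that group's members) can be modelled in a few lines. The following is an added example written for this page; it is not part of the guide or of any AWS library, and the group IDs, private addresses and the public address 198.51.100.20 are constructed sample data.

```python
"""Model of how EC2 decides whether inbound traffic reaches an instance.

Illustrative code, not the guide's or AWS's. It reproduces the stated
semantics: rules from all of the instance's groups are aggregated, rules
are only ever permissive, the most permissive rule wins, and a rule whose
source is a security group matches the private IP addresses of that
group's members (never their public or Elastic IP addresses).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One inbound rule. For ICMP, from_port is the ICMP type (-1 = any)."""
    protocol: str                          # "tcp", "udp", "icmp" or "all"
    from_port: int = 0
    to_port: int = 65535
    cidr: Optional[str] = None             # source as CIDR, e.g. "203.0.113.1/32"
    source_group: Optional[str] = None     # or the ID of a source security group


def rule_matches(rule: Rule, protocol: str, port: int, src_ip: str,
                 members: Dict[str, Set[str]]) -> bool:
    """True if this single rule allows the packet."""
    if rule.protocol != "all":
        if rule.protocol != protocol:
            return False
        if protocol == "icmp":
            if rule.from_port != -1 and rule.from_port != port:
                return False
        elif not rule.from_port <= port <= rule.to_port:
            return False
    if rule.cidr is not None:
        return ip_address(src_ip) in ip_network(rule.cidr, strict=False)
    if rule.source_group is not None:
        # Matches on the *private* addresses of the source group's members.
        return src_ip in members.get(rule.source_group, set())
    return False


def allowing_rules(instance_groups: List[str], groups: Dict[str, List[Rule]],
                   members: Dict[str, Set[str]], protocol: str, port: int,
                   src_ip: str) -> List[Rule]:
    """Every rule, across all groups on the instance, that allows the packet.

    Rules are only permissive, so one matching rule is enough; nothing can
    deny traffic that another rule allows (the most permissive rule wins).
    """
    aggregated = [r for g in instance_groups for r in groups.get(g, [])]
    return [r for r in aggregated
            if rule_matches(r, protocol, port, src_ip, members)]


def is_allowed(instance_groups, groups, members, protocol, port, src_ip) -> bool:
    return bool(allowing_rules(instance_groups, groups, members,
                               protocol, port, src_ip))


# --- constructed sample data (group IDs and addresses are made up) ----------
GROUPS = {
    # web tier: HTTP/HTTPS from anywhere, SSH only from one admin address
    "sg-web": [
        Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
        Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
        Rule("tcp", 22, 22, cidr="203.0.113.1/32"),
    ],
    # a second group someone attached with SSH open to everyone
    "sg-ops": [Rule("tcp", 22, 22, cidr="0.0.0.0/0")],
    # app tier: only members of the web tier may reach port 8080
    "sg-app": [Rule("tcp", 8080, 8080, source_group="sg-web")],
}
# private IP addresses of the instances currently associated with each group
MEMBERS = {"sg-web": {"10.0.1.10"}, "sg-app": {"10.0.2.20"}}
WEB_PUBLIC_IP = "198.51.100.20"   # constructed public address of the web instance


if __name__ == "__main__":
    web = ["sg-web"]
    print(is_allowed(web, GROUPS, MEMBERS, "tcp", 22, "203.0.113.1"))   # True
    print(is_allowed(web, GROUPS, MEMBERS, "tcp", 22, "198.51.100.7"))  # False
    # attaching sg-ops as well: the 0.0.0.0/0 rule now wins for port 22
    print(is_allowed(web + ["sg-ops"], GROUPS, MEMBERS, "tcp", 22, "198.51.100.7"))  # True
    app = ["sg-app"]
    print(is_allowed(app, GROUPS, MEMBERS, "tcp", 8080, "10.0.1.10"))   # True, private IP
    print(is_allowed(app, GROUPS, MEMBERS, "tcp", 8080, WEB_PUBLIC_IP)) # False, public IP
```

The third call is the situation the Caution above describes: the instance's own group restricts SSH to one address, but once a second group with a 0.0.0.0/0 rule is attached, the aggregated rule set lets everyone in, and no rule in the first group can prevent it.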

For more information about IP addresses, see Amazon EC2 Instance IP Addressing.

Default Security Groups

Your AWS account automatically has a default security group per region for EC2-Classic. When you create a VPC, we automatically create a default security group for the VPC. If you don't specify a different security group when you launch an instance, the instance is automatically associated with the appropriate default security group.

A default security group is named default, and it has an ID assigned by AWS. The following are the initial settings for each default security group:

  • Allow inbound traffic only from other instances associated with the default security group

  • Allow all outbound traffic from the instance

The default security group specifies itself as a source security group in its inbound rules. This is what allows instances associated with the default security group to communicate with other instances associated with the default security group.

You can change the rules for a default security group. For example, you can add an inbound rule to allow SSH or Remote Desktop connections so that specific hosts can manage the instance.

You can't delete a default security group.

Custom Security Groups

If you don't want all your instances to use the default security group, you can create your own security groups and specify them when you launch your instances. You can create multiple security groups to reflect the different roles that your instances play; for example, a web server or a database server. For instructions that help you create security groups for web servers and database servers, see Recommended Security Groups in the Amazon Virtual Private Cloud User Guide.

Note

In EC2-Classic, you can create up to 500 security groups in each region for each account. In EC2-VPC, you can create up to 100 security groups per VPC. The security groups for EC2-Classic do not count against the security group limit for EC2-VPC.

When you create a security group, you must provide it with a name and a description. Security group names and descriptions can be up to 255 characters in length, and are limited to the following characters:

  • EC2-Classic: ASCII characters

  • EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

AWS assigns each security group a unique ID in the form sg-xxxxxxxx. The following are the initial settings for a security group that you create:

  • Allow no inbound traffic

  • Allow all outbound traffic

After you've created a security group, you can change its inbound rules to reflect the type of inbound traffic that you want to reach the associated instances. In EC2-VPC, you can also change its outbound rules.

To allow instances that have the same security group to communicate, you must explicitly add rules for this. The following table describes the rules that you must add to your security group to enable instances in EC2-Classic to communicate.

Inbound

Source                          Protocol   Port Range   Comments
The ID of the security group    ICMP       All          Allow inbound ICMP access from other instances associated with this security group
The ID of the security group    TCP        0 - 65535    Allow inbound TCP access from other instances associated with this security group
The ID of the security group    UDP        0 - 65535    Allow inbound UDP access from other instances associated with this security group

The following table describes the rules that you must add to your security group to enable instances in a VPC to communicate.

Inbound

Source                          Protocol   Port Range   Comments
The ID of the security group    All        All          Allow inbound traffic from other instances associated with this security group
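The two tables above, together with the name and description constraints listed under Custom Security Groups, translate directly into API calls. The following is an added example, not code from the guide or from AWS: it checks a name or description against the stated character rules, builds the self-referencing rules as EC2 API IpPermissions (the structure used by DescribeSecurityGroups and AuthorizeSecurityGroupIngress), and shows the cross-account form 111122223333/sg-edcd9784 as a UserId field. The ec2 argument of create_self_referencing_group is assumed to be a boto3 EC2 client; the other functions need no AWS access.

```python
"""Added example (not the guide's, not AWS library code): self-referencing
security group rules as EC2 API IpPermissions, plus the name/description
character check. Only create_self_referencing_group talks to AWS, through
an assumed boto3 EC2 client (boto3.client("ec2"))."""
import re
from typing import Dict, List, Optional

# Characters the guide allows in EC2-VPC names and descriptions:
# a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
_VPC_NAME_RE = re.compile(r"^[a-zA-Z0-9 ._\-:/()#,@\[\]+=&;{}!$*]{1,255}$")


def valid_group_name(text: str, vpc: bool) -> bool:
    """1-255 characters; ASCII for EC2-Classic, the set above for EC2-VPC."""
    if not 1 <= len(text) <= 255:
        return False
    if vpc:
        return _VPC_NAME_RE.fullmatch(text) is not None
    return all(ord(c) < 128 for c in text)


def group_pair(group_id: str, account_id: Optional[str] = None) -> Dict[str, str]:
    """One UserIdGroupPairs entry. The "111122223333/sg-edcd9784" prefix form
    for another account's EC2-Classic group becomes a UserId field."""
    pair = {"GroupId": group_id}
    if account_id:
        pair["UserId"] = account_id
    return pair


def self_reference_permissions(group_id: str, vpc: bool) -> List[dict]:
    """Inbound rules that let instances in the group reach each other."""
    pair = [group_pair(group_id)]
    if vpc:
        # EC2-VPC table: one rule, all protocols, all ports
        return [{"IpProtocol": "-1", "UserIdGroupPairs": pair}]
    # EC2-Classic table: ICMP (all types and codes), TCP 0-65535, UDP 0-65535
    return [
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "UserIdGroupPairs": pair},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": pair},
        {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": pair},
    ]


def create_self_referencing_group(ec2, name: str, description: str,
                                  vpc_id: Optional[str] = None) -> str:
    """Create the group and add the self-referencing inbound rules.

    `ec2` is assumed to be a boto3 EC2 client. Passing vpc_id creates an
    EC2-VPC group; omitting it creates an EC2-Classic group.
    """
    vpc = vpc_id is not None
    kind = "EC2-VPC" if vpc else "EC2-Classic"
    for text in (name, description):
        if not valid_group_name(text, vpc):
            raise ValueError(f"invalid name/description for {kind}: {text!r}")
    params = {"GroupName": name, "Description": description}
    if vpc:
        params["VpcId"] = vpc_id
    # The new group is then always referred to by the ID AWS assigns it.
    group_id = ec2.create_security_group(**params)["GroupId"]
    ec2.authorize_security_group_ingress(
        GroupId=group_id,
        IpPermissions=self_reference_permissions(group_id, vpc))
    return group_id
```

Because the rules reference the group's own ID, the group has to exist before the rules can be added, which is why the function creates it first and then authorizes ingress in a second call.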

Creating a Security Group

To create a new security group

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Click Create Security Group.

  4. Specify a name and description for the security group. For VPC, select No VPC to create a security group for EC2-Classic, or select a VPC ID to create a security group for that VPC.

  5. You can start adding rules, or you can click Create to create the security group now (you can always add rules later). For more information about adding rules, see Adding Rules to a Security Group.

To copy a security group

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Select the security group you want to copy, click Actions, and then select Copy to new.

  4. The Create Security Group dialog opens, and is populated with the rules from the existing security group. Specify a name and description for your new security group. In the VPC list, select No VPC to create a security group for EC2-Classic, or select a VPC ID to create a security group for that VPC. When you are done, click Create.

You can assign a security group to an instance when you launch the instance. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.

After you launch an instance in EC2-Classic, you can't change its security groups. After you launch an instance in a VPC, you can change its security groups. For more information, see Changing an Instance's Security Groups in the Amazon Virtual Private Cloud User Guide.

Describing Your Security Groups

To describe your security groups for EC2-Classic

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Select EC2 security groups from the filter list.

  4. Select a security group. We display general information in the Description tab and inbound rules on the Inbound tab.

To describe your security groups for EC2-VPC

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Select VPC security groups from the filter list.

  4. Select a security group. We display general information in the Description tab, inbound rules on the Inbound tab, and outbound rules on the Outbound tab.

Adding Rules to a Security Group

When you add a rule to a security group, the new rule is automatically applied to any instances associated with the security group.

To add rules to a security group

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Select the security group.

  4. You can allow web servers to receive all inbound HTTP and HTTPS traffic. On the Inbound tab, click Edit. In the dialog, click Add Rule. Select HTTP from the Type list, and leave the source as Anywhere (0.0.0.0/0). Add a similar rule for the HTTPS protocol.

    [Figure: Add HTTP and HTTPS rules to a security group]

  5. To connect to a Linux instance, you need to allow SSH traffic. Click Add Rule, and then select SSH from the Type list.

    In the Source field, specify the public IP address of your computer, in CIDR notation. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to list this single IP address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24. You can select My IP from the Source list to let us automatically populate the field with your computer's IP address. However, if you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

    Caution

    If you use 0.0.0.0/0, you enable all IP addresses to access your instance using SSH. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, you'll authorize only a specific IP address or range of addresses to access your instance.

  6. You can allow communication between all instances associated with this security group, or between instances associated with another security group and instances associated with this security group. Click Add Rule, select All ICMP, then start typing the ID of the security group in Source; this provides you with a list of security groups. Select the security group from the list. Repeat the steps for the TCP and UDP protocols. Click Save when you are done.

    [Figure: Add rules for communication between associated instances]

  7. If you are creating a security group for a VPC, you can also specify outbound rules. For an example, see Adding and Removing Rules in the Amazon Virtual Private Cloud User Guide.
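The Caution in step 5 (SSH open to 0.0.0.0/0 is unsafe for production) and the per-group rule limits in the notes above (100 rules for EC2-Classic, 50 for EC2-VPC) are the kind of thing worth checking automatically across all of your groups. The following added audit script is not from the guide or from AWS; it walks security groups in the structure returned by the describe call (SecurityGroups with IpPermissions and IpPermissionsEgress) and reports administrative ports reachable from everyone, rule counts over the stated limit, and rules that trust a group in another account. The sample groups, IDs and addresses are constructed; rules are counted here as one per source entry, which is this example's convention.

```python
"""Added audit example (not the guide's, not AWS code): scan security groups
in the DescribeSecurityGroups response shape for the risks the guide names.
SAMPLE_GROUPS is constructed data; a real run would pass the "SecurityGroups"
list returned by a boto3 ec2.describe_security_groups() call instead."""
from typing import Dict, List

# Per-group rule limits stated in this guide
RULE_LIMIT = {"EC2-Classic": 100, "EC2-VPC": 50}
# Administrative ports that should never be open to 0.0.0.0/0 in production
ADMIN_PORTS = {22: "SSH", 3389: "Remote Desktop"}


def _covers_port(perm: dict, port: int) -> bool:
    """Does this permission include the given TCP port?"""
    if perm.get("IpProtocol") == "-1":
        return True                        # all protocols, all ports
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_to_world(perm: dict) -> bool:
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))


def rule_count(perms: List[dict]) -> int:
    """One rule per CIDR or per source-group entry (this example's convention)."""
    return sum(len(p.get("IpRanges", [])) + len(p.get("UserIdGroupPairs", []))
               for p in perms)


def audit_group(group: dict) -> List[str]:
    """Findings for one security group, as plain strings."""
    findings = []
    gid = group["GroupId"]
    kind = "EC2-VPC" if group.get("VpcId") else "EC2-Classic"
    inbound = group.get("IpPermissions", [])
    # 1. rule count against the limit the guide states for this group type
    total = rule_count(inbound) + rule_count(group.get("IpPermissionsEgress", []))
    if total > RULE_LIMIT[kind]:
        findings.append(f"{gid}: {total} rules exceeds the {RULE_LIMIT[kind]}-rule limit for {kind}")
    # 2. administrative ports reachable from every IP address (the guide's Caution)
    for perm in inbound:
        if not open_to_world(perm):
            continue
        for port, name in ADMIN_PORTS.items():
            if _covers_port(perm, port):
                findings.append(f"{gid}: {name} (port {port}) open to 0.0.0.0/0")
    # 3. rules that trust a security group belonging to a different account
    for perm in inbound:
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("UserId") and pair["UserId"] != group.get("OwnerId"):
                findings.append(f"{gid}: trusts group {pair['GroupId']} in account {pair['UserId']}")
    return findings


def audit(groups: List[dict]) -> Dict[str, List[str]]:
    """Map of group ID to findings, for groups that have any."""
    result = {}
    for g in groups:
        found = audit_group(g)
        if found:
            result[g["GroupId"]] = found
    return result


def _tcp(port: int, cidr: str) -> dict:
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []}


# --- constructed sample: the IDs, account numbers and addresses are made up --
SAMPLE_GROUPS = [
    {"GroupId": "sg-web1234", "GroupName": "web", "OwnerId": "123456789012",
     "VpcId": "vpc-aaaa1111",
     "IpPermissions": [_tcp(80, "0.0.0.0/0"), _tcp(443, "0.0.0.0/0"),
                       _tcp(22, "203.0.113.25/32")],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "UserIdGroupPairs": []}]},
    {"GroupId": "sg-test5678", "GroupName": "test", "OwnerId": "123456789012",
     "IpPermissions": [_tcp(22, "0.0.0.0/0"),            # the Caution's case
                       {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-edcd9784", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-big9999", "GroupName": "sprawl", "OwnerId": "123456789012",
     "VpcId": "vpc-aaaa1111",
     "IpPermissions": [_tcp(p, "10.0.0.0/8") for p in range(8000, 8060)],
     "IpPermissionsEgress": []},
]


if __name__ == "__main__":
    for gid, found in audit(SAMPLE_GROUPS).items():
        for line in found:
            print(line)
```

The web group passes because its only SSH rule is scoped to a single /32, which is exactly the arrangement step 5 recommends; the test group is flagged for the 0.0.0.0/0 SSH rule and the cross-account trust, and the third group for exceeding the 50-rule limit of an EC2-VPC group.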

Deleting Rules from a Security Group

When you delete a rule from a security group, the change is automatically applied to any instances associated with the security group.

To delete a security group rule

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Select a security group.

  4. Click Edit, and then click the Delete icon next to each rule that you need to delete.

  5. Click Save.

Deleting a Security Group

You can't delete a security group that is associated with an instance. You can't delete the default security group.

To delete a security group

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Select a security group and click Delete.

  4. Click Yes, Delete.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon EC2.

  • Create a security group

  • Add one or more ingress rules to a security group

  • [EC2-VPC] Add one or more egress rules to a security group

  • Describe one or more security groups

  • [EC2-VPC] Modify the security groups for an instance

  • Remove one or more ingress rules from a security group

  • [EC2-VPC] Remove one or more egress rules from a security group

  • Delete a security group