Menu
Amazon Elastic Compute Cloud
User Guide for Linux Instances

Amazon EC2 Security Groups for Linux Instances

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When we decide whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups that are associated with the instance.

If you need to allow traffic to a Windows instance, see Amazon EC2 Security Groups for Windows Instances in the Amazon EC2 User Guide for Windows Instances.

If you have requirements that aren't met by security groups, you can maintain your own firewall on any of your instances in addition to using security groups.

Your account may support EC2-Classic in some regions, depending on when you created it. For more information, see Supported Platforms. Security groups for EC2-Classic are separate to security groups for EC2-VPC.

Security Groups for EC2-Classic

If you're using EC2-Classic, you must use security groups created specifically for EC2-Classic. When you launch an instance in EC2-Classic, you must specify a security group in the same region as the instance. You can't specify a security group that you created for a VPC when you launch an instance in EC2-Classic.

After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

In EC2-Classic, you can have up to 500 security groups in each region for each account. You can associate an instance with up to 500 security groups and add up to 100 rules to a security group.

Security Groups for EC2-VPC

If you're using EC2-VPC, you must use security groups created specifically for your VPC. When you launch an instance in a VPC, you must specify a security group for that VPC. You can't specify a security group that you created for EC2-Classic when you launch an instance in a VPC. Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic. For more information, see Differences Between Security Groups for EC2-Classic and EC2-VPC in the Amazon VPC User Guide.

After you launch an instance in a VPC, you can change its security groups. Security groups are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0). For more information, see Changing an Instance's Security Groups in the Amazon VPC User Guide. You can also change the security groups associated with any other network interface. For more information, see Changing the Security Group.

Security groups for EC2-VPC have separate limits. For more information, see Amazon VPC Limits in the Amazon VPC User Guide. The security groups for EC2-Classic do not count against the security group limit for EC2-VPC.

Your VPC can be enabled for IPv6. For more information, see IP addressing in Your VPC in the Amazon VPC User Guide. You can add rules to your VPC security groups to enable inbound and outbound IPv6 traffic.

Security Group Rules

The rules of a security group control the inbound traffic that's allowed to reach the instances that are associated with the security group and the outbound traffic that's allowed to leave them.

The following are the characteristics of security group rules:

  • By default, security groups allow all outbound traffic.

  • You can't change the outbound rules for an EC2-Classic security group.

  • Security group rules are always permissive; you can't create rules that deny access.

  • Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. For more information, see Connection Tracking.

  • You can add and remove rules at any time. Your changes are automatically applied to the instances associated with the security group after a short period.

    Note

    The effect of some rule changes may depend on how the traffic is tracked. For more information, see Connection Tracking.

  • When you associate multiple security groups with an instance, the rules from each security group are effectively aggregated to create one set of rules. We use this set of rules to determine whether to allow access.

    Note

    You can assign multiple security groups to an instance, therefore an instance can have hundreds of rules that apply. This might cause problems when you access the instance. We recommend that you condense your rules as much as possible.

For each rule, you specify the following:

  • Protocol: The protocol to allow. The most common protocols are 6 (TCP) 17 (UDP), and 1 (ICMP).

  • Port range : For TCP, UDP, or a custom protocol, the range of ports to allow.

  • ICMP type and code: For ICMP, the ICMP type and code.

  • Source or destination: The source (inbound rules) or destination (outbound rules) for the traffic. Specify one of these options:

    • An individual IPv4 address. You must use the /32 prefix after the IPv4 address; for example, 203.0.113.1/32.

    • (VPC only) An individual IPv6 address. You must use the /128 prefix length; for example 2001:db8:1234:1a00::123/128.

    • A range of IPv4 addresses, in CIDR block notation, for example, 203.0.113.0/24.

    • (VPC only) A range of IPv6 addresses, in CIDR block notation, for example, 2001:db8:1234:1a00::/64.

    • Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group. You can specify one of the following security groups:

      • The current security group.

      • EC2-Classic: A different security group for EC2-Classic in the same region.

      • EC2-Classic: A security group for another AWS account in the same region (add the AWS account ID as a prefix; for example, 111122223333/sg-edcd9784).

      • EC2-VPC: A different security group for the same VPC or a peer VPC in a VPC peering connection.

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses). For more information about IP addresses, see Amazon EC2 Instance IP Addressing. If your security group rule references a security group in a peer VPC, and the referenced security group or VPC peering connection is deleted, the rule is marked as stale. For more information, see Working with Stale Security Group Rules in the Amazon VPC Peering Guide.

If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.

Connection Tracking

Your security groups use connection tracking to track information about traffic to and from the instance. Rules are applied based on the connection state of the traffic to determine if the traffic is allowed or denied. This allows security groups to be stateful — responses to inbound traffic are allowed to flow out of the instance regardless of outbound security group rules, and vice versa. For example, if you initiate an ICMP ping command to your instance from your home computer, and your inbound security group rules allow ICMP traffic, information about the connection (including the port information) is tracked. Response traffic from the instance for the ping command is not tracked as a new request, but rather as an established connection and is allowed to flow out of the instance, even if your outbound security group rules restrict outbound ICMP traffic.

Not all flows of traffic are tracked. If a security group rule permits TCP or UDP flows for all traffic and there is a corresponding rule in the other direction that permits the response traffic, then that flow of traffic is not tracked. The response traffic is therefore allowed to flow based on the inbound or outbound rule that permits the response traffic, and not on tracking information.

An existing flow of traffic that is tracked may not be interrupted when you remove the security group rule that enables that flow. Instead, the flow is interrupted when it's stopped by you or the other host for at least a few minutes (or up to 5 days for established TCP connections). For UDP, this may require terminating actions on the remote side of the flow. An untracked flow of traffic is immediately interrupted if the rule that enables the flow is removed or modified. For example, if you remove a rule that allows all inbound SSH traffic to the instance, then your existing SSH connections to the instance are immediately dropped.

For protocols other than TCP, UDP, or ICMP, only the IP address and protocol number is tracked. If your instance sends traffic to another host (host B), and host B initiates the same type of traffic to your instance in a separate request within 600 seconds of the original request or response, your instance accepts it regardless of inbound security group rules, because it’s regarded as response traffic.

For VPC security groups, to ensure that traffic is immediately interrupted when you remove a security group rule, or to ensure that all inbound traffic is subject to firewall rules, you can use a network ACL for your subnet — network ACLs are stateless and therefore do not automatically allow response traffic. For more information, see Network ACLs in the Amazon VPC User Guide.

Default Security Groups

Your AWS account automatically has a default security group per VPC and per region for EC2-Classic. If you don't specify a security group when you launch an instance, the instance is automatically associated with the default security group.

A default security group is named default, and it has an ID assigned by AWS. The following are the default rules for each default security group:

  • Allows all inbound traffic from other instances associated with the default security group (the security group specifies itself as a source security group in its inbound rules)

  • Allows all outbound traffic from the instance.

You can add or remove the inbound rules for any default security group. You can add or remove outbound rules for any VPC default security group.

You can't delete a default security group. If you try to delete the EC2-Classic default security group, you'll get the following error: Client.InvalidGroup.Reserved: The security group 'default' is reserved. If you try to delete a VPC default security group, you'll get the following error: Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.

Custom Security Groups

If you don't want your instances to use the default security group, you can create your own security groups and specify them when you launch your instances. You can create multiple security groups to reflect the different roles that your instances play; for example, a web server or a database server.

When you create a security group, you must provide it with a name and a description. Security group names and descriptions can be up to 255 characters in length, and are limited to the following characters:

  • EC2-Classic: ASCII characters

  • EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

The following are the default rules for a security group that you create:

  • Allows no inbound traffic

  • Allows all outbound traffic

After you've created a security group, you can change its inbound rules to reflect the type of inbound traffic that you want to reach the associated instances. In EC2-VPC, you can also change its outbound rules.

For more information about the types of rules you can add to security groups, see Security Group Rules Reference.

Working with Security Groups

You can create, view, update, and delete security groups and security group rules using the Amazon EC2 console.

Creating a Security Group

You can create a custom security group using the Amazon EC2 console. For EC2-VPC, you must specify the VPC for which you're creating the security group.

To create a new security group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Choose Create Security Group.

  4. Specify a name and description for the security group.

  5. (EC2-Classic only) To create a security group for use in EC2-Classic, choose No VPC.

    (EC2-VPC) For VPC, choose a VPC ID to create a security group for that VPC.

  6. You can start adding rules, or you can choose Create to create the security group now (you can always add rules later). For more information about adding rules, see Adding Rules to a Security Group.

The Amazon EC2 console enables you to copy the rules from an existing security group to a new security group.

To copy a security group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group you want to copy, choose Actions, Copy to new.

  4. The Create Security Group dialog opens, and is populated with the rules from the existing security group. Specify a name and description for your new security group. In the VPC list, choose No VPC to create a security group for EC2-Classic, or choose a VPC ID to create a security group for that VPC. When you are done, choose Create.

You can assign a security group to an instance when you launch the instance. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.

After you launch an instance in EC2-Classic, you can't change its security groups. After you launch an instance in a VPC, you can change its security groups. For more information, see Changing an Instance's Security Groups in the Amazon VPC User Guide.

Describing Your Security Groups

To describe your security groups for EC2-Classic

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Select Network Platforms from the filter list, then choose EC2-Classic.

  4. Select a security group. The Description tab displays general information. The Inbound tab displays the inbound rules.

To describe your security groups for EC2-VPC

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Select Network Platforms from the filter list, then choose EC2-VPC.

  4. Select a security group. We display general information in the Description tab, inbound rules on the Inbound tab, and outbound rules on the Outbound tab.

Adding Rules to a Security Group

When you add a rule to a security group, the new rule is automatically applied to any instances associated with the security group.

For more information about choosing security group rules for specific types of access, see Security Group Rules Reference.

To add rules to a security group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups and select the security group.

  3. On the Inbound tab, choose Edit.

  4. In the dialog, choose Add Rule and do the following:

    • For Type, select the protocol.

    • If you select a custom TCP or UDP protocol, specify the port range in Port Range.

    • If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range.

    • For Source, choose one of the following:

      • Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.

      • Anywhere: automatically adds the 0.0.0.0/0 IPv4 CIDR block. This option enables all traffic of the specified type to reach your instance. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your instance.

        Note

        If your security group is in a VPC that's enabled for IPv6, the Anywhere option creates two rules—one for IPv4 traffic (0.0.0.0/0) and one for IPv6 traffic (::/0).

      • My IP: automatically adds the public IPv4 address of your local computer.

    For more information about the types of rules that you can add, see Security Group Rules Reference.

  5. Choose Save.

  6. For a VPC security group, you can also specify outbound rules. On the Outbound tab, choose Edit, Add Rule, and do the following:

    • For Type, select the protocol.

    • If you select a custom TCP or UDP protocol, specify the port range in Port Range.

    • If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range.

    • For Destination, choose one of the following:

      • Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.

      • Anywhere: automatically adds the 0.0.0.0/0 IPv4 CIDR block. This option enables outbound traffic to all IP addresses.

        Note

        If your security group is in a VPC that's enabled for IPv6, the Anywhere option creates two rules—one for IPv4 traffic (0.0.0.0/0) and one for IPv6 traffic (::/0).

      • My IP: automatically adds the IP address of your local computer.

  7. Choose Save.

Deleting Rules from a Security Group

When you delete a rule from a security group, the change is automatically applied to any instances associated with the security group.

To delete a security group rule

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Select a security group.

  4. On the Inbound tab (for inbound rules) or Outbound tab (for outbound rules), choose Edit. Choose Delete (a cross icon) next to each rule to delete.

  5. Choose Save.

Deleting a Security Group

You can't delete a security group that is associated with an instance. You can't delete the default security group. You can't delete a security group that is referenced by a rule in another security group in the same VPC. If your security group is referenced by one of its own rules, you must delete the rule before you can delete the security group.

To delete a security group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Select a security group and choose Actions, Delete Security Group.

  4. Choose Yes, Delete.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon EC2.

When you specify a security group for a nondefault VPC when using a command line tool, you must use the security group ID and not the security group name to identify the security group.

Create a security group

Add one or more ingress rules to a security group

[EC2-VPC] Add one or more egress rules to a security group

Describe one or more security groups

[EC2-VPC] Modify the security groups for an instance

Remove one or more ingress rules from a security group

[EC2-VPC] Remove one or more egress rules from a security group

Delete a security group