A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. You add rules to each security group that control traffic for the instance. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances to which the security group is assigned.
This section provides information about security groups and security group rules.
If you're using EC2-Classic, you must create security groups for each region in which you'll launch instances. When you launch an instance in EC2-Classic, you must specify a security group in the same region as the instance. You can't specify any security groups you created for EC2-VPC when you launch an instance in EC2-Classic.
Security group rules control the inbound traffic allowed to reach the instances associated with the security group. All other inbound traffic is discarded, and all outbound traffic is allowed by default.
Note
On EC2-Classic, you can't change which security groups are assigned to an instance after it's launched. However, on EC2-VPC, you can change which security groups are assigned to an instance after it's launched.
If you're using EC2-VPC, you must create security groups specifically for your VPC. You can only specify the security groups for a VPC with instances in that VPC. You can't specify any security groups you created for EC2-Classic when you launch an instance in a VPC.
Security group rules control the inbound traffic allowed to reach the instances associated with the security group and the outbound traffic allowed to leave them. All other traffic, inbound or outbound, is discarded.
When you specify a security group for a nondefault VPC in a CLI command or an API action, you must identify the security group by its ID, not its name.
Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic. For more information about security groups for EC2-VPC, see Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.
Your AWS account automatically comes with a default security group for EC2-Classic. When you create a VPC, it automatically comes with a default security group. If you don't specify a different security group when you launch an instance, the instance is automatically associated with the appropriate default security group.
A default security group is named default, and it has an ID assigned by AWS.
These are the initial settings for the default security group:
Allow no inbound traffic (other than from instances with the same security group)
Allow all outbound traffic from the instance
Allow all inbound and outbound traffic between instances with the same security group
You can change the rules for a default security group. For example, you can add an inbound rule to allow SSH or Remote Desktop connections from specific hosts for the purposes of instance management.
You can't delete a default security group.
If you don't want all your instances to use the default security group, you can create your own security groups. You can create security groups that reflect the different roles your instances play in your system. For information about security groups for web servers and database servers, see Creating the WebServerSG and DBServerSG Security Groups in the Amazon Virtual Private Cloud User Guide.
When you create a security group, you must provide it with a name and a description. Security group names and descriptions can be up to 255 characters in length, and are limited to the following characters:
EC2-Classic: ASCII characters
EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
AWS assigns each security group a unique ID in the form sg-xxxxxxxx. The following are the initial settings for a security group that you create:
Allow no inbound traffic
Allow all outbound traffic
After you've created a security group, you can change its inbound rules to reflect the type of inbound traffic that you want to reach the associated instances. In EC2-VPC, you can also change its outbound rules. To allow instances that have the same security group to talk to each other, you must explicitly add rules for this.
Note
In EC2-Classic, you can create up to 500 security groups in each region for each account. In EC2-VPC, you can create up to 100 security groups per VPC. The security groups for EC2-Classic do not count against the security group limit for EC2-VPC.
When you launch an instance, you can associate it with one or more security groups. When deciding whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups associated with the instance.
Note
In EC2-Classic, you can assign up to 500 security groups to an instance. In EC2-VPC, you can assign up to 5 security groups to an instance.
If you don't specify any security groups when you launch an instance, the instance is automatically associated with the default security group and uses the rules for that group.
After you launch an instance in EC2-Classic, you can't change its security groups. However, you can change the rules of a security group, and those changes are automatically applied to all instances that are associated with the security group.
The rules of a security group control the inbound traffic that's allowed to reach the instances associated with the security group. All outbound traffic is allowed by default. You can't change the outbound behavior for EC2-Classic.
You can't modify an existing rule in a security group. However, you can add and remove rules at any time. Your changes are automatically applied to instances associated with the security group after a short period.
For each rule, you define the following:
The protocol allowed, together with the destination port or port range (for TCP and UDP) or the ICMP type and code (for ICMP).
The source that is granted access to that protocol and port. The source can be one of the following:
An individual IP address (for example, 203.0.113.1).
An IP address range, in CIDR notation (for example, 203.0.113.0/24).
A security group. This security group can be one of the following:
The current security group.
A different security group in your AWS account.
A security group in another AWS account.
Each inbound security group rule enables a specific source to reach the instances using a certain protocol (TCP, UDP, or ICMP) and destination port or ports (if the protocol is TCP or UDP). For example, a rule could allow IP address 203.0.113.1 (the source) to reach the instances on TCP port 22 (the protocol and destination port). If you specify ICMP as the protocol for the rule, you must also specify an ICMP type and code.
Note
You can get the public IP address of your local computer using a service. To locate a service that provides your IP address, use the search phrase "what is my IP address". If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers. Keep in mind that a rule for that range admits every host in it, not only your computer, so keep the range as narrow as your ISP or firewall allows.
By specifying a security group as the source, you allow incoming traffic to reach all instances associated with the source security group. The incoming traffic that you allow is based on the private IP addresses of the instances associated with the source security group. The security group can be another security group in your AWS account, a security group in a different AWS account, or the security group itself. If the security group is in a different AWS account, prefix the security group name or ID with the AWS account ID and a forward slash (for example, 111122223333/sg-edcd9784).
Note
You can't create a security group for EC2-VPC that references a security group for EC2-Classic, and you can't create a security group for EC2-Classic that references a security group for EC2-VPC.
If you specify the security group itself as the source, each instance accepts inbound traffic from other instances associated with the security group. For example, the default security group specifies itself as a source security group in its inbound security group rules. This is why instances associated with the default security group allow inbound traffic from other instances associated with the default security group.
Security group rules are always permissive, so you cannot create any rules that deny access to a port. Also, if there is more than one rule for a specific port, the most permissive rule is always applied. For example, if you have a rule that allows access to port 22 from IP address 203.0.113.1, and another rule that allows access to port 22 from everyone, everyone has access to port 22.
When multiple security groups are applied to an instance, the rules from each security group are effectively aggregated to create one larger set of rules. The aggregated rules are then used to determine access to the instances.
In EC2-Classic, you can add up to 100 rules per security group. In EC2-VPC, you can add up to 50 rules per security group. If you need additional rules for an instance, you can assign it multiple security groups.
Caution
Because you can assign multiple security groups to an instance, an instance can end up with hundreds of rules in effect. A rule set that large is hard to reason about, and a single broad rule in any one of the groups silently overrides the narrower rules in the others. Therefore, we recommend that you condense your rules as much as possible and review the aggregated set, not each group in isolation.
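The evaluation model described above (rules are allow-only, the groups attached to an instance are aggregated into one set, a source can be a CIDR block or a security group reference such as 111122223333/sg-edcd9784, and the default group references itself) is easy to get wrong by inspection alone. The following Python is an added example, not AWS code or output from any AWS API: it models that evaluation for constructed security groups, then audits the aggregated rules for two of the pitfalls the text warns about, a management port opened to 0.0.0.0/0 and a narrow rule made redundant by a broader one. The group IDs, account IDs, addresses and the `Rule`/`SecurityGroup`/`Peer` types are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp"}
ANYWHERE = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule (there are no deny rules). Ports are -1 for 'all';
    for icmp, from_port is the ICMP type and to_port the code (-1 = any).
    Exactly one of cidr / source_sg is set."""
    protocol: str                      # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int = -1
    to_port: int = -1
    cidr: Optional[str] = None         # e.g. "203.0.113.0/24"
    source_sg: Optional[str] = None    # "sg-1a2b3c4d" or "111122223333/sg-1a2b3c4d"


@dataclass
class SecurityGroup:
    sg_id: str
    account: str
    rules: list = field(default_factory=list)


@dataclass
class Peer:
    """The connecting host: its IP and the (account, sg-id) pairs it belongs to.
    Membership stands in for 'the private IPs of instances in the source group'."""
    ip: str
    groups: frozenset = frozenset()


def parse_sg_ref(ref: str, own_account: str):
    """'111122223333/sg-x' -> ('111122223333', 'sg-x'); a bare id belongs to own_account."""
    account, _, sg = ref.rpartition("/")
    return (account or own_account), sg


def _ports_cover(rule: Rule, protocol: str, port) -> bool:
    if rule.protocol == "-1":
        return True
    if rule.protocol != protocol:
        return False
    if protocol == "icmp":
        icmp_type, icmp_code = port
        return rule.from_port in (-1, icmp_type) and rule.to_port in (-1, icmp_code)
    return rule.from_port == -1 or rule.from_port <= port <= rule.to_port


def _source_matches(rule: Rule, peer: Peer, own_account: str) -> bool:
    if rule.cidr is not None:
        # A v4 address is never 'in' a v6 network and vice versa; ipaddress handles that.
        return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.cidr, strict=False)
    return parse_sg_ref(rule.source_sg, own_account) in peer.groups


def is_allowed(groups, peer: Peer, protocol: str, port) -> list:
    """Rules (as (sg_id, rule)) across every attached group that admit this flow.
    Empty list means the packet is dropped; any single match is enough (union semantics)."""
    return [(g.sg_id, r) for g in groups for r in g.rules
            if _ports_cover(r, protocol, port) and _source_matches(r, peer, g.account)]


def _range_covers(broad: Rule, narrow: Rule) -> bool:
    """True when every (protocol, port) admitted by narrow is also admitted by broad."""
    if broad.protocol == "-1":
        return True
    if broad.protocol != narrow.protocol:
        return False
    if broad.protocol == "icmp":
        return broad.from_port in (-1, narrow.from_port) and broad.to_port in (-1, narrow.to_port)
    if broad.from_port == -1:
        return True
    return narrow.from_port != -1 and broad.from_port <= narrow.from_port <= narrow.to_port <= broad.to_port


def exposed_management_ports(groups):
    """SSH/RDP reachable from anywhere in the aggregated set: the 'most permissive wins' trap."""
    findings = set()
    for g in groups:
        for r in g.rules:
            if r.cidr in ANYWHERE:
                for port, name in MANAGEMENT_PORTS.items():
                    if _ports_cover(r, "tcp", port):
                        findings.add((g.sg_id, name, port))
    return sorted(findings)


def shadowed_rules(groups):
    """CIDR rules made redundant by a broader CIDR rule in any attached group,
    e.g. port 22 from 203.0.113.1/32 next to port 22 from 0.0.0.0/0."""
    flat = [(g.sg_id, r) for g in groups for r in g.rules if r.cidr is not None]
    out = []
    for sid, narrow in flat:
        n_net = ipaddress.ip_network(narrow.cidr, strict=False)
        for bid, broad in flat:
            if broad is narrow:
                continue
            b_net = ipaddress.ip_network(broad.cidr, strict=False)
            if b_net.version == n_net.version and b_net.supernet_of(n_net) and _range_covers(broad, narrow):
                out.append((sid, narrow, bid, broad))
    return out


# Constructed sample data: a default-style self-referencing group plus a web-tier group.
OWN_ACCOUNT = "123456789012"
DEFAULT_SG = SecurityGroup("sg-0default0", OWN_ACCOUNT, [
    Rule("-1", source_sg="sg-0default0"),                           # self-reference, like 'default'
])
WEB_SG = SecurityGroup("sg-0web00000", OWN_ACCOUNT, [
    Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
    Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
    Rule("tcp", 22, 22, cidr="203.0.113.1/32"),                     # intended: admin host only
    Rule("tcp", 22, 22, cidr="0.0.0.0/0"),                          # mistake: makes the rule above moot
    Rule("tcp", 3306, 3306, source_sg="111122223333/sg-edcd9784"),  # app tier in another account
])
INSTANCE_GROUPS = [DEFAULT_SG, WEB_SG]

if __name__ == "__main__":
    print("exposed:", exposed_management_ports(INSTANCE_GROUPS))
    for sid, narrow, bid, broad in shadowed_rules(INSTANCE_GROUPS):
        print(f"{sid} {narrow} is shadowed by {bid} {broad}")
```

`is_allowed` returns every matching rule rather than a boolean so that the audit output names the group and rule that actually grants access; when an instance has several groups attached, that is the information you need to find which group to fix.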
To create a security group for EC2-Classic
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, click Security Groups.
Click Create Security Group.
Specify a name and description for the security group. Select No VPC for VPC, and then click Yes, Create.
To create a security group for EC2-VPC
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, click Security Groups.
Click Create Security Group.
Specify a name and description for the security group. Select the ID of your VPC for VPC, and then click Yes, Create.
To view your security groups
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, click Security Groups.
To view more information about a security group, including its rules, select it. The information is displayed in the details pane.
When you add a rule to a security group, the new rule is automatically applied to any instances in the group.
To add a rule to a security group
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, click Security Groups.
Select a security group. The details pane displays information about the security group, plus tabs for working with its rules.
Select the Inbound tab and add one or more inbound rules.
Select an option from the Create a new rule list.
[Custom protocol rule only] Specify a port or port range.
In the Source field, specify one of the following:
An IP address range in CIDR notation (to allow access from that IP address range). Enter an IP address or range of addresses to limit access to one computer or a network, for example 203.0.113.5/32. For a web server, you might enter 0.0.0.0/0 on the HTTP and HTTPS rules to allow all IP addresses; keep management rules such as SSH or Remote Desktop restricted to the specific hosts or ranges you administer from.
The name or ID of a security group (to allow access based on that security group). If the security group belongs to another AWS account, add the AWS account ID and a forward slash as a prefix (for example, 111122223333/OtherSecurityGroup).
Click Add Rule.

After adding all the rules for inbound traffic that you need, click Apply Rule Changes.
When you delete a rule from a security group, the change is automatically applied to any instances in the group.
To delete a security group rule
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, click Security Groups.
Select a security group.
On the Inbound tab in the details pane, click the Delete button next to each rule to delete.
An asterisk appears on the Inbound tab to indicate that there are changes that have not been applied.
Click Apply Rule Changes.
You can delete a security group only if it isn't assigned to any instances and isn't referenced as the source in another security group's rules. You can't delete the default security group.
To delete a security group
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, click Security Groups.
Select a security group and click Delete.
Click Yes, Delete.
The following table summarizes the available commands and corresponding API actions for security groups.
| Description | Command | API Action |
|---|---|---|
| Creates a security group. | | |
| Adds one or more rules to a security group. | | AuthorizeSecurityGroupEgress (EC2-VPC only) |
| Describes one or more of your security groups. | | |
| [EC2-VPC only] Modifies the security groups an instance is associated with. | | |
| Removes one or more rules from a security group. | | |
| Deletes a security group. | | |