A security group acts as a virtual firewall to control the traffic allowed in and out of its associated instances. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic things you need to know about security groups for your VPC and their rules.
You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.
The following are the basic characteristics of security groups for your VPC:

- You can create up to 100 security groups per VPC. You can add up to 50 rules to each security group. If you need to apply more than 50 rules to an instance, you can specify up to 5 security groups for each instance.
- You can specify allow rules, but not deny rules.
- You can specify separate rules for inbound and outbound traffic.
- By default, no inbound traffic is allowed until you add inbound rules to the security group.
- By default, all outbound traffic is allowed until you add outbound rules to the group (and then, you specify the outbound traffic that's allowed).
- Responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa (security groups are therefore stateful).
- Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).
- After you launch an instance, you can change which security groups the instance is associated with.
Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don't specify a different security group when you launch the instance.
The following are the default settings for a default security group:

- Allow no inbound traffic to the instance (other than from instances with the same security group)
- Allow all outbound traffic from the instance
- Allow all inbound and outbound traffic between instances with the same security group
You can change the rules for the default security group.
You can add or remove rules for a security group (also referred to as authorizing or revoking inbound or outbound access). A rule applies either to inbound traffic (ingress) or outbound traffic (egress). You can grant access to a specific CIDR range, or to another security group in your VPC.
The following are the basic parts of a security group rule:

- (Inbound rules only) The source of the traffic (CIDR range or security group) and the destination port or port range
- (Outbound rules only) The destination for the traffic (CIDR range or security group) and the destination port or port range
- Any protocol that has a standard protocol number (for a list, see Protocol Numbers)
- If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes
When you add or remove rules, they are automatically applied to all instances associated with the security group.
Note
Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports.
The following is an example of the rules for a security group.

Inbound

| Source | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access from anywhere |
| 0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access from anywhere |

Outbound

| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| DBServerSG | TCP | 1433 | Allow outbound MS SQL access to instances in the group named DBServerSG |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (for example, for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (for example, for software updates) |
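The following is an added example, not code from this guide or from AWS, that models the security group behaviour described in the characteristics list above and in the example rule set: rules are allow-only, inbound and outbound rules are separate sets, responses to allowed traffic pass without an outbound rule (stateful), and a rule's peer can be a CIDR block or another security group in the VPC. It builds the example table's rules and evaluates a few constructed flows against them. The web group name `WebServerSG`, the instance names and addresses, and the inbound rule on DBServerSG that accepts port 1433 from the web group are all assumptions; the page names only DBServerSG. The rule limit is counted across both directions, which is this example's reading of "50 rules per security group".

```python
"""Model of VPC security group semantics (added example; not AWS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

MAX_RULES_PER_GROUP = 50       # limit stated on the page (counted here across both directions: assumption)
MAX_GROUPS_PER_INSTANCE = 5    # limit stated on the page


@dataclass(frozen=True)
class Rule:
    protocol: str              # "tcp", "udp", "icmp", "-1" (all protocols) or a protocol number as a string
    from_port: Optional[int]   # tcp/udp: first destination port; icmp: type; None if not applicable
    to_port: Optional[int]     # tcp/udp: last destination port;  icmp: code
    peer: str                  # CIDR such as "0.0.0.0/0", or the name of a security group in the same VPC

    def __post_init__(self):
        # Port numbers are meaningful only for TCP/UDP rules, and those rules require them.
        if self.protocol in ("tcp", "udp") and (self.from_port is None or self.to_port is None):
            raise ValueError("TCP/UDP rules need a destination port range")

    def matches(self, proto, dst_port, peer_ip, peer_groups):
        """True if this allow rule covers a packet of `proto` to `dst_port` exchanged with `peer_ip`,
        whose instance (if any) belongs to `peer_groups`. ICMP type/code matching is omitted here."""
        if self.protocol != "-1" and self.protocol != proto:
            return False
        if self.protocol in ("tcp", "udp") and not (self.from_port <= dst_port <= self.to_port):
            return False
        if "/" in self.peer:  # CIDR peer: filter on the address only
            return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.peer)
        return self.peer in peer_groups  # security-group peer: matches instances in that group


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def authorize(self, direction, rule):
        """Add (authorize) a rule; there is no deny rule, absence of a rule is the denial."""
        if len(self.inbound) + len(self.outbound) >= MAX_RULES_PER_GROUP:
            raise ValueError(f"{self.name}: limit of {MAX_RULES_PER_GROUP} rules reached")
        (self.inbound if direction == "inbound" else self.outbound).append(rule)


def default_security_group(name="default"):
    """The VPC default group: all traffic from members of the same group in, all traffic out."""
    sg = SecurityGroup(name)
    sg.authorize("inbound", Rule("-1", None, None, name))
    sg.authorize("outbound", Rule("-1", None, None, "0.0.0.0/0"))
    return sg


class Decision(NamedTuple):
    allowed: bool
    reason: str


class Vpc:
    def __init__(self):
        self.groups = {}      # group name -> SecurityGroup
        self.instances = {}   # instance name -> (ip, frozenset of group names)
        self.tracked = set()  # connection tracking: (proto, src_ip, sport, dst_ip, dport) of allowed flows

    def add_group(self, sg):
        self.groups[sg.name] = sg
        return sg

    def launch(self, name, ip, *group_names):
        groups = frozenset(group_names) or frozenset({"default"})  # no group given -> default group
        if len(groups) > MAX_GROUPS_PER_INSTANCE:
            raise ValueError(f"{name}: at most {MAX_GROUPS_PER_INSTANCE} security groups per instance")
        self.instances[name] = (ip, groups)

    def _endpoint(self, who):
        # `who` is an instance name in this VPC, or an external IP address string (no groups).
        return self.instances.get(who, (who, frozenset()))

    def _rules_allow(self, groups, direction, proto, dport, peer_ip, peer_groups):
        # An instance in several groups gets the union of their rules.
        return any(r.matches(proto, dport, peer_ip, peer_groups)
                   for g in groups for r in getattr(self.groups[g], direction))

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        src_ip, src_groups = self._endpoint(src)
        dst_ip, dst_groups = self._endpoint(dst)
        # Stateful: the reverse of an allowed flow passes without consulting either rule set.
        if (proto, dst_ip, dport, src_ip, sport) in self.tracked:
            return Decision(True, "response to tracked flow")
        if src_groups and not self._rules_allow(src_groups, "outbound", proto, dport, dst_ip, dst_groups):
            return Decision(False, f"no outbound rule on {src} permits {proto}/{dport} to {dst}")
        if dst_groups and not self._rules_allow(dst_groups, "inbound", proto, dport, src_ip, src_groups):
            return Decision(False, f"no inbound rule on {dst} permits {proto}/{dport} from {src}")
        self.tracked.add((proto, src_ip, sport, dst_ip, dport))
        return Decision(True, "matched allow rules")


def build_example_vpc():
    """The page's example rule set; WebServerSG, the instances and DBServerSG's inbound rule are assumed."""
    vpc = Vpc()
    vpc.add_group(default_security_group())
    web = vpc.add_group(SecurityGroup("WebServerSG"))
    web.authorize("inbound", Rule("tcp", 80, 80, "0.0.0.0/0"))
    web.authorize("inbound", Rule("tcp", 443, 443, "0.0.0.0/0"))
    web.authorize("outbound", Rule("tcp", 1433, 1433, "DBServerSG"))
    web.authorize("outbound", Rule("tcp", 80, 80, "0.0.0.0/0"))
    web.authorize("outbound", Rule("tcp", 443, 443, "0.0.0.0/0"))
    db = vpc.add_group(SecurityGroup("DBServerSG"))
    db.authorize("inbound", Rule("tcp", 1433, 1433, "WebServerSG"))
    vpc.launch("web1", "10.0.0.10", "WebServerSG")   # constructed addresses
    vpc.launch("web2", "10.0.0.11", "WebServerSG")
    vpc.launch("db1", "10.0.1.20", "DBServerSG")
    vpc.launch("app1", "10.0.2.30")                  # default security group
    vpc.launch("app2", "10.0.2.31")
    return vpc


if __name__ == "__main__":
    vpc = build_example_vpc()
    client = "203.0.113.5"  # constructed external address
    print(vpc.evaluate(client, 50000, "web1", 443))           # allowed: inbound HTTPS rule
    print(vpc.evaluate("web1", 443, client, 50000))           # allowed: response, no outbound rule needed
    print(vpc.evaluate(client, 50001, "web1", 22))            # denied: no rule means denied
    print(vpc.evaluate("web1", 40000, "db1", 1433))           # allowed: group-referencing rules on both sides
    print(vpc.evaluate("web1", 40001, "198.51.100.7", 1433))  # denied: 1433 is allowed only to DBServerSG
    print(vpc.evaluate("web1", 40002, "web2", 22))            # denied: same group does not imply access
    print(vpc.evaluate("app1", 40003, "app2", 22))            # allowed: default group permits intra-group
```

The evaluations at the bottom show the points a reviewer of a rule set usually has to explain: the web instances cannot reach each other on port 22 even though they share a group, the outbound rule for port 1433 is useless against an address on the Internet because it references a group, and the response to the client's HTTPS request leaves without any outbound rule for the client's ephemeral port.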
If you're already an Amazon EC2 user, you're probably familiar with security groups. However, you can't use the security groups that you've created for use with EC2-Classic with instances in your VPC. You must create security groups specifically for use with instances in your VPC. The rules you create for use with a security group for a VPC can't reference a security group for EC2-Classic, and vice versa.
The following table summarizes the differences between security groups for use with EC2-Classic and those for use with EC2-VPC.
| EC2-Classic | EC2-VPC |
|---|---|
| You can create up to 500 security groups per region. | You can create up to 100 security groups per VPC. |
| You can add up to 100 rules to a security group. | You can add up to 50 rules to a security group. |
| You can add rules for inbound traffic only. | You can add rules for inbound and outbound traffic. |
| You can assign an unlimited number of security groups to an instance. | You can assign up to 5 security groups to an instance. |
| You can reference security groups from other AWS accounts. | You can reference security groups for your VPC only. |
| After you launch an instance, you can't change the security groups assigned to it. | You can change the security groups assigned to an instance after it's launched. |
| When you add a rule to a security group, you don't have to specify a protocol, and only TCP, UDP, or ICMP are available. | When you add a rule to a security group, you must specify a protocol, and it can be any protocol with a standard protocol number, or all protocols (see Protocol Numbers). |
| When you add a rule to a security group, you must specify port numbers (for TCP or UDP). | When you add a rule to a security group, you can specify port numbers only if the rule is for TCP or UDP, and you can specify all port numbers. |
This section shows you how to work with security groups using the AWS Management Console.
Your VPC includes a default security group whose initial rules are to deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances in the group. You can't delete this group; however, you can change the group's rules. The procedure is the same as modifying any other security group. For more information, see Adding and Removing Rules.
Although you can use the default security group for your instances, you might want to create your own groups to reflect the different roles that instances play in your system. Several of the scenarios presented in this guide include instructions for creating your own security groups. For more information, see Scenarios for Using Amazon VPC.
To create a security group

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. Click Security Groups in the navigation pane.
3. Click the Create Security Group button.
4. Enter a name for the security group, and provide a description. Select the ID of your VPC from the VPC menu, and then click Yes, Create.
By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic.
When you add or remove a rule, any instances already assigned to the security group are subject to the change. You can't modify rules; you can only add and delete rules.
Several of the scenarios presented in this guide include instructions for adding rules to security groups. For more information, see Scenarios for Using Amazon VPC.
To add a rule

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. Click Security Groups in the navigation pane.
3. Select the security group to update. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.
4. Using the Inbound tab, select an option for a rule for inbound traffic from Create a new rule, fill in the required information, and then click Add Rule. For example, select HTTP or HTTPS and leave the Source as 0.0.0.0/0. Notice that the Apply Rule Changes button is enabled, and the text "Your changes have not been applied yet" appears above the button. After adding all the rules for inbound traffic that you need, click Apply Rule Changes to add the rules.
5. Repeat the process described in the previous step to add rules for outbound traffic using the Outbound tab.
To delete a rule

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. Click Security Groups in the navigation pane.
3. Select the security group to update. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.
4. For the rule that you want to delete, click Delete. Notice that the Apply Rule Changes button is enabled, and the text "Your changes have not been applied yet" appears above the button.
5. Click Apply Rule Changes to delete the rule.
You can change the security groups that an instance in a VPC is assigned to after the instance is launched. When you make this change, the instance can be either running or stopped.
To change an instance's security groups

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Click Instances in the navigation pane.
3. Right-click the instance, and then select Change Security Groups.
4. In the Change Security Groups dialog box, select one or more security groups from Security Groups, and then click Yes, Change.
You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an Instance's Security Groups).
To delete a security group

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. Click Security Groups in the navigation pane.
3. Select the security group, and then click Delete.
4. In the Delete Security Group dialog box, click Yes, Delete.
Any VPC created using an API version older than 2011-01-01 has the 2009-07-15-default security group. This security group exists in addition to the regular default security group that comes with every VPC. You can't attach an Internet gateway to a VPC that has the 2009-07-15-default security group. Therefore, you must delete this security group before you can attach an Internet gateway to the VPC.
Note
If you assigned this security group to any instances, you must assign these instances a different security group before you can delete the security group.
To delete the 2009-07-15-default security group

1. Ensure that this security group is not assigned to any instances.
   1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
   2. Click Network Interfaces in the navigation pane.
   3. Select the network interface for the instance from the list, and then select Change Security Groups from the Actions list.
   4. In the Change Security Groups dialog box, select a new security group from the Security Groups list, and then click Save.

      Tip
      When changing an instance's security group, you can select multiple groups from the list. The security groups that you select replace the current security groups for the instance.
   5. Repeat the preceding steps for each instance.
2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
3. Click Security Groups in the navigation pane.
4. Select the 2009-07-15-default security group, and then click the Delete button.
5. In the Delete Security Group dialog box, click Yes, Delete.
The following table summarizes the available security group commands and corresponding API actions.

| Description | Command | API Action |
|---|---|---|
| Creates a security group. | | |
| Adds a rule to a security group. | | |
| Describes one or more of your security groups. | | |
| Modifies the security groups an instance is associated with. | | |
| Removes rules from a security group. | | |
| Deletes a security group. | | |