Change the security groups for your Amazon EC2 instance - Amazon Elastic Compute Cloud

Change the security groups for your Amazon EC2 instance

You can specify security groups for your Amazon EC2 instances when you launch them. After you launch an instance, you can add or remove security groups. You can also add, remove, or edit security group rules for associated security groups at any time.

Security groups are associated with network interfaces. Adding or removing security groups changes the security groups associated with the primary network interface. You can also change the security groups associated with any secondary network interfaces. For more information, see Modify network interface attributes.

Add or remove security groups

After you launch an instance, you can add or remove security groups from the list of associated security groups. When you associate multiple security groups with an instance, the rules from each security group are effectively aggregated to create one set of rules. Amazon EC2 uses this set of rules to determine whether to allow traffic.

Requirements
  • The instance must be in the running or stopped state.

  • A security group is specific to a VPC. You can associate a security group with one or more instances.

To change the security groups for an instance using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select your instance, and then choose Actions, Security, Change security groups.

  4. For Associated security groups, select a security group from the list and choose Add security group.

    To remove an already associated security group, choose Remove for that security group.

  5. Choose Save.

To change the security groups for an instance using the command line

Configure security group rules

After you create a security group, you can add, update, and delete its security group rules. When you add, update, or delete a rule, the change is automatically applied to the resources that are associated with the security group.

For examples of rules that you can add to a security group, see Security group rules for different use cases.

Sources and destinations

You can specify the following as sources for inbound rules or destinations for outbound rules.

  • Custom – An IPv4 CIDR block, an IPv6 CIDR block, another security group, or a prefix list.

  • Anywhere-IPv4 – The 0.0.0.0/0 IPv4 CIDR block.

  • Anywhere-IPv6 – The ::/0 IPv6 CIDR block.

  • My IP – The public IPv4 address of your local computer.

Warning

If you add inbound rules for ports 22 (SSH) or 3389 (RDP), we strongly recommend that you authorize only the specific IP address or range of addresses that need access to your instances. If you choose Anywhere-IPv4, you allow traffic from all IPv4 addresses to access your instances using the specified protocol. If you choose Anywhere-IPv6, you allow traffic from all IPv6 addresses to access your instances using the specified protocol.
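The following Python is an added example, not code from the AWS documentation. It shows two things the text above describes but does not demonstrate: how the rules of several security groups attached to one instance are aggregated into a single allow-list (a packet is permitted if any rule in any group matches, and denied otherwise), and how to audit that aggregated list for the SSH and RDP exposures to 0.0.0.0/0 and ::/0 that the warning recommends against. The sample groups are constructed and only mirror the shape of `aws ec2 describe-security-groups` output (GroupId, IpPermissions); the group IDs are placeholders.

```python
"""Added example: aggregate inbound security group rules and audit for open admin ports.
Not AWS code. Sample data is constructed in describe-security-groups shape."""
import ipaddress

# Constructed sample: two groups associated with the same instance (ids are placeholders).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example0web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0example0admin",
        "IpMissions" if False else "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def _cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR source of one IpPermissions entry."""
    yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))


def aggregate_inbound(groups):
    """Flatten all groups into one list of (group_id, proto, from_port, to_port, network).

    This is the union EC2 evaluates for an instance: the groups are not checked
    in order or with precedence, every rule simply adds to the allow-list.
    Protocol "-1" (all traffic) carries no port keys, so it covers 0-65535."""
    rules = []
    for g in groups:
        for perm in g["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo = 0 if proto == "-1" else perm.get("FromPort", 0)
            hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
            for cidr in _cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                rules.append((g["GroupId"], proto, lo, hi, net))
    return rules


def is_allowed(groups, proto, port, src_ip):
    """Security groups are allow-lists only: no matching rule means the packet is dropped."""
    src = ipaddress.ip_address(src_ip)
    for _gid, rproto, lo, hi, net in aggregate_inbound(groups):
        if rproto not in ("-1", proto):
            continue
        if src not in net:  # ip_network handles the v4/v6 mismatch as "not contained"
            continue
        if lo <= port <= hi:
            return True
    return False


OPEN_WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def find_open_admin_ports(groups):
    """Return (group_id, port, service, cidr) for every rule that exposes SSH or RDP
    to Anywhere-IPv4 or Anywhere-IPv6, including rules whose port range merely spans them."""
    findings = []
    for gid, rproto, lo, hi, net in aggregate_inbound(groups):
        if net not in OPEN_WORLD or rproto not in ("-1", "tcp"):
            continue
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.append((gid, port, name, str(net)))
    return findings


if __name__ == "__main__":
    print("HTTPS from 198.51.100.7:", is_allowed(SAMPLE_GROUPS, "tcp", 443, "198.51.100.7"))
    print("SSH from 198.51.100.7:", is_allowed(SAMPLE_GROUPS, "tcp", 22, "198.51.100.7"))
    for finding in find_open_admin_ports(SAMPLE_GROUPS):
        print("open admin port:", finding)
```

Run against real output by replacing `SAMPLE_GROUPS` with the `SecurityGroups` list from `aws ec2 describe-security-groups`. The audit deliberately flags a wide port range (for example 0-65535 or protocol -1) that happens to include 22 or 3389, since such a rule exposes the service just as an explicit rule would.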

To configure security group rules using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group.

  4. To edit the inbound rules, choose Edit inbound rules from Actions or the Inbound rules tab.

    1. To add a rule, choose Add rule and enter the type, protocol, port, and source for the rule.

      If the type is TCP or UDP, you must enter the port range to allow. For custom ICMP, you must choose the ICMP type name from Protocol, and, if applicable, the code name from Port range. For any other type, the protocol and port range are configured for you.

    2. To update a rule, change its protocol, description, and source as needed. However, you can't change the source type. For example, if the source is an IPv4 CIDR block, you can't specify an IPv6 CIDR block, a prefix list, or a security group.

    3. To delete a rule, choose its Delete button.

  5. To edit the outbound rules, choose Edit outbound rules from Actions or the Outbound rules tab.

    1. To add a rule, choose Add rule and enter the type, protocol, port, and destination for the rule. You can also enter an optional description.

      If the type is TCP or UDP, you must enter the port range to allow. For custom ICMP, you must choose the ICMP type name from Protocol, and, if applicable, the code name from Port range. For any other type, the protocol and port range are configured for you.

    2. To update a rule, change its protocol, description, and source as needed. However, you can't change the source type. For example, if the source is an IPv4 CIDR block, you can't specify an IPv6 CIDR block, a prefix list, or a security group.

    3. To delete a rule, choose its Delete button.

  6. Choose Save rules.
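The console procedure above edits rules one at a time, and step 4b notes that a rule's source type cannot be changed in place. The following Python is an added example, not AWS code, of how a rules-as-code workflow handles the same task: it compares a security group's current inbound rules with a desired set and produces the list of rules to authorize and to revoke. A change of source type (here, SSH moving from a CIDR block to a security group) therefore appears as one revoke plus one authorize, which is exactly how it must be applied. The current rules are a constructed sample in the `IpPermissions` shape returned by `describe-security-groups`; `to_ip_permission` converts a planned rule back into that shape, which is the structure `authorize-security-group-ingress` and `revoke-security-group-ingress` accept through `--ip-permissions`. The security group ID used as a source is a placeholder.

```python
"""Added example: plan authorize/revoke changes between current and desired inbound rules.
Not AWS code. CURRENT is a constructed sample; the bastion group id is a placeholder."""
import json

# Constructed sample of a group's current inbound rules (describe-security-groups shape).
CURRENT = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": [], "PrefixListIds": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": [], "PrefixListIds": []},
]

# Desired state as (protocol, from_port, to_port, source_kind, source).
DESIRED = [
    ("tcp", 22, 22, "sg", "sg-0bastion0placeholder"),  # SSH only from the bastion group
    ("tcp", 443, 443, "cidr", "0.0.0.0/0"),
    ("tcp", 443, 443, "cidr6", "::/0"),
]

# Maps a source kind to the IpPermissions list name and the key inside each entry.
SOURCE_FIELDS = {
    "cidr": ("IpRanges", "CidrIp"),
    "cidr6": ("Ipv6Ranges", "CidrIpv6"),
    "sg": ("UserIdGroupPairs", "GroupId"),
    "pl": ("PrefixListIds", "PrefixListId"),
}


def flatten(perms):
    """One key per (protocol, from, to, source_kind, source).

    An IpPermissions entry can carry several sources; splitting them makes the
    source type part of the identity, mirroring the console rule that a source
    type cannot be edited in place. Protocol -1 has no port keys, stored as -1."""
    keys = set()
    for p in perms:
        base = (p["IpProtocol"], p.get("FromPort", -1), p.get("ToPort", -1))
        for kind, (list_name, key_name) in SOURCE_FIELDS.items():
            for entry in p.get(list_name, []):
                keys.add(base + (kind, entry[key_name]))
    return keys


def plan(current_perms, desired_keys):
    """Return (to_authorize, to_revoke) as sorted lists of rule keys."""
    cur = flatten(current_perms)
    want = set(desired_keys)
    return sorted(want - cur), sorted(cur - want)


def to_ip_permission(key):
    """Convert a rule key back into one IpPermissions entry."""
    proto, lo, hi, kind, src = key
    perm = {"IpProtocol": proto}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = lo, hi
    list_name, key_name = SOURCE_FIELDS[kind]
    perm[list_name] = [{key_name: src}]
    return perm


if __name__ == "__main__":
    to_add, to_revoke = plan(CURRENT, DESIRED)
    # Revoke first so the instance is never left with both the old and new SSH source.
    print("revoke:", json.dumps([to_ip_permission(k) for k in to_revoke]))
    print("authorize:", json.dumps([to_ip_permission(k) for k in to_add]))
```

Applying the plan revokes the SSH-from-anywhere rule and authorizes SSH from the bastion group in two calls; the HTTPS IPv4 rule is untouched because it already matches, and only the IPv6 HTTPS rule is added. Reviewing `to_revoke` before applying is the useful safety step: an empty desired list would otherwise revoke everything.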

To configure security group rules using the Amazon CLI