Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.
Work with security groups
You can assign a security group to an instance when you launch the instance. When
you add or remove rules, those changes are automatically applied to all instances to
which you've assigned the security group. For more information, see Assign a security group to an instance.
After you launch an instance, you can change its security groups.
For more information, see Change an instance's security group.
You can create, view, update, and delete security groups and security group rules
using the Amazon EC2 console and the command line tools.
Create a security group
Although you can use the default security group for your instances, you might want
to create your own groups to reflect the different roles that instances play in your
system.
By default, new security groups start with only an outbound rule that allows all
traffic to leave the instances. You must add rules to enable any inbound traffic or
to restrict the outbound traffic.
A security group can be used only in the VPC for which it is created.
- New console
  To create a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Choose Create security group.
  - In the Basic details section, do the following.
    - Enter a descriptive name and brief description for the security group. They can't be edited after the security group is created. The name and description can be up to 255 characters long. The valid characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.
    - For VPC, choose the VPC.
  - You can add security group rules now, or you can add them later. For more information, see Add rules to a security group.
  - You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.
  - Choose Create security group.
- Old console
  To create a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Choose Create Security Group.
  - Specify a name and description for the security group.
  - For VPC, choose the ID of the VPC.
  - You can start adding rules, or you can choose Create to create the security group now (you can always add rules later). For more information about adding rules, see Add rules to a security group.
- Command line
  To create a security group
  Use one of the following commands:
Copy a security group
You can create a new security group by creating a copy of an existing one. When you copy a security group, the
copy is created with the same inbound and outbound rules as the original security group. If the original security
group is in a VPC, the copy is created in the same VPC unless you specify a different one.
The copy receives a new unique security group ID and you must give it a name. You can also
add a description.
You can't copy a security group from one Region to another Region.
You can create a copy of a security group using one of the following methods.
- New console
  To copy a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group to copy and choose Actions, Copy to new security group.
  - Specify a name and optional description, and change the VPC and security group rules if needed.
  - Choose Create.
- Old console
  To copy a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group you want to copy, choose Actions, Copy to new.
  - The Create Security Group dialog opens, and is populated with the rules from the existing security group. Specify a name and description for your new security group. For VPC, choose the ID of the VPC. When you are done, choose Create.
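The copy procedure on this page is console-only. The following added Python example (not code from the Amazon EC2 documentation) builds the same result from one entry of describe-security-groups output: the copy gets the original's inbound and outbound rules, a new name, and the same VPC unless another one is given. It also enforces the name and description limits stated under Create a security group, and it handles the point made there that a new group starts with an allow-all outbound rule, which must be revoked before the original's explicit outbound rules are installed or the copy ends up more permissive than the original. The API call names are the boto3 methods create_security_group, authorize_security_group_ingress, revoke_security_group_egress and authorize_security_group_egress; the sample group, its IDs and the account number are constructed, and the functions only build request parameters, so the block runs offline.

```python
import re

# Limits the documentation states for the name and description:
# up to 255 characters from a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
MAX_LEN = 255
ALLOWED = re.compile(r"^[A-Za-z0-9 ._\-:/()#,@\[\]+=&;{}!$*]+$")

# The single outbound rule every new security group starts with (allow all).
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

# Constructed sample in the shape of one describe-security-groups entry
# (IDs and account number are made up).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "Description": "HTTPS from the load balancer",
    "VpcId": "vpc-0abc",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "123456789012"}],
    }],
    "IpPermissionsEgress": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        "PrefixListIds": [], "UserIdGroupPairs": [],
    }],
}


def validate_text(value, field):
    """Raise ValueError if `value` breaks the documented limits; return it otherwise."""
    if not 1 <= len(value) <= MAX_LEN:
        raise ValueError(f"{field} must be 1 to {MAX_LEN} characters, got {len(value)}")
    if not ALLOWED.match(value):
        raise ValueError(f"{field} contains characters outside the allowed set")
    return value


def is_default_egress(rules):
    """True if `rules` is exactly the allow-all outbound rule a new group gets."""
    if len(rules) != 1:
        return False
    r = rules[0]
    return (r.get("IpProtocol") == "-1"
            and [x["CidrIp"] for x in r.get("IpRanges", [])] == ["0.0.0.0/0"]
            and not r.get("Ipv6Ranges") and not r.get("UserIdGroupPairs")
            and not r.get("PrefixListIds"))


def plan_create(name, description, vpc_id, ingress=(), egress=None):
    """Ordered (api_call, params) pairs that create a group with these rules.
    `egress=None` keeps the default allow-all outbound rule. The new group's ID
    is only known after the first call, so it is left as a placeholder."""
    validate_text(name, "GroupName")
    validate_text(description, "Description")
    new_id = "<id returned by create_security_group>"
    steps = [("create_security_group",
              {"GroupName": name, "Description": description, "VpcId": vpc_id})]
    if ingress:
        steps.append(("authorize_security_group_ingress",
                      {"GroupId": new_id, "IpPermissions": list(ingress)}))
    if egress is not None and not is_default_egress(egress):
        # Drop the default allow-all rule first, then install the explicit list;
        # otherwise the copy would be more permissive than the original.
        steps.append(("revoke_security_group_egress",
                      {"GroupId": new_id, "IpPermissions": [DEFAULT_EGRESS]}))
        steps.append(("authorize_security_group_egress",
                      {"GroupId": new_id, "IpPermissions": list(egress)}))
    return steps


def plan_copy(original, name, description=None, vpc_id=None):
    """Plan a copy of `original`: same inbound and outbound rules, a new name,
    and the same VPC unless `vpc_id` is given."""
    return plan_create(name,
                       description if description is not None else original["Description"],
                       vpc_id or original["VpcId"],
                       ingress=original["IpPermissions"],
                       egress=original["IpPermissionsEgress"])


if __name__ == "__main__":
    for call, params in plan_copy(SAMPLE_GROUP, "web-tier-copy"):
        print(call, params)
```

The plan is a list rather than a set of live calls so it can be reviewed (or diffed against the original group) before anything is changed; the same ordering applies when you script the copy with the AWS CLI instead of boto3.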
View your security groups
You can view information about your security groups using one of the following methods.
- New console
  To view your security groups
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Your security groups are listed. To view the details for a specific security group, including its inbound and outbound rules, choose its ID in the Security group ID column.
- Old console
  To view your security groups
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - (Optional) Select VPC ID from the filter list, then choose the ID of the VPC.
  - Select a security group. General information is displayed on the Description tab, inbound rules on the Inbound tab, outbound rules on the Outbound tab, and tags on the Tags tab.
- Command line
  To view your security groups
  Use one of the following commands.
- Amazon EC2 Global View
  You can use Amazon EC2 Global View to view your security groups across all Regions for which your Amazon account is enabled. For more information, see List and filter resources across Regions using Amazon EC2 Global View.
Add rules to a security group
When you add a rule to a security group, the new rule is automatically applied to any
instances that are associated with the security group. There might be a short delay
before the rule is applied. For more information, see Security group rules for different use
cases and Security group rules.
- New console
  To add an inbound rule to a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group, and choose Actions, Edit inbound rules.
  - For each rule, choose Add rule and do the following.
    - For Type, choose the type of protocol to allow.
      - For custom TCP or UDP, you must enter the port range to allow.
      - For custom ICMP, you must choose the ICMP type from Protocol, and, if applicable, the code from Port range. For example, to allow ping commands, choose Echo Request from Protocol.
      - For any other type, the protocol and port range are configured for you.
    - For Source, do one of the following to allow traffic.
      - Choose Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list.
      - Choose Anywhere to allow all traffic for the specified protocol to reach your instance. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. If your security group is in a VPC that's enabled for IPv6, this option automatically adds a rule for the ::/0 IPv6 CIDR block. If you choose Anywhere, you enable all IPv4 and IPv6 addresses to access your instance using the specified protocol. If you are adding rules for ports 22 (SSH) or 3389 (RDP), you should authorize only a specific IP address or range of addresses to access your instance.
      - Choose My IP to allow inbound traffic from only your local computer's public IPv4 address.
    - For Description, optionally specify a brief description for the rule.
  - Choose Preview changes, Save rules.
  To add an outbound rule to a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group, and choose Actions, Edit outbound rules.
  - For each rule, choose Add rule and do the following.
    - For Type, choose the type of protocol to allow.
      - For custom TCP or UDP, you must enter the port range to allow.
      - For custom ICMP, you must choose the ICMP type from Protocol, and, if applicable, the code from Port range.
      - For any other type, the protocol and port range are configured automatically.
    - For Destination, do one of the following.
      - Choose Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list for which to allow outbound traffic.
      - Choose Anywhere to allow outbound traffic to all IP addresses. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the destination. If your security group is in a VPC that's enabled for IPv6, this option automatically adds a rule for the ::/0 IPv6 CIDR block.
      - Choose My IP to allow outbound traffic only to your local computer's public IPv4 address.
    - (Optional) For Description, specify a brief description for the rule.
  - Choose Preview changes, Confirm.
- Old console
  To add rules to a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups and select the security group.
  - On the Inbound tab, choose Edit.
  - In the dialog, choose Add Rule and do the following:
    - For Type, select the protocol.
      - If you select a custom TCP or UDP protocol, specify the port range in Port Range.
      - If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range. For example, to allow ping commands, choose Echo Request from Protocol.
    - For Source, choose one of the following:
      - Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.
      - Anywhere: allows all traffic for the specified protocol to reach your instance. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. If your security group is in a VPC that's enabled for IPv6, this option automatically adds a rule for the ::/0 IPv6 CIDR block. If you choose Anywhere, you enable all IPv4 and IPv6 addresses to access your instance using the specified protocol. If you are adding rules for ports 22 (SSH) or 3389 (RDP), you should authorize only a specific IP address or range of addresses to access your instance.
      - My IP: automatically adds the public IPv4 address of your local computer.
    - For Description, you can optionally specify a description for the rule.
    For more information about the types of rules that you can add, see Security group rules for different use cases.
  - Choose Save.
  - You can also specify outbound rules. On the Outbound tab, choose Edit, Add Rule, and do the following:
    - For Type, select the protocol.
      - If you select a custom TCP or UDP protocol, specify the port range in Port Range.
      - If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range.
    - For Destination, choose one of the following:
      - Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.
      - Anywhere: automatically adds the 0.0.0.0/0 IPv4 CIDR block. This option enables outbound traffic to all IP addresses. If your security group is in a VPC that's enabled for IPv6, the Anywhere option creates two rules: one for IPv4 traffic (0.0.0.0/0) and one for IPv6 traffic (::/0).
      - My IP: automatically adds the IP address of your local computer.
    - For Description, you can optionally specify a description for the rule.
  - Choose Save.
- Command line
  To add rules to a security group
  Use one of the following commands.
  To add one or more egress rules to a security group
  Use one of the following commands.
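The procedures above warn against choosing Anywhere as the source for port 22 (SSH) or 3389 (RDP). The following added Python example (not code from the Amazon EC2 documentation) is the check a reviewer would run over existing groups: it reads the SecurityGroups list in the shape that describe-security-groups returns (boto3's describe_security_groups returns the same structure), reports every inbound rule that lets either port be reached from 0.0.0.0/0 or ::/0, including all-traffic rules and port ranges that cover them, and builds the revoke_security_group_ingress parameters that remove only the offending source while leaving specific sources in the same rule in place. The sample groups and IDs are constructed, so the block runs offline.

```python
# Sources the console's "Anywhere" option adds, and the ports the
# documentation says should be opened only to specific addresses.
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "VpcId": "vpc-0123",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"},
                       {"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": [], "PrefixListIds": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "all-open", "VpcId": "vpc-0123",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "web", "VpcId": "vpc-0123",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "rdp-admin", "VpcId": "vpc-0123",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "198.51.100.10/32"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}]},
]


def rule_ports(permission):
    """Ports a permission covers; None means every port (protocol "-1")."""
    if permission.get("IpProtocol") == "-1":
        return None
    return range(permission["FromPort"], permission["ToPort"] + 1)


def anywhere_sources(permission):
    """CIDR sources of this permission that are the "Anywhere" blocks."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def revoke_params(group_id, permission, cidr):
    """Parameters for revoke_security_group_ingress that remove only `cidr`
    from the rule; other sources listed in the same rule stay in place."""
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    perm = {"IpProtocol": permission["IpProtocol"], key: [{field: cidr}]}
    if permission["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = permission["FromPort"], permission["ToPort"]
    return {"GroupId": group_id, "IpPermissions": [perm]}


def find_exposed_admin_ports(groups):
    """One finding per (group, Anywhere source, admin port) that is reachable."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("-1", "tcp"):
                continue  # SSH and RDP are TCP services; UDP/ICMP rules cannot expose them
            ports = rule_ports(perm)
            for cidr in anywhere_sources(perm):
                for port, service in ADMIN_PORTS.items():
                    if ports is None or port in ports:
                        findings.append({
                            "GroupId": group["GroupId"], "GroupName": group["GroupName"],
                            "Port": port, "Service": service, "Source": cidr,
                            "Revoke": revoke_params(group["GroupId"], perm, cidr),
                        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Service']} port {f['Port']} open to {f['Source']}")
```

Feeding the real output of describe-security-groups (for example via json.load on the saved command output) into find_exposed_admin_ports gives the same report for an account; the Revoke parameters are a plan to review, not something the block applies.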
Update security group rules
You can update a security group rule using one of the following methods. The updated rule is automatically applied to any
instances that are associated with the security group.
- New console
  When you modify the protocol, port range, or source or destination of an existing security group rule using the console, the console deletes the existing rule and adds a new one for you.
  To update a security group rule
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group.
  - Choose Actions, Edit inbound rules to update a rule for inbound traffic or Actions, Edit outbound rules to update a rule for outbound traffic.
  - Update the rule as required.
  - Choose Preview changes, Confirm.
  To tag a security group rule
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group.
  - On the Inbound rules or Outbound rules tab, select the check box for the rule and then choose Manage tags.
  - The Manage tags page displays any tags that are assigned to the rule. To add a tag, choose Add tag and enter the tag key and value. To delete a tag, choose Remove next to the tag that you want to delete.
  - Choose Save changes.
- Old console
  When you modify the protocol, port range, or source or destination of an existing security group rule using the console, the console deletes the existing rule and adds a new one for you.
  To update a security group rule
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group to update, and choose the Inbound tab to update a rule for inbound traffic or the Outbound tab to update a rule for outbound traffic.
  - Choose Edit.
  - Modify the rule entry as required and choose Save.
- Command line
  You cannot modify the protocol, port range, or source or destination of an existing rule using the Amazon EC2 API or the command line tools. Instead, you must delete the existing rule and add a new rule. You can, however, update the description of an existing rule.
  To update a rule
  Use one of the following commands.
  To update the description for an existing inbound rule
  Use one of the following commands.
  To update the description for an existing outbound rule
  Use one of the following commands.
  To tag a security group rule
  Use one of the following commands.
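The command line note above is the part that trips up automation: the API has no "modify rule" call, so a script has to decide whether a requested change is a description-only update or a delete-and-add. The following added Python example (not code from the Amazon EC2 documentation) makes that decision for one rule. It compares the fields that identify a rule (protocol, ports, sources) and ignores descriptions; an identical rule with a changed description becomes a single update_security_group_rule_descriptions_ingress (or _egress) call, and any other change becomes a revoke followed by an authorize. The call names are the boto3 methods; the group ID and rules are constructed, and the function only builds request parameters, so the block runs offline.

```python
# Constructed sample: an existing inbound rule as listed by
# describe-security-groups, and two candidate replacements for it.
GROUP_ID = "sg-0123456789abcdef0"
OLD_RULE = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}],
            "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}
NARROWED_RULE = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}
RELABELLED_RULE = {**OLD_RULE,
                   "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "remove by Friday"}]}


def rule_identity(perm):
    """The fields that identify a rule to the API; descriptions are excluded on purpose."""
    return (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"),
            tuple(sorted(r["CidrIp"] for r in perm.get("IpRanges", []))),
            tuple(sorted(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))),
            tuple(sorted(r["GroupId"] for r in perm.get("UserIdGroupPairs", []))),
            tuple(sorted(r["PrefixListId"] for r in perm.get("PrefixListIds", []))))


def rule_descriptions(perm):
    """Descriptions attached to each source or destination entry of the rule."""
    out = []
    for key in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds"):
        out += [(key, r.get("Description", "")) for r in perm.get(key, [])]
    return out


def plan_rule_update(group_id, old, new, egress=False):
    """Ordered (api_call, params) pairs that turn `old` into `new`.
    Returns [] when nothing differs, one description update when only the
    descriptions differ, and revoke + authorize for any other change."""
    direction = "egress" if egress else "ingress"
    if rule_identity(old) == rule_identity(new):
        if rule_descriptions(old) == rule_descriptions(new):
            return []
        return [(f"update_security_group_rule_descriptions_{direction}",
                 {"GroupId": group_id, "IpPermissions": [new]})]
    # The API cannot edit a rule in place: remove the old one, then add the new one.
    return [(f"revoke_security_group_{direction}", {"GroupId": group_id, "IpPermissions": [old]}),
            (f"authorize_security_group_{direction}", {"GroupId": group_id, "IpPermissions": [new]})]


if __name__ == "__main__":
    for call, params in plan_rule_update(GROUP_ID, OLD_RULE, NARROWED_RULE):
        print(call, params)
```

The plan revokes before it authorizes, which is the safe order when the change tightens a rule (there is no moment when the old, broader rule and the new one are both present). If the change must not interrupt traffic that the new rule still allows, apply the authorize step first and the revoke step second, accepting a short period in which both rules apply.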
Delete rules from a security group
When you delete a rule from a security group, the change is automatically applied to any
instances associated with the security group.
You can delete rules from a security group using one of the following methods.
- New console
  To delete a security group rule
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group to update, choose Actions, and then choose Edit inbound rules to remove an inbound rule or Edit outbound rules to remove an outbound rule.
  - Choose the Delete button to the right of the rule to delete.
  - Choose Preview changes, Confirm.
- Old console
  To delete a security group rule
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select a security group.
  - On the Inbound tab (for inbound rules) or Outbound tab (for outbound rules), choose Edit. Choose Delete (a cross icon) next to each rule to delete.
  - Choose Save.
- Command line
  To remove one or more ingress rules from a security group
  Use one of the following commands.
  To remove one or more egress rules from a security group
  Use one of the following commands.
Delete a security group
You can't delete a security group that is associated with an instance. You can't
delete the default security group. You can't delete a security group that is
referenced by a rule in another security group in the same VPC. If your security
group is referenced by one of its own rules, you must delete the rule before you can
delete the security group.
- New console
  To delete a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select the security group to delete and choose Actions, Delete security group, Delete.
- Old console
  To delete a security group
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Security Groups.
  - Select a security group and choose Actions, Delete Security Group.
  - Choose Yes, Delete.
- Command line
  To delete a security group
  Use one of the following commands.
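The preconditions listed at the start of this section are what a delete call fails on. The following added Python example (not code from the Amazon EC2 documentation) checks them ahead of time from describe-security-groups and describe-instances output: the group must not be the default group, must not be associated with an instance, and must not be referenced by a rule in another group in the same VPC; a rule that references the group itself is reported separately, since that rule has to be deleted first. The instance list is assumed to be the Instances entries of describe-instances flattened into one list; the group and instance IDs, names and account number are constructed, and plan_delete only returns the delete_security_group parameters (boto3 name), so the block runs offline.

```python
# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0def", "GroupName": "default", "VpcId": "vpc-0123",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0lb", "GroupName": "load-balancer", "VpcId": "vpc-0123",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0web", "GroupName": "web-tier", "VpcId": "vpc-0123",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0lb", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0clu", "GroupName": "cluster", "VpcId": "vpc-0123",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0clu", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0old", "GroupName": "unused", "VpcId": "vpc-0123",
     "IpPermissions": [], "IpPermissionsEgress": []},
]

# Constructed sample: the Instances entries of describe-instances output, flattened.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-0web", "GroupName": "web-tier"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "terminated"},
     "SecurityGroups": [{"GroupId": "sg-0old", "GroupName": "unused"}]},
]


def referenced_group_ids(permissions):
    """Security group IDs that appear as a source or destination in these rules."""
    return {pair["GroupId"] for perm in permissions for pair in perm.get("UserIdGroupPairs", [])}


def deletion_blockers(group_id, groups, instances):
    """Reasons `group_id` cannot be deleted yet (an empty list means it can)."""
    by_id = {g["GroupId"]: g for g in groups}
    target = by_id[group_id]
    reasons = []
    if target["GroupName"] == "default":
        reasons.append("it is the default security group")
    # Terminated instances no longer hold the group; every other state counts.
    attached = [i["InstanceId"] for i in instances
                if i.get("State", {}).get("Name") != "terminated"
                and any(sg["GroupId"] == group_id for sg in i.get("SecurityGroups", []))]
    if attached:
        reasons.append("it is associated with instances: " + ", ".join(attached))
    for g in groups:
        if g["VpcId"] != target["VpcId"]:
            continue
        if group_id in referenced_group_ids(g["IpPermissions"] + g["IpPermissionsEgress"]):
            if g["GroupId"] == group_id:
                reasons.append("one of its own rules references it; delete that rule first")
            else:
                reasons.append(f"a rule in {g['GroupId']} ({g['GroupName']}) references it")
    return reasons


def plan_delete(group_id, groups, instances):
    """Return the delete_security_group parameters, or raise listing the blockers."""
    blockers = deletion_blockers(group_id, groups, instances)
    if blockers:
        raise RuntimeError(f"cannot delete {group_id}: " + "; ".join(blockers))
    return {"GroupId": group_id}


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["GroupId"], deletion_blockers(g["GroupId"], SAMPLE_GROUPS, SAMPLE_INSTANCES) or "can be deleted")
```

Running the check before the delete call turns an opaque API error into the list of rules and instances to clean up first, which is also a useful inventory when retiring a group that has accumulated references over time.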
Assign a security group to an instance
You can assign one or more security groups to an instance when you launch the instance. You
can also specify one or more security groups in a launch template. The security
groups will be assigned to all instances that are launched using the launch
template.
Change an instance's security group
After you launch an instance, you can change its security groups by adding or removing security groups. You can change the security groups when the instance is in the running or stopped state.
- New console
  To change the security groups for an instance using the console
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Instances.
  - Select your instance, and then choose Actions, Security, Change security groups.
  - For Associated security groups, select a security group from the list and choose Add security group. To remove an already associated security group, choose Remove for that security group.
  - Choose Save.
- Old console
  To change the security groups for an instance using the console
  - Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
  - In the navigation pane, choose Instances.
  - Select your instance, and then choose Actions, Networking, Change Security Groups.
  - To add one or more security groups, select the check box for each group. To remove an already associated security group, clear its check box.
  - Choose Assign Security Groups.
- Command line
  To change the security groups for an instance using the command line
  Use one of the following commands.