This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Creating, configuring, and deleting Amazon EC2 security groups in the Amazon CLI
You can create a security group for your Amazon Elastic Compute Cloud (Amazon EC2) instances that essentially operates as a firewall, with rules that determine what network traffic can enter and leave.
Use the Amazon Command Line Interface (Amazon CLI) to create a security group, add rules to existing security groups, and delete security groups.
Note
For additional command examples, see the Amazon CLI reference guide.
Prerequisites
To run the ec2 commands, you need to:
- Install and configure the Amazon CLI. For more information, see Installing, updating, and uninstalling the Amazon CLI and Authentication and access credentials for the Amazon CLI.
- Set your IAM permissions to allow for Amazon EC2 access. For more information about IAM permissions for Amazon EC2, see IAM policies for Amazon EC2 in the Amazon EC2 User Guide.
Create a security group
You can create security groups associated with virtual private clouds (VPCs).
The following aws ec2 create-security-group example shows how to create a security group for a specified VPC.
$ aws ec2 create-security-group --group-name my-sg --description "My security group" --vpc-id vpc-1a2b3c4d
{
    "GroupId": "sg-903004f8"
}
To view the initial information for a security group, run the aws ec2 describe-security-groups command. You can reference an EC2-VPC security group only by its vpc-id, not its name.
$ aws ec2 describe-security-groups --group-ids sg-903004f8
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": []
                }
            ],
            "Description": "My security group",
            "IpPermissions": [],
            "GroupName": "my-sg",
            "VpcId": "vpc-1a2b3c4d",
            "OwnerId": "123456789012",
            "GroupId": "sg-903004f8"
        }
    ]
}
Add rules to your security group
When you run an Amazon EC2 instance, you must enable rules in the security group to allow incoming network traffic for your means of connecting to the image.
For example, if you're launching a Windows instance, you typically add a rule to allow inbound traffic on TCP port 3389 to support Remote Desktop Protocol (RDP). If you're launching a Linux instance, you typically add a rule to allow inbound traffic on TCP port 22 to support SSH connections.
Use the aws ec2 authorize-security-group-ingress command to add a rule to your security group. A required parameter of this command is the public IP address of your computer, or the network (in the form of an address range) that your computer is attached to, in CIDR.
The following example shows how to add a rule for RDP (TCP port 3389) to an EC2-VPC security group with the ID sg-903004f8 using your IP address.
To start, find your IP address.
$ curl https://checkip.amazonaws.com
x.x.x.x
You can then add the IP address to your security group by running the aws ec2 authorize-security-group-ingress command.
$ aws ec2 authorize-security-group-ingress --group-id sg-903004f8 --protocol tcp --port 3389 --cidr x.x.x.x/x
The following command adds another rule to enable SSH to instances in the same security group.
$ aws ec2 authorize-security-group-ingress --group-id sg-903004f8 --protocol tcp --port 22 --cidr x.x.x.x/x
To view the changes to the security group, run the aws ec2 describe-security-groups command.
$ aws ec2 describe-security-groups --group-ids sg-903004f8
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": []
                }
            ],
            "Description": "My security group",
            "IpPermissions": [
                {
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "x.x.x.x/x"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "FromPort": 22
                }
            ],
            "GroupName": "my-sg",
            "OwnerId": "123456789012",
            "GroupId": "sg-903004f8"
        }
    ]
}
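As an added example that is not part of this guide, the following POSIX shell wrapper ties the checkip lookup and the authorize-security-group-ingress step together: it derives a single-host /32 CIDR from the address curl returns and refuses a world-open (0.0.0.0/0) rule on the SSH and RDP ports used above. The variable AWS_CLI and the functions is_ipv4, host_cidr, admin_rule_ok, authorize_admin_ingress and allow_ssh_from_self are names chosen here; setting AWS_CLI=echo dry-runs the command without credentials.

```shell
#!/bin/sh
# Added example, not from the AWS documentation. AWS_CLI can be set to a stub
# such as "echo" to dry-run the commands without credentials.
AWS_CLI="${AWS_CLI:-aws}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Turn the address printed by checkip.amazonaws.com into a single-host CIDR,
# so the rule never widens beyond the machine that ran the lookup.
host_cidr() {
    is_ipv4 "$1" || return 1
    printf '%s/32\n' "$1"
}

# The admin ports this page opens (SSH 22, RDP 3389) must not be world-open.
admin_rule_ok() {
    case "$1" in
        22|3389) [ "$2" != "0.0.0.0/0" ] && [ "$2" != "::/0" ] ;;
        *) return 0 ;;
    esac
}

# Add the ingress rule from the page, failing closed on a world-open admin port.
authorize_admin_ingress() {
    group_id=$1; port=$2; cidr=$3
    admin_rule_ok "$port" "$cidr" || {
        echo "refusing $cidr on port $port for $group_id" >&2; return 1; }
    "$AWS_CLI" ec2 authorize-security-group-ingress \
        --group-id "$group_id" --protocol tcp --port "$port" --cidr "$cidr"
}

# Look up the caller's public address and allow SSH from that host only.
allow_ssh_from_self() {
    my_ip=$(curl -s https://checkip.amazonaws.com) || return 1
    cidr=$(host_cidr "$my_ip") || return 1
    authorize_admin_ingress "$1" 22 "$cidr"
}
```

Run allow_ssh_from_self sg-903004f8 with real credentials, or AWS_CLI=echo to see the command it would issue.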
Delete your security group
To delete a security group, run the aws ec2 delete-security-group command.
Note
You can't delete a security group if it's currently attached to an environment.
The following command example deletes an EC2-VPC security group.
$ aws ec2 delete-security-group --group-id sg-903004f8
References
Amazon CLI reference:
Other reference:
- To view and contribute to Amazon SDK and Amazon CLI code examples, see the Amazon Code Examples Repository on GitHub.