Create a Security Group Using Windows PowerShell
You can use the Amazon Tools for PowerShell to create and configure a security group. When you create a security group, you specify whether it is for EC2-Classic or EC2-VPC. The response is the ID of the security group.
If you need to connect to your instance, you must configure the security group to allow SSH traffic (Linux) or RDP traffic (Windows).
Prerequisites
You need the public IP address of your computer, in CIDR notation. You can get the
public IP address of your local computer using a service. For example, Amazon provides
the following service: http://checkip.amazonaws.com/
If you specify 0.0.0.0/0, you are enabling traffic from any IP
addresses in the world. For the SSH and RDP protocols, you might consider this
acceptable for a short time in a test environment, but it's unsafe for production
environments. In production, be sure to authorize access only from the appropriate
individual IP address or range of addresses.
Creating a Security Group for EC2-Classic
We are retiring EC2-Classic on August 15, 2022. We recommend that you migrate from EC2-Classic to a
VPC. For more information, see Migrate from EC2-Classic to a VPC in the
Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances. Also see the blog post EC2-Classic Networking is Retiring
– Here's How to Prepare
The following example uses the New-EC2SecurityGroup cmdlet to create a
security group for EC2-Classic.
PS >New-EC2SecurityGroup -GroupName myPSSecurityGroup -GroupDescription "EC2-Classic from PowerShell"sg-0a346530123456789
To view the initial configuration of the security group, use the
Get-EC2SecurityGroup cmdlet.
PS >Get-EC2SecurityGroup -GroupNames myPSSecurityGroupDescription : EC2-Classic from PowerShell GroupId : sg-0a346530123456789 GroupName : myPSSecurityGroup IpPermissions : {} IpPermissionsEgress : {Amazon.EC2.Model.IpPermission} OwnerId : 123456789012 Tags : {} VpcId : vpc-9668ddef
To configure the security group to allow inbound traffic on TCP port 22 (SSH) and TCP
port 3389, use the Grant-EC2SecurityGroupIngress cmdlet. For example, the
following example script shows how you could enable SSH traffic from a single IP
address, 203.0.113.25/32.
$cidrBlocks = New-Object 'collections.generic.list[string]' $cidrBlocks.add("203.0.113.25/32") $ipPermissions = New-Object Amazon.EC2.Model.IpPermission $ipPermissions.IpProtocol = "tcp" $ipPermissions.FromPort = 22 $ipPermissions.ToPort = 22 ipPermissions.IpRanges = $cidrBlocks Grant-EC2SecurityGroupIngress -GroupName myPSSecurityGroup -IpPermissions $ipPermissions
To verify the security group was updated, run the Get-EC2SecurityGroup
cmdlet again. Note that you can't specify an outbound rule for
EC2-Classic.
PS >Get-EC2SecurityGroup -GroupNames myPSSecurityGroupOwnerId : 123456789012 GroupName : myPSSecurityGroup GroupId : sg-0a346530123456789 Description : EC2-Classic from PowerShell IpPermissions : {Amazon.EC2.Model.IpPermission} IpPermissionsEgress : {} VpcId : Tags : {}
To view the security group rule, use the IpPermissions property.
PS >(Get-EC2SecurityGroup -GroupNames myPSSecurityGroup).IpPermissionsIpProtocol : tcp FromPort : 22 ToPort : 22 UserIdGroupPairs : {} IpRanges : {203.0.113.25/32}
Creating a Security Group for EC2-VPC
The following New-EC2SecurityGroup example adds the -VpcId
parameter to create a security group for the specified VPC.
PS >$groupid = New-EC2SecurityGroup ` -VpcId "vpc-da0013b3" ` -GroupName "myPSSecurityGroup" ` -GroupDescription "EC2-VPC from PowerShell"
To view the initial configuration of the security group, use the
Get-EC2SecurityGroup cmdlet. By default, the security group for a VPC
contains a rule that allows all outbound traffic. Notice that you can't reference a
security group for EC2-VPC by name.
PS >Get-EC2SecurityGroup -GroupId sg-5d293231OwnerId : 123456789012 GroupName : myPSSecurityGroup GroupId : sg-5d293231 Description : EC2-VPC from PowerShell IpPermissions : {} IpPermissionsEgress : {Amazon.EC2.Model.IpPermission} VpcId : vpc-da0013b3 Tags : {}
To define the permissions for inbound traffic on TCP port 22 (SSH) and TCP port 3389,
use the New-Object cmdlet. The following example script defines permissions
for TCP ports 22 and 3389 from a single IP address, 203.0.113.25/32.
$ip1 = new-object Amazon.EC2.Model.IpPermission $ip1.IpProtocol = "tcp" $ip1.FromPort = 22 $ip1.ToPort = 22 $ip1.IpRanges.Add("203.0.113.25/32") $ip2 = new-object Amazon.EC2.Model.IpPermission $ip2.IpProtocol = "tcp" $ip2.FromPort = 3389 $ip2.ToPort = 3389 $ip2.IpRanges.Add("203.0.113.25/32") Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip1, $ip2 )
To verify the security group has been updated, use the
Get-EC2SecurityGroup cmdlet again.
PS >Get-EC2SecurityGroup -GroupIds sg-5d293231OwnerId : 123456789012 GroupName : myPSSecurityGroup GroupId : sg-5d293231 Description : EC2-VPC from PowerShell IpPermissions : {Amazon.EC2.Model.IpPermission} IpPermissionsEgress : {Amazon.EC2.Model.IpPermission} VpcId : vpc-da0013b3 Tags : {}
To view the inbound rules, you can retrieve the IpPermissions property
from the collection object returned by the previous command.
PS >(Get-EC2SecurityGroup -GroupIds sg-5d293231).IpPermissionsIpProtocol : tcp FromPort : 22 ToPort : 22 UserIdGroupPairs : {} IpRanges : {203.0.113.25/32} IpProtocol : tcp FromPort : 3389 ToPort : 3389 UserIdGroupPairs : {} IpRanges : {203.0.113.25/32}