100

I have an Amazon EC2 instance running and I would like to add another security group to that instance and then remove the current security group from that instance. Is this possible?

Geo
  • Just to add a few more bits of information. We have two instances joined to two security groups. We want to separate this and dedicate a security group per instance. – Geo Jul 07 '09 at 15:25

10 Answers

105

Update: As of January 2014, you can now change security groups for running AWS EC2 instances.

AWS Console

Simply right-click on an instance, and click on Change Security Group

Add/remove security groups as appropriate and click Assign Security Groups when done


EC2 Command Line

Use the following command:

ec2-modify-instance-attribute <instance-id> --group-id <group-id>

AWS Command Line

Use the following command:

aws ec2 modify-instance-attribute --instance-id i-12345 --groups sg-12345 sg-67890

Note, you must specify all security groups with which you'd like the instance associated.

Kacper Cichecki
hanxue
  • 5
    The "Change Security Groups" option is present in the menu but disabled. I'm using region ap-southeast-2. – Alastair Irvine Jan 30 '14 at 08:45
  • 4
    This currently only applies to VPC instances. The security groups that a non-VPC instance belongs to are fixed / immutable and are set when it's first launched. The only way to change them is to create a bundle from the existing instance and re-launch a new instance using the bundled AMI. – ives Apr 09 '14 at 21:36
  • 2
    What if my newly created security group isn't listed in the `Change Security Groups` modal? – 2540625 Dec 08 '15 at 00:02
  • This option may only be available inside of a VPC. Older AWS accounts that were created pre-vpc and have instances running in EC2 classic mode will not be able to take advantage of this. – cgseller Mar 15 '16 at 19:48
  • It is confusing that the CLI doesn't use comma-separated lists as in many other places. – user67327 Jul 16 '19 at 14:18
  • Hey important note: the AWS CLI command listed will ***replace all groups*** with what is specified in the command. I basically just wiped out virtually all of the SGs across a vast swath of my infra. – Sammitch Dec 18 '20 at 00:08
58

Update 2015-02-27:

This is now possible, see the answer below.

Old reply:

Amazon's FAQ says it's not possible to define a security group anywhere but at launch time.

towo
8

It is now possible to do this. Click on the actions menu and Change Security Groups - Select the Security Groups you would like to use.

Dan Fried
user193616
5
  1. Create an AMI image from the instance you want to move to a different security group.
  2. Launch a new instance using that image; now we can assign this new instance to a different security group.
  3. Discard the previous instance.

This requires downtime on your instance. There may be some other options available using the API.

Rajan
5

As towo said, you can't change a security group of an instance anywhere but launch time.

Unless you are using a VPC where security groups differ from EC2 security groups.

This page outlines the differences between EC2 and VPC security groups.

http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

So if you require the extra functionality of the VPC groups (changing groups, controlling ingress/egress traffic, etc.), you may want to look at the additional functionality provided by VPCs.

idiom
  • Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Scott Pack Nov 21 '12 at 00:55
1

If you are using boto3 you need to call modify_attribute and pass a list of group ids

http://boto3.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Instance.modify_attribute

response = instance.modify_attribute(Groups=['string'])

Groups (list) --
  [EC2-VPC] Changes the security groups of the instance. You must 
  specify at least one security group, even if it's just the default 
  security group for the VPC. You must specify the security group ID,
  not the security group name.
James Morgan
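
Added example (not part of any answer on this page, and not AWS's own code): both the CLI `--groups` option and boto3's `modify_attribute(Groups=...)` replace the instance's whole group set, so this example reads the attached groups first and computes the complete list to send. `plan_group_swap`, `swap_security_groups` and the sample `sg-` IDs are names assumed for illustration; it assumes a VPC instance and configured boto3 credentials.

```python
MAX_GROUPS = 5  # per-interface limit quoted on this page; AWS Support can change it


def plan_group_swap(current, add=(), remove=(), limit=MAX_GROUPS):
    """Return the complete group-ID list to send; the API replaces the whole set."""
    for gid in [*add, *remove]:
        if not gid.startswith("sg-"):
            raise ValueError(f"{gid!r} is not a security group ID")
    if set(add) & set(remove):
        raise ValueError("a group cannot be both added and removed")
    not_attached = [g for g in remove if g not in current]
    if not_attached:
        raise ValueError(f"not attached to the instance: {not_attached}")
    planned = [g for g in current if g not in set(remove)]
    for gid in add:
        if gid not in planned:
            planned.append(gid)
    if not planned:
        raise ValueError("at least one security group must stay attached")
    if len(planned) > limit:
        raise ValueError(f"{len(planned)} groups exceeds the limit of {limit}")
    return planned


def swap_security_groups(instance_id, add=(), remove=(), dry_run=True):
    """Read the attached groups, plan the change, apply it unless dry_run."""
    import boto3  # imported here so plan_group_swap can be used without AWS access

    instance = boto3.resource("ec2").Instance(instance_id)
    current = [g["GroupId"] for g in instance.security_groups]
    planned = plan_group_swap(current, add, remove)
    if not dry_run:
        instance.modify_attribute(Groups=planned)  # replaces ALL attached groups
    return current, planned


if __name__ == "__main__":
    # Constructed sample IDs, reusing the placeholder style of the CLI answer.
    attached = ["sg-12345", "sg-67890"]
    print(plan_group_swap(attached, add=["sg-abcde"], remove=["sg-12345"]))
```

With `dry_run=True` (the default) `swap_security_groups` only returns the current and planned lists, so the resulting set can be reviewed before anything is changed.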
1

As of 2016 Nov 24, the above answer given by @hanxue is right but not complete. There are two types of instances in AWS: instances inside a private cloud, called VPC instances, and public instances, called EC2-Classic. You can only change security groups of VPC instances, not EC2-Classic. AWS official documentation screenshot you would like to see.

the differences from AWS official documentation

Balman Rawat
0

In the new AWS GUI, just select the instance that you want to add a security group to, select actions on the top navigation area, then select on security. You are welcome

-1

5 security groups

> You can have 50 inbound and 50 outbound rules per security group giving a total of 100 combined inbound and outbound. You can assign up to 5 security groups to a network interface. If you need to increase or decrease this limit, you can contact AWS Support.

-2

However, according to this FAQ, "modify the settings for the current security group - which will affect all instances running in the specific group", you can gradually redefine the existing ones. As I'm trying this now for my scenario through the EC2 console, my records were all erased!

robi