How to change an EC2 instance's security group

Question

I have created a new EC2 instance. It got assigned the default security group. I want to change that security group. How?

possible duplicate of [How to add a security group to a running EC2 Instance?](http://serverfault.com/questions/37088/how-to-add-a-security-group-to-a-running-ec2-instance) — user9517, Feb 19 '11 at 10:58
Not exactly. I STOP the instance but still cannot change the security group. But it appears that an instance's security group **cannot** be changed once the instance is launched, that is, if you assign security group `secA` to the instance, you cannot later change that instance's security group to `secB`. I have not found an AWS document that explicitly states this, though. — user35042, Feb 19 '11 at 17:20
Documentation on the topic can be found here: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html (see the note under the "Adding a Security Group Rule" section) — steenhulthin, Mar 16 '12 at 09:13
While you cannot change which security group is linked to the instance, you CAN edit the linked security group, and the changes take effect immediately, no need to restart the instance. – @romkyns thanks — tgkprog, Dec 25 '14 at 06:44
It can be changed now http://elastic-security.com/2011/04/19/amazon-security-groups-vpc-vs-ec2/ — Pratik Khadloya, Aug 03 '11 at 22:38

score 86 · Accepted Answer · edited Nov 12 '12 at 17:47

86

Unless the instance is in a VPC, security groups can only be chosen before you start your instance for the first time.

Only VPC instances can change security group. For information on VPC see here.

edited Nov 12 '12 at 17:47

Community

1

answered Feb 21 '11 at 10:22

Vitaly Kushner

1,187
9
8

4

As Vitaly says: "After an instance is running, you can't change which security groups it belongs to." (cited [from the reference documentation](http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html)). You could take a snapshot / AMI from the instance and launch it with a different security group, though. – Axel Knauf Feb 21 '11 at 12:50
15

Thanks for the reference, Axel. Although I know you are correct, the wording in the documentation is rather ambiguous: "After an instance is running, you can't change which security groups it belongs to." This suggested to me that if you _stopped_ the instance you could then change the security group. A better way to word this would have been "After an instance has run _for the first time_, you can't change which security groups it belongs to." – user35042 Feb 22 '11 at 06:40
3

While you cannot change which security group is linked to the instance, you CAN edit the linked security group, and the changes take effect immediately, no need to restart the instance. – RomanSt May 04 '14 at 02:50
It's no longer true. You can. – Navern Dec 11 '18 at 12:04

score 57 · Answer 2 · answered Jul 11 '16 at 05:43

57

Now you can change the security group of an EC2 instance from the web console itself.

Select an instance -> right click or click Actions -> Under Networking -> select Change Security Groups

answered Jul 11 '16 at 05:43

Slartibartfast

693
5
8

8

This should be the accepted answer. You can change security groups of an instance – Shrey Feb 02 '17 at 07:32
1

@Shrey The question was asked in 2011 when the web interface wasn't available. The accepted answer was probably the best option then :) – Slartibartfast Feb 02 '17 at 08:39
1

As for 2022, It has changed to Actions -> Security -> Change security groups – Diogo Melo Jun 20 '22 at 23:59

score 5 · Answer 3 · answered Dec 12 '11 at 13:37

For instances launched without a VPC, the Security Group can only be specified at first launch, and cannot be changed afterwards, not even if the instance is stopped first.

For instances launched into a VPC, the group can be changed. However, not all instance types are supported in the VPC - for example, "micro" is not supported as of December 2011.

score 1 · Answer 4 · answered Sep 12 '13 at 15:23

According to the Amazon EC2 documentation, you can update the assigned security group.

After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

score 1 · Answer 5 · answered Nov 27 '13 at 23:59

There is a way to accomplish this for an EBS-backed instance in a non-VPC environment, but it's a little painful:

Shutdown the server you want to change.
Right click the server and select Create Image to make an AMI from it.
Once the AMI has been created, right click on the AMI and select Launch Instance.
Choose the new security group as part of provisioning a "new" server.

This only works for EBS-backed instances that persist beyond a stop/start cycle.

score 0 · Answer 6 · answered Mar 15 '20 at 04:21

I just changed the security group of an EC2 instance without even stopping it first. So maybe the policy has changed.

The instance in question was indeed inside a VPC. I didn't manually create that VPC, though. I think the default now is for a new instance to be inside a VPC.

score -2 · Answer 7 · answered Aug 26 '15 at 11:23

-2

Just stop the instance and right click on it:

If it's a vpc instance you will find the option to change the security groups under Networking

answered Aug 26 '15 at 11:23

justSaid

121
1

How to change an EC2 instance's security group

7 Answers7