I have created a new EC2 instance. It got assigned the default
security group. I want to change that security group. How?
- 2,601
- 10
- 32
- 57
-
possible duplicate of [How to add a security group to a running EC2 Instance?](http://serverfault.com/questions/37088/how-to-add-a-security-group-to-a-running-ec2-instance) – user9517 Feb 19 '11 at 10:58
-
1Not exactly. I STOP the instance but still cannot change the security group. But it appears that an instance's security group **cannot** be changed once the instance is launched, that is, if you assign security group `secA` to the instance, you cannot later change that instance's security group to `secB`. I have not found an AWS document that explicitly states this, though. – user35042 Feb 19 '11 at 17:20
-
Documentation on the topic can be found here: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html (see the note under the "Adding a Security Group Rule" section) – steenhulthin Mar 16 '12 at 09:13
-
Run it in a VPC. – ceejayoz Sep 12 '13 at 15:29
-
While you cannot change which security group is linked to the instance, you CAN edit the linked security group, and the changes take effect immediately, no need to restart the instance. – @romkyns thanks – tgkprog Dec 25 '14 at 06:44
-
It can be changed now http://elastic-security.com/2011/04/19/amazon-security-groups-vpc-vs-ec2/ – Pratik Khadloya Aug 03 '11 at 22:38
-
It can only be changed for VPC. – steenhulthin Mar 16 '12 at 09:19
7 Answers
Unless the instance is in a VPC, security groups can only be chosen before you start your instance for the first time.
Only VPC instances can change security group. For information on VPC see here.
- 1,187
- 9
- 8
-
4As Vitaly says: "After an instance is running, you can't change which security groups it belongs to." (cited [from the reference documentation](http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html)). You could take a snapshot / AMI from the instance and launch it with a different security group, though. – Axel Knauf Feb 21 '11 at 12:50
-
15Thanks for the reference, Axel. Although I know you are correct, the wording in the documentation is rather ambiguous: "After an instance is running, you can't change which security groups it belongs to." This suggested to me that if you _stopped_ the instance you could then change the security group. A better way to word this would have been "After an instance has run _for the first time_, you can't change which security groups it belongs to." – user35042 Feb 22 '11 at 06:40
-
3While you cannot change which security group is linked to the instance, you CAN edit the linked security group, and the changes take effect immediately, no need to restart the instance. – RomanSt May 04 '14 at 02:50
-
Now you can change the security group of an EC2 instance from the web console itself.
Select an instance -> right click or click Actions -> Under Networking -> select Change Security Groups
- 693
- 5
- 8
-
8This should be the accepted answer. You can change security groups of an instance – Shrey Feb 02 '17 at 07:32
-
1@Shrey The question was asked in 2011 when the web interface wasn't available. The accepted answer was probably the best option then :) – Slartibartfast Feb 02 '17 at 08:39
-
1As for 2022, It has changed to Actions -> Security -> Change security groups – Diogo Melo Jun 20 '22 at 23:59
For instances launched without a VPC, the Security Group can only be specified at first launch, and cannot be changed afterwards, not even if the instance is stopped first.
For instances launched into a VPC, the group can be changed. However, not all instance types are supported in the VPC - for example, "micro" is not supported as of December 2011.
- 1,195
- 1
- 13
- 32
According to the Amazon EC2 documentation, you can update the assigned security group.
After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.
- 639
- 2
- 6
- 19
There is a way to accomplish this for an EBS-backed instance in a non-VPC environment, but it's a little painful:
- Shutdown the server you want to change.
- Right click the server and select Create Image to make an AMI from it.
- Once the AMI has been created, right click on the AMI and select Launch Instance.
- Choose the new security group as part of provisioning a "new" server.
This only works for EBS-backed instances that persist beyond a stop/start cycle.
- 111
- 2
I just changed the security group of an EC2 instance without even stopping it first. So maybe the policy has changed.
The instance in question was indeed inside a VPC. I didn't manually create that VPC, though. I think the default now is for a new instance to be inside a VPC.
- 1
- 1
Just stop the instance and right click on it:
- If it's a vpc instance you will find the option to change the security groups under Networking
- 121
- 1