Work with security groups - Amazon Virtual Private Cloud

Work with security groups

The following tasks show you how to work with security groups.

Required permissions

Before you begin, ensure that you have the required permissions.

The rules of a security group control the inbound traffic that's allowed to reach the resources that are associated with the security group. For more information about security group rules, see Security group rules.

Create a security group

By default, new security groups start with only an outbound rule that allows all traffic to leave the resource. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

To create a security group using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security groups.

  3. Choose Create security group.

  4. Enter a name and description for the security group. You cannot change the name and description of a security group after it is created.

  5. From VPC, choose a VPC. The security group can be used only in the VPC for which it is created.

  6. You can add security group rules now, or you can add them later. For more information, see Add rules to a security group.

  7. You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.

  8. Choose Create security group.

After you create a security group, you may want to do one of the following:

  • Assign the security group to an EC2 instance when you launch the instance or change the security group currently assigned to an instance. For more information, see Launch an instance or Change security groups in the Amazon EC2 User Guide for Linux Instances.

  • Add security group rules. The rules of a security group control the inbound traffic that's allowed to reach the resources that are associated with the security group. For more information about security group rules, see Work with security group rules.

To create a security group using the AWS CLI

Use the create-security-group command.

View your security groups

You can view information about your security groups as follows.

To view your security groups using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security groups.

  3. Your security groups are listed. To view the details for a specific security group, including its inbound and outbound rules, select the security group. For more information about updating security group rules, see Update security group rules.

To view all of your security groups across Regions

Open the Amazon EC2 Global View console at https://console.aws.amazon.com/ec2globalview/home. For more information, see List and filter resources using the Amazon EC2 Global View in the Amazon EC2 User Guide for Linux Instances.

To view your security groups using the AWS CLI

Use the describe-security-groups and describe-security-group-rules commands.

Tag your security groups

Add tags to your resources to help organize and identify them, such as by purpose, owner, or environment. You can add tags to your security groups. Tag keys must be unique for each security group. If you add a tag with a key that is already associated with the security group, it updates the value of that tag.

To tag a security group using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security groups.

  3. Select the check box for the security group.

  4. Choose Actions, Manage tags. The Manage tags page displays any tags that are assigned to the security group.

  5. To add a tag, choose Add new tag and enter the tag key and tag value. To delete a tag, choose Remove next to the tag to delete.

  6. Choose Save changes.

To tag a security group using the AWS CLI

Use the create-tags command.

Delete a security group

You can delete a security group only if it is not associated with any resources. You can't delete a default security group.

If you're using the console, you can delete more than one security group at a time. If you're using the command line or the API, you can delete only one security group at a time.

To delete a security group using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security groups.

  3. Select the security group and choose Actions, Delete security groups.

  4. When prompted for confirmation, choose Delete.

To delete a security group using the AWS CLI

Use the delete-security-group command.

Manage security groups using Firewall Manager

AWS Firewall Manager simplifies your security group administration and maintenance tasks across multiple accounts and resources. With Firewall Manager, you can configure and audit the security groups for your organization from a single central administrator account. Firewall Manager automatically applies the rules and protections across your accounts and resources, even as you add new resources. Firewall Manager is particularly useful when you want to protect your entire organization, or if you frequently add new resources that you want to protect from a central administrator account.

You can use Firewall Manager to centrally manage security groups in the following ways:

  • Configure common baseline security groups across your organization: You can use a common security group policy to provide a centrally controlled association of security groups to accounts and resources across your organization. You specify where and how to apply the policy in your organization.

  • Audit existing security groups in your organization: You can use an audit security group policy to check the existing rules that are in use in your organization's security groups. You can scope the policy to audit all accounts, specific accounts, or resources tagged within your organization. Firewall Manager automatically detects new accounts and resources and audits them. You can create audit rules to set guardrails on which security group rules to allow or disallow within your organization, and to check for unused or redundant security groups.

  • Get reports on non-compliant resources and remediate them: You can get reports and alerts for non-compliant resources for your baseline and audit policies. You can also set auto-remediation workflows to remediate any non-compliant resources that Firewall Manager detects.
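The two audit checks described above (inbound rules open to the world outside a guardrail, and unused security groups) can also be run locally over the JSON returned by the describe-security-groups and describe-network-interfaces commands from the AWS CLI section earlier on this page. This is an added example, not AWS code: the group and ENI IDs and the rule set are constructed, and the port allow-list is an assumed guardrail.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not from a real account): "web" exposes 443 and 22 to the whole internet.
DESCRIBE_SGS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-00000000000000001", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
  "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-00000000000000002", "GroupName": "old", "IpPermissions": [],
  "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`,
# reduced to the Groups attribute that records which groups each ENI carries.
DESCRIBE_ENIS = {"NetworkInterfaces": [{"NetworkInterfaceId": "eni-00000000000000001",
    "Groups": [{"GroupId": "sg-00000000000000001", "GroupName": "web"}]}]}

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}  # assumed guardrail: only web ports may be world-reachable

def world_open_findings(sgs, allowed=ALLOWED_PUBLIC_PORTS):
    """Inbound rules reachable from anywhere whose ports are not all allow-listed,
    as (group_id, protocol, from_port, to_port) tuples."""
    findings = []
    for sg in sgs["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue
            proto = rule["IpProtocol"]
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            # "-1" is every protocol and port; ICMP and other non-TCP/UDP rules
            # have no port allow-list to satisfy, so they are always reported.
            if proto in ("tcp", "udp") and all(p in allowed for p in range(lo, hi + 1)):
                continue
            findings.append((sg["GroupId"], proto, lo, hi))
    return findings

def unused_groups(sgs, enis):
    """Groups carried by no network interface and referenced by no other group's
    rule: the only ones the delete step on this page can actually remove."""
    referenced = {g["GroupId"] for eni in enis["NetworkInterfaces"] for g in eni["Groups"]}
    for sg in sgs["SecurityGroups"]:
        for rule in sg["IpPermissions"] + sg["IpPermissionsEgress"]:
            referenced |= {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    return sorted(sg["GroupId"] for sg in sgs["SecurityGroups"] if sg["GroupId"] not in referenced)
```

On a real account, pipe `aws ec2 describe-security-groups --output json` and `aws ec2 describe-network-interfaces --output json` into the two functions instead of the constructed samples.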

To learn more about using Firewall Manager to manage your security groups, see the following resources in the AWS Firewall Manager developer guide: