Add an ECS instance to a security group - Elastic Compute Service

Security groups are an important means for security isolation. Security groups are used to control access to and from one or more Elastic Compute Service (ECS) instances. You can add an ECS instance to one or more security groups based on your business needs. Each ECS instance must belong to at least one security group. By default, each instance can belong to up to five security groups.

Prerequisites

Before you add an ECS instance to a security group, make sure that the following requirements are met:

An instance is created. For more information, see Create an instance by using the wizard.
The ECS instance and the security group to which you want to add the instance are of the same network type. If the network type is Virtual Private Cloud (VPC), the security group and the ECS instance must reside in the same VPC.
If the ECS instance already belongs to a security group, this new security group must be of the same type as the security group to which the ECS instance already belongs. For more information, see Overview.

Add an instance to one or more security groups

Perform the following steps to add an instance to one or more security groups on the Instances page.

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select a region.
On the Instances page, find the ECS instance that you want to add to security groups. You can use one of the following methods to add the instance to security groups:
- Add the instance to security groups on the Security Groups tab of the Instance Details page.
  1. On the Instances page, click the instance ID in the Instance ID/Name column.
  2. On the Instance Details page, click the Security Groups tab.
  3. Click Add to Security Group.
- Add the instance to security groups on the Instances page.
  Choose More > Network and Security Group > Add to Security Group in the Actions column.
In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
To add the ECS instance to multiple security groups, select a security group and click Join Multiple Security Groups. The selected security group is automatically added to the selection box that appears. Repeat this operation to add more security groups to the selection box.
Click OK.
After the ECS instance is added to the selected security groups, the security groups rules in the security groups automatically apply to the instance.

Add one or more instances to the same security group

Perform the following steps to add one or more instances to the same security group on the Security Groups page.

Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > Security Groups.
In the top navigation bar, select a region.
Find the security group to which you want to add instances and click Manage Instances in the Actions column.
In the upper-right corner of the Instances in Security Group page, click Add Instance.
In the Add Instance dialog box, select an instance ID and click OK.
To add multiple ECS instances to the security group, click Add Instance to add more ECS instances.
After the ECS instances are added to the security group, the security group rules in the security group automatically apply to these ECS instances.

What to do next

You can view all security groups that you create within a region. For more information, see Query security groups.
You can remove an instance from one or more security groups. After an ECS instance is removed from a security group, the instance is isolated from the other ECS instances in the security group. To ensure that services run properly after an ECS instance is removed, we recommend that you perform sufficient tests before you remove the ECS instance. For more information, see Remove an instance from a security group.
You can delete security groups that are no longer needed. When a security group is deleted, its rules are also deleted. For more information, see Delete a security group.