Configure security group rules

After you create a security group, you can add, update, and delete its security group rules. When you add, update, or delete a rule, the change is automatically applied to the resources that are associated with the security group.

Required permissions

Before you begin, ensure that you have the required permissions. For more information, see Manage security group rules.

Sources and destinations

You can specify the following as sources for inbound rules or destinations for outbound rules.

Custom – A IPv4 CIDR block, and IPv6 CIDR block, another security group, or a prefix list.
Anywhere-IPv4 – The 0.0.0.0/0 IPv4 CIDR block.
Anywhere-IPv6 – The ::/0 IPv6 CIDR block.
My IP – The public IPv4 address of your local computer.

Warning

If you choose Anywhere-IPv4, you allow traffic from all IPv4 addresses. If you choose Anywhere-IPv6, you allow traffic from all IPv6 addresses. It is a best practice to authorize only the specific IP address ranges that need access to your resources.

To configure security group rules using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Security groups.
Select the security group.
To edit the inbound rules, choose Edit inbound rules from Actions or the Inbound rules tab.
1. To add a rule, choose Add rule and enter the type, protocol, port, and source for the rule.
  
  If the type is TCP or UDP, you must enter the port range to allow. For custom ICMP, you must choose the ICMP type name from Protocol, and, if applicable, the code name from Port range. For any other type, the protocol and port range are configured for you.
2. To update a rule, change its protocol, description, and source as needed. However, you can't change the source type. For example, if the source is an IPv4 CIDR block, you can't specify an IPv6 CIDR block, a prefix list, or a security group.
3. To delete a rule, choose its Delete button.
To edit the outbound rules, choose Edit outbound rules from Actions or the Outbound rules tab.
1. To add a rule, choose Add rule and enter the type, protocol, port, and destination for the rule. You can also enter an optional description.
  
  If the type is TCP or UDP, you must enter the port range to allow. For custom ICMP, you must choose the ICMP type name from Protocol, and, if applicable, the code name from Port range. For any other type, the protocol and port range are configured for you.
2. To update a rule, change its protocol, description, and source as needed. However, you can't change the source type. For example, if the source is an IPv4 CIDR block, you can't specify an IPv6 CIDR block, a prefix list, or a security group.
3. To delete a rule, choose its Delete button.
Choose Save rules.

To configure security group rules using the AWS CLI

Add – Use the authorize-security-group-ingress and authorize-security-group-egress commands.
Remove – Use the revoke-security-group-ingress and revoke-security-group-egress commands.
Modify – Use the modify-security-group-rules, update-security-group-rule-descriptions-ingress, and update-security-group-rule-descriptions-egresscommands.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create a security group

Delete a security group