How to Modify Security Groups for Running EC2 Instances in AWS

When you launch a new EC2 instance in AWS, it automatically gets assigned the default security group if no specific group is specified. The default security group typically has minimal inbound/outbound rules, which may not meet your application's security requirements.

There are two main approaches to modify security groups for an EC2 instance:

Method 1: Using AWS Management Console

  1. Navigate to EC2 Dashboard
  2. Select "Instances" from the left menu
  3. Choose your target instance
  4. Click "Actions" > "Security" > "Change security groups"
  5. Select/deselect security groups from the list
  6. Click "Save" to apply changes

Method 2: Using AWS CLI

For automation purposes, you can use the modify-instance-attribute command:

aws ec2 modify-instance-attribute \
    --instance-id i-1234567890abcdef0 \
    --groups sg-903004f8 sg-1a2b3c4d

  • Instance State: The instance must be in stopped state to change its primary security group
  • Network Interfaces: For running instances, you can modify security groups associated with ENIs
  • Impact Assessment: Changing security groups may temporarily disrupt network connectivity

EC2 instances can have up to 5 security groups. Here's how to add additional groups:

# Get current security groups
INSTANCE_ID="i-1234567890abcdef0"
CURRENT_SGS=$(aws ec2 describe-instances \
    --instance-ids $INSTANCE_ID \
    --query 'Reservations[0].Instances[0].SecurityGroups[*].GroupId' \
    --output text)

# Add new security group while preserving existing ones
aws ec2 modify-instance-attribute \
    --instance-id $INSTANCE_ID \
    --groups $CURRENT_SGS sg-903004f8

Error: InvalidGroup.NotFound - Verify the security group ID exists in the same VPC as your instance.

Error: OperationNotPermitted - Check IAM permissions for ec2:ModifyInstanceAttribute and ec2:DescribeSecurityGroups.

When launching a new EC2 instance, AWS automatically assigns the default security group if none is specified. Security groups act as virtual firewalls controlling inbound and outbound traffic. Unlike network ACLs, security groups are stateful - meaning return traffic is automatically allowed.

There are two principal approaches to change security groups for an EC2 instance:

Through AWS Management Console

  1. Navigate to EC2 Dashboard → Instances
  2. Select the target instance
  3. Click "Actions" → "Security" → "Change security groups"
  4. Select/deselect security groups (you can assign up to 5)
  5. Click "Save"

Using AWS CLI

For automation scenarios, use the modify-instance-attribute command:

aws ec2 modify-instance-attribute \
    --instance-id i-1234567890abcdef0 \
    --groups sg-903004f8 sg-1a2b3c4d

  • Changes take effect immediately
  • You cannot remove all security groups - at least one must remain
  • The instance must be in the running or stopped state
  • Modifying security groups won't cause instance reboot

If you encounter "InvalidGroup.NotFound" errors, verify that the group IDs exist:

aws ec2 describe-security-groups \
    --group-ids sg-903004f8 sg-1a2b3c4d

  • Create custom security groups instead of using default
  • Implement least-privilege principles
  • Use security group references instead of CIDR blocks when possible
  • Consider using AWS Systems Manager for batch operations
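As an added example (not part of the original article), the following POSIX shell script combines the "add a group while preserving existing ones" procedure with the InvalidGroup.NotFound troubleshooting step: it deduplicates the merged list, refuses to exceed the 5-group limit, and checks that every requested group is in the instance's VPC before calling modify-instance-attribute. It assumes the AWS CLI is on PATH with credentials permitted for ec2:DescribeInstances, ec2:DescribeSecurityGroups and ec2:ModifyInstanceAttribute; MAX_SGS=5 is an assumed default quota.

```sh
#!/bin/sh
# Added example, not part of the original article. Attaches extra security
# groups to an instance while keeping those already attached, skipping
# duplicates, enforcing the group limit, and checking each group lives in the
# instance's VPC (the usual cause of InvalidGroup.NotFound) before any change.
# Assumed: AWS CLI on PATH with the Describe*/ModifyInstanceAttribute permissions.

MAX_SGS=5   # assumed default per-interface limit; check your account quota

# merge_groups "CURRENT_IDS" NEW_ID...  -> prints the deduplicated union
merge_groups() {
    result="$1"; shift
    for sg in "$@"; do
        case " $result " in
            *" $sg "*) ;;                      # already attached, skip
            *) result="$result $sg" ;;
        esac
    done
    result="${result# }"                       # drop leading space if CURRENT was empty
    set -- $result                             # word-split to count entries
    if [ "$#" -gt "$MAX_SGS" ]; then
        echo "refusing: $# groups exceeds limit of $MAX_SGS" >&2
        return 1
    fi
    printf '%s\n' "$result"
}

# attach_security_groups INSTANCE_ID NEW_ID...
attach_security_groups() {
    instance_id="$1"; shift
    vpc_id=$(aws ec2 describe-instances --instance-ids "$instance_id" \
        --query 'Reservations[0].Instances[0].VpcId' --output text) || return 1
    current=$(aws ec2 describe-instances --instance-ids "$instance_id" \
        --query 'Reservations[0].Instances[0].SecurityGroups[*].GroupId' \
        --output text | tr '\t' ' ')           # text output is tab-separated
    for sg in "$@"; do
        # a group that is missing or in another VPC fails here, before any change
        sg_vpc=$(aws ec2 describe-security-groups --group-ids "$sg" \
            --query 'SecurityGroups[0].VpcId' --output text) || return 1
        [ "$sg_vpc" = "$vpc_id" ] || { echo "$sg is not in $vpc_id" >&2; return 1; }
    done
    merged=$(merge_groups "$current" "$@") || return 1
    # shellcheck disable=SC2086  # word-splitting into separate IDs is intended
    aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups $merged
}

# usage: attach_security_groups i-1234567890abcdef0 sg-903004f8
```

merge_groups is pure and can be exercised offline; attach_security_groups performs the live API calls and stops before modifying anything if a pre-check fails.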