How to add a security group to a running EC2 Instance?

Update 2015-02-27:

This is now possible, see the answer below.

Old reply:

Amazon's FAQ says it's not possible to define a security group anywhere but at launch time.


Update: As of January 2014, you can now change security groups for running AWS EC2 instances.

AWS Console

Simply right-click on an instance, and click on Change Security Group.

Add/remove security groups as appropriate and click Assign Security Groups when done.


EC2 Command Line

Use the following command:

ec2-modify-instance-attribute <instance-id> --group-id <group-id>

AWS Command Line

Use the following command:

aws ec2 modify-instance-attribute --instance-id i-12345 --groups sg-12345 sg-67890

Note, you must specify all security groups with which you'd like the instance associated.
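
Because `--groups` replaces the instance's whole set of security groups, passing only the new group would detach the existing ones. The script below is an added example, not part of the original answer: it reads the groups currently attached, appends the new one, and sends the full list back. The function names `merge_groups` and `add_group` are hypothetical, and it assumes the AWS CLI is installed with credentials configured.

```bash
#!/usr/bin/env bash
# Added example: append a security group to a running instance without
# dropping the groups it already has (--groups replaces the whole set).

# merge_groups "<current ids, whitespace separated>" <new-id>
# Prints the current ids plus new-id, space separated, without duplicates.
merge_groups() {
    local current="$1" new="$2" out="" g
    for g in $current $new; do
        case " $out " in
            *" $g "*) ;;                      # already listed, skip it
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s\n' "$out"
}

# add_group <instance-id> <group-id>
# Prints the final group list on success.
add_group() {
    local instance="$1" new="$2" current merged
    # Read the groups attached right now (text output is tab separated).
    current=$(aws ec2 describe-instances --instance-ids "$instance" \
        --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' \
        --output text) || return 1
    if [ -z "$current" ] || [ "$current" = "None" ]; then
        echo "no security groups found for $instance" >&2
        return 1
    fi
    merged=$(merge_groups "$current" "$new")
    # $merged is left unquoted so each id becomes its own argument.
    aws ec2 modify-instance-attribute --instance-id "$instance" \
        --groups $merged || return 1
    printf '%s\n' "$merged"
}

# Runs only when called with arguments, e.g.: ./add-sg.sh i-12345 sg-67890
if [ "$#" -eq 2 ]; then
    add_group "$1" "$2"
fi
```

Comparing the printed list with the output of `describe-instances` afterwards confirms that no existing group was dropped.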


It is now possible to do this. Click on the actions menu and Change Security Groups, then select the Security Groups you would like to use.


  1. Create an AMI image from the instance you want to move to a different security group.
  2. Launch a new instance using that image; now we can assign this new instance to a different security group.
  3. Discard the previous instance.

This requires downtime on your instance. There may be some other options available using the API.


As towo said, you can't change a security group of an instance anywhere but launch time.

Unless you are using a VPC where security groups differ from EC2 security groups.

This page outlines the differences between EC2 and VPC security groups.

http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

So if you require the extra functionality of the VPC groups (changing groups, controlling ingress/egress traffic, etc.), you may want to look at the additional functionality provided by VPCs.