I created another SG and attached it to the same VPC, but that won't work. The only alternative I see for now is to attach another network interface with a public IP and add the second SG there. Is there any way of increasing the rules limit of the first SG on the primary network interface of the instance?
Okay, found the solution. After you create a security group and attach it to the same VPC where the network interface for the instance is (same region, etc.), go to Network Interfaces, right-click (or select and click the Actions button), and click Change Security Groups. This is tricky: you will think you can only change from one group to another, but if you press and hold CTRL, you can select two or three groups and then click Save; that will attach those security groups to the same interface.
An EFS file system was temporarily set up for use with two EC2 instances in different availability zones. Security groups were automatically created for each subnet within the region in which the EFS was launched. This region has three availability zones, so three subnets and thus three security groups. Looking at the security groups' descriptions details the SGs' creation:
The EFS and the EC2s to which the EFS was attached have now all been terminated/deleted. However, when attempting to delete the security groups I get the following notification for each:
Clicking on the link "1 security group associated" for details of why security group sg-053f4a90837fda586 cannot be deleted shows that the associated security group is sg-0f481995d4e99ac12. Upon attempting to delete sg-0f481995d4e99ac12, the same information says that it cannot be deleted as it is associated with sg-053f4a90837fda586. So sg-053f4a90837fda586 cannot be deleted because sg-0f481995d4e99ac12 exists, and vice versa.
Attempting to delete both at the same time gives the same issue:
What is the error in my approach?
This error can happen when the security group you are trying to delete is referenced in a rule of another security group.
To fix this, in each security group remove the rule that is referencing the other group.
Then, delete the security groups themselves.
As far as I can see, you might be using the default SG, which cannot be deleted, as mentioned here:
Troubleshoot delete SG
All VPCs have a default security group. If you don't specify a different security group when you launch the instance, a default security group is automatically associated with your instance. You can't delete a default security group. But, you can change the default security group's rules.
I have a carefully crafted and secure Default Security Group that should be used for this new EC2 instance. However, none of my existing SGs are included in the Configure Security Group screen. Instead two new ones are shown that are worse than useless:
Port 80 open to the world ??
Why are my existing security groups not displayed? Note I have checked that the Region is the correct one containing the properly constructed SGs.
Based on the comments.
Security groups (SGs) are VPC-specific. Thus, the issue was caused by launching an instance in a different VPC than intended. Subsequently, the expected SGs were not available for the instance.
The solution was to use the correct VPC.
I want to delete a security group, sg-d578d9ab, in my AWS account.
I got the following message when trying to delete it.
These security groups are associated with one or more network interfaces. Delete the network interfaces, or associate them with different security groups. View your network interfaces.
In order to solve the problem, I opened the Network Interfaces page to see which network interface is using sg-d578d9ab.
It turns out there's 1 network interface that's using the security group.
Then I use Change Security Groups option to dissociate the security group from the network interface.
Then I got a message saying
You do not have permission to access the specified resource.
Why can't I change the security group of the network interface?
My AWS account has AdministratorAccess permission.
The Attachment owner and Owner ID properties of the network interface are amazon-rds. This seems to be the reason I can't change its security group.
Does this mean that the network interface is created when someone else sets up an AWS RDS?
The security group, sg-d578d9ab, is used by one of my RDS instances.
After dissociating the RDS instance and the security group, I'm able to delete the security group.
Saw the same error, but from a VPC endpoint. After dissociating the VPC endpoint from the security group, I was able to delete the security group.
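The two deletion failures above (a pair of EFS mount-target groups that reference each other, and a group still attached to an RDS-owned network interface) are both "dependency violations" that the console only shows one at a time. The following script, an added example that is not from any of the posts, works out every blocker for a group from the JSON shapes returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`, and lists what must change first. The inputs are constructed samples so it runs offline: the two EFS group IDs and the RDS group ID are the ones quoted in the posts, while the ENI ID, VPC ID, account ID and rule contents are made up. Function names such as `find_delete_blockers` are this example's own.

```python
"""Work out why a VPC security group cannot be deleted, and what to fix first.

Added example, not code from the posts above. Inputs mimic the JSON of
`aws ec2 describe-security-groups` / `describe-network-interfaces`; the sample
data below is constructed (only the sg- IDs come from the posts).
"""

import re

SG_ID = re.compile(r"^sg-[0-9a-f]{8,17}$")  # short (8 hex) and long (17 hex) IDs


def referencing_rules(target_sg, security_groups):
    """Rules in *other* groups whose source/destination is target_sg.

    Each hit is (referencing_group_id, "ingress" | "egress", rule). These are
    the rules that must be revoked before target_sg can be deleted.
    """
    hits = []
    for sg in security_groups:
        if sg["GroupId"] == target_sg:
            continue  # only references held by other groups are collected
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                if any(p.get("GroupId") == target_sg for p in rule.get("UserIdGroupPairs", [])):
                    hits.append((sg["GroupId"], direction, rule))
    return hits


def revoke_references(target_sg, security_groups):
    """Return a copy of the groups with every rule that references target_sg removed
    (the programmatic form of "remove the rule that is referencing the other group")."""
    cleaned = []
    for sg in security_groups:
        copy = dict(sg)
        for key in ("IpPermissions", "IpPermissionsEgress"):
            copy[key] = [r for r in sg.get(key, [])
                         if not any(p.get("GroupId") == target_sg
                                    for p in r.get("UserIdGroupPairs", []))]
        cleaned.append(copy)
    return cleaned


def interfaces_using(target_sg, network_interfaces):
    """(eni_id, owner) for every network interface that still carries target_sg.

    owner is the attachment's InstanceOwnerId. When a managed service owns the
    ENI (the posts saw 'amazon-rds'), the groups must be changed on that
    service's resource, not on the interface itself.
    """
    out = []
    for eni in network_interfaces:
        if any(g.get("GroupId") == target_sg for g in eni.get("Groups", [])):
            owner = eni.get("Attachment", {}).get("InstanceOwnerId", "unattached")
            out.append((eni["NetworkInterfaceId"], owner))
    return out


def find_delete_blockers(target_sg, security_groups, network_interfaces, account_id):
    """Summarise the dependencies of target_sg and the action that clears each."""
    if not SG_ID.match(target_sg):
        raise ValueError(f"not a security group id: {target_sg}")
    refs = referencing_rules(target_sg, security_groups)
    enis = interfaces_using(target_sg, network_interfaces)
    actions = [f"revoke the {d} rule in {g} that references {target_sg}" for g, d, _ in refs]
    for eni_id, owner in enis:
        if owner in ("unattached", account_id):
            actions.append(f"change the security groups on {eni_id} (or delete it)")
        else:
            actions.append(f"reconfigure the {owner} resource that owns {eni_id}")
    return {"group": target_sg, "references": refs, "interfaces": enis,
            "actions": actions, "deletable": not refs and not enis}


# --- constructed sample data (NFS port 2049 is what EFS mount targets use) ---
EFS_A, EFS_B, RDS_SG = "sg-053f4a90837fda586", "sg-0f481995d4e99ac12", "sg-d578d9ab"
ACCOUNT = "111122223333"  # made-up account id


def _nfs_from(group_id):
    return {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
            "UserIdGroupPairs": [{"GroupId": group_id}]}


SAMPLE_GROUPS = [
    {"GroupId": EFS_A, "VpcId": "vpc-0example0000001", "IpPermissions": [_nfs_from(EFS_B)],
     "IpPermissionsEgress": []},
    {"GroupId": EFS_B, "VpcId": "vpc-0example0000001", "IpPermissions": [_nfs_from(EFS_A)],
     "IpPermissionsEgress": []},
    {"GroupId": RDS_SG, "VpcId": "vpc-0example0000001",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
     "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60718", "Description": "RDSNetworkInterface",
     "Groups": [{"GroupId": RDS_SG}], "Attachment": {"InstanceOwnerId": "amazon-rds"}},
]

if __name__ == "__main__":
    for sg in (EFS_A, EFS_B, RDS_SG):
        report = find_delete_blockers(sg, SAMPLE_GROUPS, SAMPLE_ENIS, ACCOUNT)
        print(sg, "deletable" if report["deletable"] else report["actions"])
```

Running it reports that each EFS group is held by the other's inbound rule and that the RDS group is held by an `amazon-rds` interface, which is exactly why the console refused the delete in both posts. Clearing the reference on either EFS group makes that group deletable, and deleting it removes its own outbound reference, so the second group follows without further edits.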
I have a running EC2 instance with a few security groups added. What I want to do is remove one of the security groups and add a new one.
I think there will be no problem in adding a new security group. But is it possible to remove a security group without terminating the existing EC2 instance and creating a new one from the AMI?
Yes, it is possible both to add and to remove a security group. In the AWS web console go to the EC2 Instances page, right-click on the instance you want to change -> Networking -> Change Security Group.
You can easily check that it is done without terminating or even stopping the instance.
FWIW, you can also change the inbound/outbound rules of the current security group instead of removing it and adding a new one. Changes to inbound/outbound rules also take effect immediately with no need to stop EC2.
From the AWS documentation, this is how you can remove a security group from an instance:
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Instances.
Select your instance, and then choose Actions, Security, Change security groups.
For Associated security groups, select a security group from the list and choose Add security group.
To remove an already associated security group, choose Remove for that security group.
Choose Save.
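Both the CTRL-select trick in the first thread (several groups on one interface to get past the per-group rule quota) and the add/remove steps just above are, on the API side, a single call that replaces the interface's whole group list. The script below is an added example, not from the posts or from AWS: it computes that list, refuses the mistakes the posts ran into (a group from another VPC, which the console would not even show; an empty list; more groups than the interface quota), counts the rules that will actually apply, and prints the equivalent `aws ec2 modify-network-interface-attribute` command. The catalogue, IDs and VPCs are constructed; the quota default of 5 groups per interface is an assumption passed as a parameter, so check your own account's quota.

```python
"""Plan a security-group change on a running instance's network interface.

Added example, not code from the posts above. CATALOGUE mimics trimmed
`aws ec2 describe-security-groups` output and is entirely constructed.
"""

WEB, PARTNER, OTHER_VPC = "sg-0a1b2c3d4e5f67890", "sg-0fedcba9876543210", "sg-0123456789abcdef0"

CATALOGUE = {
    WEB: {  # already on the instance
        "GroupName": "web-base", "VpcId": "vpc-0aaa111bbb222ccc3",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    PARTNER: {  # extra allow-list, to sit beside WEB on the same interface
        "GroupName": "partner-allowlist", "VpcId": "vpc-0aaa111bbb222ccc3",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "198.51.100.0/24"},
                                        {"CidrIp": "203.0.113.0/24"}]}],
        "IpPermissionsEgress": []},
    OTHER_VPC: {  # same name as WEB but in a different VPC: never combinable
        "GroupName": "web-base", "VpcId": "vpc-0ddd444eee555fff6",
        "IpPermissions": [], "IpPermissionsEgress": []},
}


def plan_group_change(current, add, remove, catalogue, max_per_interface=5):
    """Return the full group list to apply after removing `remove` and adding `add`.

    Every group must exist and all must share one VPC; the interface must keep
    at least one group; the assumed quota caps the total.
    """
    add, remove = list(add), set(remove)
    unknown = [g for g in list(current) + add if g not in catalogue]
    if unknown:
        raise ValueError(f"unknown security groups: {unknown}")
    new = [g for g in current if g not in remove]
    for g in add:
        if g not in new:
            new.append(g)
    if not new:
        raise ValueError("an interface must keep at least one security group")
    vpcs = {catalogue[g]["VpcId"] for g in new}
    if len(vpcs) != 1:
        raise ValueError(f"groups span several VPCs: {sorted(vpcs)}")
    if len(new) > max_per_interface:
        raise ValueError(f"{len(new)} groups exceeds the per-interface quota of {max_per_interface}")
    return new


def rule_count(groups, catalogue):
    """Rules that will apply on the interface; each CIDR, prefix list or group
    pair inside a permission counts as one rule, as EC2 quotas count them."""
    def n(perm):
        return (len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
                + len(perm.get("PrefixListIds", [])) + len(perm.get("UserIdGroupPairs", [])))
    inbound = sum(n(p) for g in groups for p in catalogue[g]["IpPermissions"])
    outbound = sum(n(p) for g in groups for p in catalogue[g]["IpPermissionsEgress"])
    return {"inbound": inbound, "outbound": outbound}


def modify_interface_command(eni_id, groups):
    """The CLI call that replaces the interface's group list in one step."""
    return ("aws ec2 modify-network-interface-attribute "
            f"--network-interface-id {eni_id} --groups " + " ".join(groups))


if __name__ == "__main__":
    eni = "eni-0a1b2c3d4e5f60718"  # constructed
    extra = plan_group_change([WEB], add=[PARTNER], remove=[], catalogue=CATALOGUE)
    print(modify_interface_command(eni, extra), rule_count(extra, CATALOGUE))
    swapped = plan_group_change([WEB], add=[PARTNER], remove=[WEB], catalogue=CATALOGUE)
    print(modify_interface_command(eni, swapped))
```

The same list is what `modify-instance-attribute --groups` takes for the instance's primary interface; either call applies immediately to the running instance, without a stop or a reboot, as the answers above say.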
I was trying to configure my EB to talk to an external RDS instance. I found an AWS document, but it is way too complicated, and many descriptions don't match what I have on the AWS configuration pages. Since I have configured access to RDS from EC2 and from my local machine before, I know I just need to find the security group of my EB instance and add it to the RDS security group's inbound access rules. However, while I searched hard, I cannot find where the EB instance security group is. The closest thing I can find is a dash-connected 6-part long string on the Instance Configuration page in the EB environment dashboard. But copying this long string into the RDS access rule is rejected as invalid.
Eventually I found the security group of the EB which I can add into the RDS access rules. It's not straightforward, but it's indeed related to the security group on the Instance Configuration page of the EB environment. First, on the EB environment page, tap the Configuration button, and tap the gear button on the Instance Configuration panel.
Once on the Instance configuration detail page, find the EC2 security groups entry and copy part of the string, like the erased part in this picture.
Then open another window and go to the RDS instance dashboard, tap on the Configuration Detail, find the Security Group and tap into it. At the bottom of the Security Group configuration page, edit the rules and add a new Inbound rule. Paste the copied partial EB security group into it; the browser will automatically prompt the correct security group in the sg-xxxx format. Select it, configure the Type as either All Traffic or your particular DB type, and voila, your EB instance can now talk to the RDS.
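What the console's autocomplete does when you paste a fragment of the EB group name is resolve it to one exact `sg-` ID and write an inbound rule whose source is that group rather than an IP range. The script below is an added example, not from the post or from AWS, that does the same programmatically: it resolves the pasted fragment (and refuses an ambiguous one, so a short fragment cannot silently pick a different environment's group), builds the `IpPermissions` entry that `authorize-security-group-ingress` accepts, restricted to the database port instead of All Traffic, and checks whether an equivalent rule already exists. The group IDs and names are constructed; the `awseb-e-...-AWSEBSecurityGroup-...` name shape is assumed from how Elastic Beanstalk names its generated groups, and 3306 is simply the MySQL default port used for the sample.

```python
"""Resolve a pasted EB security-group fragment and build the RDS inbound rule.

Added example, not code from the post above. SAMPLE_GROUPS mimics trimmed
`aws ec2 describe-security-groups` output and is entirely constructed.
"""

EB_SG, RDS_SG, OTHER_EB_SG = "sg-0eb1eb1eb1eb1eb1e", "sg-0d0d0d0d0d0d0d0d0", "sg-0aaaaaaaaaaaaaaaa"

SAMPLE_GROUPS = [
    {"GroupId": EB_SG, "GroupName": "awseb-e-abc123def4-stack-AWSEBSecurityGroup-1A2B3C4D5E6F",
     "IpPermissions": []},
    {"GroupId": RDS_SG, "GroupName": "rds-mysql-prod",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": OTHER_EB_SG, "GroupName": "awseb-e-zzz999yyy8-stack-AWSEBSecurityGroup-9Z8Y7X6W5V4U",
     "IpPermissions": []},  # a second environment, to show why a fragment must be unique
]


def resolve_group(fragment, groups):
    """Return the single GroupId whose ID or name contains `fragment`."""
    matches = [g for g in groups if fragment in g["GroupId"] or fragment in g["GroupName"]]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} groups match {fragment!r}: "
                          f"{[g['GroupId'] for g in matches]}")
    return matches[0]["GroupId"]


def db_ingress_permission(source_sg, port):
    """One IpPermissions entry: TCP on the database port only, from a group, not a CIDR."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def has_rule(group, perm):
    """True if `group` already allows everything `perm` would (avoids the
    InvalidPermission.Duplicate error from EC2)."""
    wanted = {p["GroupId"] for p in perm["UserIdGroupPairs"]}
    for rule in group.get("IpPermissions", []):
        same_match = (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")) == (
            perm["IpProtocol"], perm["FromPort"], perm["ToPort"])
        if same_match and wanted <= {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}:
            return True
    return False


def authorize_eb_to_rds(eb_fragment, rds_fragment, port, groups):
    """Return the kwargs for boto3 `authorize_security_group_ingress`, or None
    when the RDS group already has the rule."""
    src = resolve_group(eb_fragment, groups)
    dst = resolve_group(rds_fragment, groups)
    perm = db_ingress_permission(src, port)
    rds = next(g for g in groups if g["GroupId"] == dst)
    if has_rule(rds, perm):
        return None
    return {"GroupId": dst, "IpPermissions": [perm]}


def apply_rule(groups, kwargs):
    """Pure helper: a copy of `groups` with the authorised rule added, which is
    what a later describe-security-groups call would return."""
    out = []
    for g in groups:
        copy = dict(g)
        if g["GroupId"] == kwargs["GroupId"]:
            copy["IpPermissions"] = list(g["IpPermissions"]) + kwargs["IpPermissions"]
        out.append(copy)
    return out


if __name__ == "__main__":
    change = authorize_eb_to_rds("awseb-e-abc123", "rds-mysql-prod", 3306, SAMPLE_GROUPS)
    print(change)  # pass as **change to boto3's ec2.authorize_security_group_ingress
```

Choosing the database port and a source group over "All Traffic" keeps the RDS group limited to the one path the application needs; if the EB environment is rebuilt and gets a new group, the rule is simply re-resolved and re-applied.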