Referencing the default security group is possible using:
{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }
Where "VPC" is your VPC resource name.
With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.
I think this is what you want:
"VPCDefaultSecurityGroupIngress": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
        "GroupId": { "Fn::GetAtt": ["VPC", "DefaultSecurityGroup"] },
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIp": "0.0.0.0/0"
    }
},
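The snippet above opens port 22 on the default security group to the whole Internet, which is rarely what you want on a group that every instance launched without an explicit group inherits. The template below is an added example (not code from the answer above): a complete stack that creates the VPC and attaches an SSH rule to its default security group, with the source restricted to an AdminCidr parameter instead of 0.0.0.0/0. The parameter name, the 10.0.0.0/16 block and the rule description are assumptions for illustration. Note that this only adds rules; the default group's built-in allow-all-from-self ingress and allow-all egress rules are created by EC2 and cannot be removed through CloudFormation.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: VPC whose default security group gets an SSH rule limited to an admin CIDR (AdminCidr, 10.0.0.0/16 and the description text are assumed values)",
  "Parameters": {
    "AdminCidr": {
      "Type": "String",
      "Description": "IPv4 CIDR allowed to reach port 22 on the default security group (assumed parameter)",
      "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$",
      "ConstraintDescription": "must be an IPv4 CIDR such as 203.0.113.0/24"
    }
  },
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": true,
        "EnableDnsHostnames": true
      }
    },
    "VPCDefaultSecurityGroupIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["VPC", "DefaultSecurityGroup"] },
        "Description": "SSH from the admin range only",
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "CidrIp": { "Ref": "AdminCidr" }
      }
    }
  },
  "Outputs": {
    "DefaultSecurityGroupId": {
      "Description": "ID of the VPC default security group, for use by other stacks",
      "Value": { "Fn::GetAtt": ["VPC", "DefaultSecurityGroup"] }
    }
  }
}
```

Deploy with a parameter value for AdminCidr, for example `aws cloudformation deploy --template-file template.json --stack-name default-sg-example --parameter-overrides AdminCidr=203.0.113.0/24`. The AllowedPattern rejects non-CIDR input at validation time, so a typo cannot silently widen the rule; a 0.0.0.0/0 value still matches the pattern, so review parameter values in the change set before executing it.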
As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.
I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups lying around.
Am I doing something wrong or is the AWS VPC ec2 instances not able to reach any of the AWS managed services (s3/sns/sqs) without a public route to the Internet Gateway in the routetable?
That's correct. If you need to use those services, your instances will need EIPs or public IPs or you'll need a NAT host in your VPC. A VPC is truly private, and it operates in the same manner a well-maintained corporate network does: only allowing traffic that you explicitly allow.
It's worth noting: managed services like RDS, Elasticache, Redshift, etc, can indeed run within your VPC.
Best Answer
Nah you can't, there's nothing to refer to anyway (e.g. logical ID). Just create your own main table ;-).
This is probably one of the reasons it can't be used: