If an instance has multiple security groups, it has the sum of all rules in the various groups.
For example, let's say I have a class of instances that will only ever talk to other instances in the same account. I also have a class of instances that will only accept traffic via http (port 80).
This is a perfect situation for AWS Virtual Private Cloud. Put the internal instances in private subnets, and the public-facing instances in public subnets.
Referencing the default security group is possible using:
{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }
Where "VPC" is your VPC resource name.
With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.
I think this is what you want:
"VPCDefaultSecurityGroupIngress": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
        "GroupId": { "Fn::GetAtt": ["VPC", "DefaultSecurityGroup"] },
        "IpProtocol": "tcp",
        "FromPort": "22",
        "ToPort": "22",
        "CidrIp": "0.0.0.0/0"
    }
},
As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.
I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups lying around.
Best Answer
It's usually easiest to pay for a static IP. You can use a static IP but it means changing it regularly.
Add your static or dynamic IP to a new security group. Assign that security group to all resources you want to log into. Security groups are additive.
Your question isn't really very clear on what you've done so I can't say what's wrong.
You have replied in comments
A security group is basically a firewall around a single ENI (elastic network interface). It's not a subnet, it's not a proxy, it's pretty simple. Also, AWS networking is not transitive, traffic doesn't hop around like you might want it to.
Your plan will not work unless you have a bastion host / server running in your "MyGroup" security group. If you want a separate security group with your home IP in it (which is what I do in my personal AWS account) you have to make sure every instance has that security group associated with it. Putting a rule in that allows ingress from / egress to that group does not achieve what you're trying to do.
Allowing security groups to reference other security groups is really useful for some things. I often use them as tiers like subnets used to be used in on-premises networks. I'd have a SG for the load balancer, the app server, and the DB server, all allowing appropriate ingress / egress from other SGs and the LB allowing ingress from the internet.
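The tiered layout and the "attach the admin group to every instance" point from the answer above, written out as a CloudFormation template. This is an added example, not code from any answer on this page; VpcId, AppSubnetId, HomeCidr, the group names, the ports and the AMI id are all assumptions or placeholders.

```yaml
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id           # assumption: an existing VPC
  AppSubnetId:
    Type: AWS::EC2::Subnet::Id        # assumption: a private subnet in that VPC
  HomeCidr:
    Type: String
    Default: 203.0.113.10/32          # constructed placeholder; use your own IP as a /32
Resources:
  # Admin group: must be ATTACHED to every instance you want to SSH into.
  # Merely referencing it from another group's rule grants nothing.
  AdminSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from home IP only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref HomeCidr}
  # Tier groups reference each other instead of CIDRs, so the rules follow
  # the instances whatever private IPs they end up with.
  LbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  AppSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier, reachable only from the load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: !Ref LbSG}
  DbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier, reachable only from the app tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 5432, ToPort: 5432, SourceSecurityGroupId: !Ref AppSG}
  # Rules are additive: this instance gets its tier rules plus admin SSH.
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0123456789abcdef0   # placeholder; pick a real AMI for your region
      InstanceType: t3.micro
      SubnetId: !Ref AppSubnetId
      SecurityGroupIds: [!Ref AppSG, !Ref AdminSG]
```

A DB instance would likewise carry `[!Ref DbSG, !Ref AdminSG]`; an instance with only DbSG attached is unreachable from home no matter what AdminSG's rules say.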