AWS CloudFormation: VPC default security group

Solution 1:

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups lying around.
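As an added, complete template (example code, not part of the answer above), the following shows the Fn::GetAtt approach from Solution 1 in YAML form. The VPC CidrBlock, the AdminCidr parameter and its 203.0.113.0/24 default are assumed placeholders. Compared with the fragment above, the SSH rule is scoped to a parameter rather than 0.0.0.0/0, the egress side uses AWS::EC2::SecurityGroupEgress against the same group, and the default security group ID is exported so instances in other stacks can reference it:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: a VPC whose default security group receives ingress and
  egress rules from the same stack, without creating a second group.

Parameters:
  AdminCidr:
    Type: String
    Description: CIDR allowed to reach SSH on the default security group (assumed value)
    Default: 203.0.113.0/24   # RFC 5737 documentation range, placeholder only
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16   # assumed address range
      EnableDnsSupport: true
      EnableDnsHostnames: true

  # Ingress rule attached to the VPC's default security group via Fn::GetAtt.
  # Restricting CidrIp to AdminCidr avoids exposing SSH to 0.0.0.0/0.
  VPCDefaultSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt VPC.DefaultSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: !Ref AdminCidr
      Description: SSH from the administrative CIDR only

  # Egress rule on the same default security group. The group's built-in
  # allow-all egress rule is not removed by this stack; this rule sits beside it.
  VPCDefaultSecurityGroupEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !GetAtt VPC.DefaultSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: 0.0.0.0/0
      Description: HTTPS to the internet (package repositories, AWS APIs)

Outputs:
  DefaultSecurityGroupId:
    Description: ID of the default security group, for instances defined elsewhere
    Value: !GetAtt VPC.DefaultSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-DefaultSecurityGroupId"
```

Deploy it with `aws cloudformation deploy --template-file <file> --stack-name <name>`. Two caveats worth keeping in mind: the default security group is created by EC2 together with the VPC, so its built-in rules (all traffic from members of the group itself, and all outbound traffic) stay in place alongside whatever this template adds, and the GetAtt reference only lets you add rules; properties such as Tags or GroupDescription on the default group remain outside CloudFormation's reach, as the answer above notes.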

Solution 2:

Well, as it turns out, AWS support replied and informed me that they recognize that this is a feature gap in CloudFormation, and it has been submitted to the development team as a feature request.

So until this feature is implemented, the workaround is to create your own "default" security group that replicates the same behavior as the "real" default SG. Unfortunately, due to the self-referential aspect of this setup, it is still not possible to do within one single stack deployment. The alternative is to deploy the stack once, without assigning the default security group to your instances. Then, once the stack is created (and you've had a chance to see what the Security Group ID for default is), you can add that SG ID to your instances.