Migrating Security Groups Across Regions or Accounts

A security group controls the traffic that is allowed to reach and leave the cloud instances (such as ECSs, containers, and databases) that it is associated with. As your business expands, for example, you need to deploy resources across regions or change accounts due to organizational structure adjustment, you may need to migrate security groups from one region to another or from one account to another. To migrate security groups efficiently, you are advised to import and export security groups or clone security groups. Table 1 describes the two migration methods.

**Table 1** Cross-region and cross-account security group migration
Method	Scenario	Description	Constraints	Reference
Importing and exporting security group rules	Account: Migrating under the same account or across accounts Region: Migrating within the same region or across regions	Export the rules of the original security group to an Excel file. Create a new security group. Import the rules in the Excel file to the new security group. Manually add rules that cannot be imported.	If you import rules to a security group from the same region and under the same account, you can import all rules. If there are rules that already exist in the security group, they will not be imported again. If you want to import rules of the security group in one region to another under the same account, rules with Source or Destination set to an IP address group or another security group cannot be imported. If you want to import rules of the security group in one account to another account, rules with Source or Destination set to an IP address group or another security group cannot be imported.	Creating a Security Group Importing and Exporting Security Group Rules Adding a Security Group Rule
Cloning a security group	Account: Migrating under the same account Region: Migrating within the same region or across regions	Select the original security group and clone it in the target region. Manually add rules that cannot be cloned.	If you want to clone a security group from the same region, you can clone all rules in the security group. If you want to clone a security group from a different region, the system will clone only rules with source or destination set to IP addresses or the current security group. Rules with source or destination set to an IP address group or another security group will not be cloned.	Cloning a Security Group Adding a Security Group Rule