Is it still ok to use AWS::RDS::DBSecurityGroup in CloudFormation templates?


I'm wondering if it's still ok to use AWS::RDS::DBSecurityGroup in cloudformation templates. I've seen conflicting answers when I search.

Some folks say that DBSecurityGroup should not be used while the AWS documentation references it liberally (

Other folks say that "VPCSecurityGroups" should be used instead.

I see that if I use DBSecurityGroup in us-east-1, things work but if I use it in us-east-2, CF errors out.

Is there anyone that can help clarify things for me?

Thanks so much!

1 Answer


"AWS::RDS::DBSecurityGroup" is a resource created exclusively for EC2-Classic.
EC2-Classic is already obsolete, so if you want to create it in a new VPC, etc., you need to create it using "VPCSecurityGroups".

If you set DBSecurityGroups, you must not set VPCSecurityGroups, and vice versa. Also, note that the DBSecurityGroups property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups.

profile picture
answered 5 months ago
profile pictureAWS
reviewed 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions