Sorry for hijacking the question, however I think Daniel's question is missing a few bits:

My understanding is, when you create a SG in AWS using CloudFormation you won't have control over the GroupName, it will be something like "stackname-logicalid-xxxxxxxxxxxx-elasticbamboo-xxxxxxxxxxxx".

How does Bamboo identify the right SG to attach?

• Does it look for a GroupName of "elasticbamboo" exactly?
• Does it store the id of the SG it creates?

Is there a way to tell Bamboo to use a different SG from the one it creates?

Is there a way to tell Bamboo to use a more than one SG?

It has to be called elasticbamboo. There's one more group used by Bamboo - ControlledByBamboo, you can't tell it to use more groups.

Thanks Przemek, however the solution still isn't clear for me.

So it uses the GroupName exactly, and does not care about the id of the group?

And there's no way to tell Bamboo to use a different group, or a collection of groups?

You say there's a group called ControlledByBamboo however I can't find documentation about it https://confluence.atlassian.com/dosearchsite.action?where=BAMBOO&spaceSearch=true&queryString=ControlledByBamboo

At this stage I'm thinking of modifying the Security Groups attached to the elastic image on boot is probably the best option, would you agree?

I'm thinking something like:
aws ec2 modify-instance-attribute --instance-id i-123 --groups sg-456 sg-789

Yes, it uses the group name. No, there's no way to use a different group.

ControlledByBamboo is not really meant to be used, so it's not documented.

If instance attr modification works, it sounds like a plan. Bamboo doesn't care about the instance security groups after the launch request is placed.