CloudFormation Scripting - Creating an instance from AMI

Im curious if anyone has experience with CloudFormation. Im trying to create a script that takes an encrypted private AMI and creates an instance from it. This script has to assign security group, save the script to a specific location in the s3 and add IAM role.

I have been using the LAMP_Single_Instance as a basis but i cant get my head around it. Im curious if someone can help.

Where and how to i assign a security group in the script and how to i set the default save location for the template in the s3.

  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation AITS Script, thats creates ec2 instances",
  "Parameters": {
    "KeyName": {
      "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName",
      "ConstraintDescription": "EC2 KeyPair."
    "DBName": {
      "Default": "MyDatabase",
      "Description": "MySQL database name",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "64",
      "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
      "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
    "DBUser": {
      "NoEcho": "true",
      "Description": "Username for MySQL database access",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "16",
      "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
      "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
    "DBPassword": {
      "NoEcho": "true",
      "Description": "Password for MySQL database access",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "41",
      "AllowedPattern": "[a-zA-Z0-9]*",
      "ConstraintDescription": "must contain only alphanumeric characters."
    "DBRootPassword": {
      "NoEcho": "true",
      "Description": "Root password for MySQL",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "41",
      "AllowedPattern": "[a-zA-Z0-9]*",
      "ConstraintDescription": "must contain only alphanumeric characters."
    "InstanceType": {
      "Description": "WebServer EC2 instance type",
      "Type": "String",
      "Default": "t2.large",
      "AllowedValues": [
      "ConstraintDescription": "must be a valid EC2 instance type."
    "SSHLocation": {
      "Description": " The IP address range that can be used to SSH to the EC2 instances",
      "Type": "String",
      "MinLength": "9",
      "MaxLength": "18",
      "Default": "",
      "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
      "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
  "Mappings": {
    "AWSInstanceType2Arch": {
      "t2.large": {
        "Arch": "HVM64"
    "AWSInstanceType2NATArch": {
      "t2.large": {
        "Arch": "NATHVM64"
    "AWSRegionArch2AMI": {
      "eu-west-1a": {
        "PV64": "NOT_SUPPORTED",
        "HVM64": "ami-0aae836c",
        "HVMG2": "NOT_SUPPORTED"
  "Resources": {
    "WebServerInstance": {
      "Type": "AWS::EC2::Instance",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "configSets": {
            "InstallAndRun": [
          "Install": {
            "packages": {
              "yum": {
                "mysql": [],
                "mysql-server": [],
                "mysql-libs": [],
                "httpd": [],
                "php": [],
                "php-mysql": []
            "files": {
              "/var/www/html/index.php": {
                "content": {
                  "Fn::Join": [
                      "  <head>\n",
                      "    <title>AITS CloudFormation</title>\n",
                      "    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\">\n",
                      "  </head>\n",
                      "  <body>\n",
                      "    <h1>Welcome to the AITS Cloud Formation</h1>\n",
                      "    <p/>\n",
                      "    <?php\n",
                      "      // Print out the current data and time\n",
                      "      print \"The Current Date and Time is: <br/>\";\n",
                      "      print date(\"g:i A l, F j Y.\");\n",
                      "    ?>\n",
                      "    <p/>\n",
                      "    <?php\n",
                      "      // Setup a handle for CURL\n",
                      "      $curl_handle=curl_init();\n",
                      "      curl_setopt($curl_handle,CURLOPT_CONNECTTIMEOUT,2);\n",
                      "      curl_setopt($curl_handle,CURLOPT_RETURNTRANSFER,1);\n",
                      "      // Get the hostname of the intance from the instance metadata\n",
                      "      curl_setopt($curl_handle,CURLOPT_URL,'');\n",
                      "      $hostname = curl_exec($curl_handle);\n",
                      "      if (empty($hostname))\n",
                      "      {\n",
                      "        print \"Sorry, for some reason, we got no hostname back <br />\";\n",
                      "      }\n",
                      "      else\n",
                      "      {\n",
                      "        print \"Server = \" . $hostname . \"<br />\";\n",
                      "      }\n",
                      "      // Get the instance-id of the intance from the instance metadata\n",
                      "      curl_setopt($curl_handle,CURLOPT_URL,'');\n",
                      "      $instanceid = curl_exec($curl_handle);\n",
                      "      if (empty($instanceid))\n",
                      "      {\n",
                      "        print \"Sorry, for some reason, we got no instance id back <br />\";\n",
                      "      }\n",
                      "      else\n",
                      "      {\n",
                      "        print \"EC2 instance-id = \" . $instanceid . \"<br />\";\n",
                      "      }\n",
                      "      $Database   = \"localhost\";\n",
                      "      $DBUser     = \"",
                        "Ref": "DBUser"
                      "      $DBPassword = \"",
                        "Ref": "DBPassword"
                      "      print \"Database = \" . $Database . \"<br />\";\n",
                      "      $dbconnection = mysql_connect($Database, $DBUser, $DBPassword)\n",
                      "                      or die(\"Could not connect: \" . mysql_error());\n",
                      "      print (\"Connected to $Database successfully\");\n",
                      "      mysql_close($dbconnection);\n",
                      "    ?>\n",
                      "    <h2>PHP Information</h2>\n",
                      "    <p/>\n",
                      "    <?php\n",
                      "      phpinfo();\n",
                      "    ?>\n",
                      "  </body>\n",
                "mode": "000600",
                "owner": "apache",
                "group": "apache"
              "/tmp/setup.mysql": {
                "content": {
                  "Fn::Join": [
                      "CREATE DATABASE ",
                        "Ref": "DBName"
                      "GRANT ALL ON ",
                        "Ref": "DBName"
                      ".* TO '",
                        "Ref": "DBUser"
                      "'@localhost IDENTIFIED BY '",
                        "Ref": "DBPassword"
                "mode": "000400",
                "owner": "root",
                "group": "root"
              "/etc/cfn/cfn-hup.conf": {
                "content": {
                  "Fn::Join": [
                        "Ref": "AWS::StackId"
                        "Ref": "AWS::Region"
                "mode": "000400",
                "owner": "root",
                "group": "root"
              "/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
                "content": {
                  "Fn::Join": [
                      "action=/opt/aws/bin/cfn-init -v ",
                      "         --stack ",
                        "Ref": "AWS::StackName"
                      "         --resource WebServerInstance ",
                      "         --configsets InstallAndRun ",
                      "         --region ",
                        "Ref": "AWS::Region"
            "services": {
              "sysvinit": {
                "mysqld": {
                  "enabled": "true",
                  "ensureRunning": "true"
                "httpd": {
                  "enabled": "true",
                  "ensureRunning": "true"
                "cfn-hup": {
                  "enabled": "true",
                  "ensureRunning": "true",
                  "files": [
          "Configure": {
            "commands": {
              "01_set_mysql_root_password": {
                "command": {
                  "Fn::Join": [
                      "mysqladmin -u root password '",
                        "Ref": "DBRootPassword"
                "test": {
                  "Fn::Join": [
                      "$(mysql ",
                        "Ref": "DBName"
                      " -u root --password='",
                        "Ref": "DBRootPassword"
                      "' >/dev/null 2>&1 </dev/null); (( $? != 0 ))"
              "02_create_database": {
                "command": {
                  "Fn::Join": [
                      "mysql -u root --password='",
                        "Ref": "DBRootPassword"
                      "' < /tmp/setup.mysql"
                "test": {
                  "Fn::Join": [
                      "$(mysql ",
                        "Ref": "DBName"
                      " -u root --password='",
                        "Ref": "DBRootPassword"
                      "' >/dev/null 2>&1 </dev/null); (( $? != 0 ))"
        "AWS::CloudFormation::Designer": {
          "id": "882df2be-e2b7-4778-8f2f-f7fad73e484a"
      "Properties": {
        "ImageId": {
          "Fn::FindInMap": [
              "Ref": "AWS::Region"
              "Fn::FindInMap": [
                  "Ref": "InstanceType"
        "InstanceType": {
          "Ref": "InstanceType"
        "SecurityGroups": [
            "Ref": "WebServerSecurityGroup"
        "KeyName": {
          "Ref": "KeyName"
        "UserData": {
          "Fn::Base64": {
            "Fn::Join": [
                "#!/bin/bash -xe\n",
                "yum update -y aws-cfn-bootstrap\n",
                "# Install the files and packages from the metadata\n",
                "/opt/aws/bin/cfn-init -v ",
                "         --stack ",
                  "Ref": "AWS::StackName"
                "         --resource WebServerInstance ",
                "         --configsets InstallAndRun ",
                "         --region ",
                  "Ref": "AWS::Region"
                "# Signal the status from cfn-init\n",
                "/opt/aws/bin/cfn-signal -e $? ",
                "         --stack ",
                  "Ref": "AWS::StackName"
                "         --resource WebServerInstance ",
                "         --region ",
                  "Ref": "AWS::Region"
      "CreationPolicy": {
        "ResourceSignal": {
          "Timeout": "PT5M"
    "WebServerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable HTTP access via port 80",
        "SecurityGroupIngress": [
            "IpProtocol": "tcp",
            "FromPort": "80",
            "ToPort": "80",
            "CidrIp": ""
            "IpProtocol": "tcp",
            "FromPort": "22",
            "ToPort": "22",
            "CidrIp": {
              "Ref": "SSHLocation"
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "88a4f6dd-8489-4f6e-a3a7-ce92b350e672"
  "Outputs": {
    "WebsiteURL": {
      "Description": "URL for newly created LAMP stack",
      "Value": {
        "Fn::Join": [
              "Fn::GetAtt": [
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "88a4f6dd-8489-4f6e-a3a7-ce92b350e672": {
        "size": {
          "width": 60,
          "height": 60
        "position": {
          "x": 60,
          "y": 90
        "z": 1,
        "embeds": []
      "882df2be-e2b7-4778-8f2f-f7fad73e484a": {
        "size": {
          "width": 60,
          "height": 60
        "position": {
          "x": 180,
          "y": 90
        "z": 1,
        "embeds": [],
        "ismemberof": [


  • From your question, I believe you are looking to simply create an instance based on an AMI and ensure that instance has a security group attached to it, which you also define.

    You need to create a new template with the following components





    By linking these up using the Ref command you will be able to achieve what you require.

    I hope that helps.

    Good luck!