AWS CloudFormation
User Guide (API Version 2010-05-15)

EC2 Security Group Rule Property Type

The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.

Syntax SecurityGroupIngress

JSON

{
  "CidrIp" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "SourceSecurityGroupId" : String,
  "SourceSecurityGroupName" : String,
  "SourceSecurityGroupOwnerId" : String,
  "ToPort" : Integer
}

YAML

CidrIp: String
FromPort: Integer
IpProtocol: String
SourceSecurityGroupId: String
SourceSecurityGroupName: String
SourceSecurityGroupOwnerId: String
ToPort: Integer

Syntax SecurityGroupEgress

JSON

{
  "CidrIp" : String,
  "DestinationPrefixListId (SecurityGroupEgress only)" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "DestinationSecurityGroupId" : String,
  "ToPort" : Integer
}

Properties

CidrIp

Specifies a CIDR range.

Required: Conditional. A rule must name exactly one peer. For an ingress rule that is CidrIp, SourceSecurityGroupId, or SourceSecurityGroupName; for an egress rule it is CidrIp, DestinationPrefixListId, or DestinationSecurityGroupId. Specifying two of these in one rule, or none, is an error.

Type: String

DestinationPrefixListId (SecurityGroupEgress only)

The AWS service prefix of an Amazon VPC endpoint. For more information, see VPC Endpoints in the Amazon VPC User Guide.

Required: Conditional. You must specify only one of the following properties: CidrIp, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

DestinationSecurityGroupId (SecurityGroupEgress only)

Specifies the GroupId of the destination Amazon VPC security group.

Required: Conditional. You must specify only one of the following properties: CidrIp, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

FromPort

The start of the port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (i.e., any ICMP type number).

Required: No

Type: Integer

IpProtocol

An IP protocol name or number. For valid values, see the IpProtocol parameter of AuthorizeSecurityGroupIngress in the Amazon EC2 API Reference. A value of -1 matches every protocol, in which case FromPort and ToPort are ignored and every port is included in the rule.

Required: Yes

Type: String

SourceSecurityGroupId (SecurityGroupIngress only)

For VPC security groups only. Specifies the ID of the Amazon EC2 Security Group to allow access. You can use the Ref intrinsic function to refer to the logical ID of a security group defined in the same template.

Required: Conditional. You must specify only one of the following properties: CidrIp, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

SourceSecurityGroupName (SecurityGroupIngress only)

For non-VPC security groups only. Specifies the name of the Amazon EC2 Security Group to use for access. You can use the Ref intrinsic function to refer to the logical name of a security group that is defined in the same template.

Required: Conditional. If you specify CidrIp, do not specify SourceSecurityGroupName.

Type: String

SourceSecurityGroupOwnerId (SecurityGroupIngress only)

Specifies the AWS Account ID of the owner of the Amazon EC2 Security Group that is specified in the SourceSecurityGroupName property.

Required: Conditional. If you specify SourceSecurityGroupName and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.

Type: String

ToPort

The end of the port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates a wildcard (i.e., any ICMP code).

Required: No

Type: Integer

Examples

Security Group with CidrIp

This rule admits SSH (TCP port 22) from every IPv4 address, because 0.0.0.0/0 covers the whole address space. In practice, narrow CidrIp to the administrative address range that should reach the instance, or reference a bastion host's security group with SourceSecurityGroupId instead of a CIDR.

JSON

"InstanceSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Enable SSH access via port 22",
      "SecurityGroupIngress" : [ {
         "IpProtocol" : "tcp",
         "FromPort" : "22",
         "ToPort" : "22",
         "CidrIp" : "0.0.0.0/0"
      } ]
   }
}

YAML

InstanceSecurityGroup: 
  Type: "AWS::EC2::SecurityGroup"
  Properties: 
    GroupDescription: "Enable SSH access via port 22"
    SecurityGroupIngress: 
      - 
        IpProtocol: "tcp"
        FromPort: "22"
        ToPort: "22"
        CidrIp: "0.0.0.0/0"

Security Group with Security Group Id

JSON

"InstanceSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Enable HTTP access on the configured port",
      "VpcId" : { "Ref" : "VpcId" },
      "SecurityGroupIngress" : [ {
         "IpProtocol" : "tcp",
         "FromPort" : { "Ref" : "WebServerPort" },
         "ToPort" : { "Ref" : "WebServerPort" },
         "SourceSecurityGroupId" : { "Ref" : "LoadBalancerSecurityGroup" }
      } ]
   }
}

YAML

InstanceSecurityGroup: 
  Type: "AWS::EC2::SecurityGroup"
  Properties: 
    GroupDescription: "Enable HTTP access on the configured port"
    VpcId: 
      Ref: "VpcId"
    SecurityGroupIngress: 
      - 
        IpProtocol: "tcp"
        FromPort: 
          Ref: "WebServerPort"
        ToPort: 
          Ref: "WebServerPort"
        SourceSecurityGroupId: 
          Ref: "LoadBalancerSecurityGroup"

Security Group with Multiple Ingress Rules

This snippet grants SSH access with CidrIp, and HTTP access with SourceSecurityGroupName. Fn::GetAtt is used to derive the values for SourceSecurityGroupName and SourceSecurityGroupOwnerId from the elastic load balancer.

JSON

"ElasticLoadBalancer" : {
   "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
   "Properties" : {
      "AvailabilityZones" : { "Fn::GetAZs" : "" },
      "Listeners" : [ {
         "LoadBalancerPort" : "80",
         "InstancePort" : { "Ref" : "WebServerPort" },
         "Protocol" : "HTTP"
      } ],
      "HealthCheck" : {
         "Target" : { "Fn::Join" : [ "", ["HTTP:", { "Ref" : "WebServerPort" }, "/"]]},
         "HealthyThreshold" : "3",
         "UnhealthyThreshold" : "5",
         "Interval" : "30",
         "Timeout" : "5"
      }
   }
},

"InstanceSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Enable SSH access and HTTP from the load balancer only",
      "SecurityGroupIngress" : [ {
         "IpProtocol" : "tcp",
         "FromPort" : "22",
         "ToPort" : "22",
         "CidrIp" : "0.0.0.0/0"
      }, {
         "IpProtocol" : "tcp",
         "FromPort" : { "Ref" : "WebServerPort" },
         "ToPort" : { "Ref" : "WebServerPort" },
         "SourceSecurityGroupOwnerId" : {"Fn::GetAtt" : ["ElasticLoadBalancer", "SourceSecurityGroup.OwnerAlias"]},
         "SourceSecurityGroupName" : {"Fn::GetAtt" : ["ElasticLoadBalancer", "SourceSecurityGroup.GroupName"]}
      } ]
   }
}

YAML

ElasticLoadBalancer: 
  Type: "AWS::ElasticLoadBalancing::LoadBalancer"
  Properties: 
    AvailabilityZones: 
      Fn::GetAZs: ""
    Listeners: 
      - 
        LoadBalancerPort: "80"
        InstancePort: 
          Ref: "WebServerPort"
        Protocol: "HTTP"
    HealthCheck: 
      Target: 
        Fn::Join: 
          - ""
          - 
            - "HTTP:"
            - 
              Ref: "WebServerPort"
            - "/"
      HealthyThreshold: "3"
      UnhealthyThreshold: "5"
      Interval: "30"
      Timeout: "5"
InstanceSecurityGroup: 
  Type: "AWS::EC2::SecurityGroup"
  Properties: 
    GroupDescription: "Enable SSH access and HTTP from the load balancer only"
    SecurityGroupIngress: 
      - 
        IpProtocol: "tcp"
        FromPort: "22"
        ToPort: "22"
        CidrIp: "0.0.0.0/0"
      - 
        IpProtocol: "tcp"
        FromPort: 
          Ref: "WebServerPort"
        ToPort: 
          Ref: "WebServerPort"
        SourceSecurityGroupOwnerId: 
          Fn::GetAtt: 
            - "ElasticLoadBalancer"
            - "SourceSecurityGroup.OwnerAlias"
        SourceSecurityGroupName: 
          Fn::GetAtt: 
            - "ElasticLoadBalancer"
            - "SourceSecurityGroup.GroupName"
