AWS CloudFormation
User Guide (API Version 2010-05-15)
Did this page help you?  Yes | No |  Tell us about it...
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.

AWS::EC2::SecurityGroup

Creates an Amazon EC2 security group. To create a VPC security group, use the VpcId property.

This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Important

If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.

Syntax

{
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
     "GroupDescription" : String,
     "SecurityGroupEgress" : [ Security Group Rule, ... ],
     "SecurityGroupIngress" : [ Security Group Rule, ... ],
     "Tags" :  [ Resource Tag, ... ],
     "VpcId" : String
  }
}

Properties

GroupDescription

Description of the security group.

Required: Yes

Type: String

Update requires: Replacement

SecurityGroupEgress

A list of Amazon EC2 security group egress rules.

Required: No

Type: EC2 Security Group Rule

Update requires: No interruption

SecurityGroupIngress

A list of Amazon EC2 security group ingress rules.

Required: No

Type: EC2 Security Group Rule

Update requires: No interruption

Tags

The tags that you want to attach to the resource.

Required: No

Type: AWS CloudFormation Resource Tags.

Update requires: No interruption.

VpcId

The physical ID of the VPC. Can be obtained by using a reference to an AWS::EC2::VPC, such as: { "Ref" : "myVPC" }.

For more information about using the Ref function, see Ref.

Required: Yes, for VPC security groups

Type: String

Update requires: Replacement

Note

For more information about VPC security groups, go to Security Groups in the Amazon VPC User Guide.

Return Values

Ref

When you specify an AWS::EC2::SecurityGroup type as an argument to the Ref function, AWS CloudFormation returns the security group name (for EC2-classic) or the security group ID (for EC2-VPC).

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. This section lists the available attributes and corresponding return values.

GroupId

The group ID of the specified security group, such as sg-94b3a1f6.

For more information about using Fn:GetAtt, see Fn::GetAtt.

Examples

The following sample defines a security group with an ingress and egress rule:

"InstanceSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Allow http to client host",
      "VpcId" : {"Ref" : "myVPC"},
      "SecurityGroupIngress" : [{
            "IpProtocol" : "tcp",
            "FromPort" : "80",
            "ToPort" : "80",
            "CidrIp" : "0.0.0.0/0"
         }],
      "SecurityGroupEgress" : [{
         "IpProtocol" : "tcp",
         "FromPort" : "80",
         "ToPort" : "80",
         "CidrIp" : "0.0.0.0/0"
      }]
   }
}     

When you create a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules. If you want to remove the default rule and limit egress traffic to just the localhost (127.0.0.1/32), you can use the following sample:

"sgwithoutegress": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Limits security group egress traffic",
    "SecurityGroupEgress": [
      {
        "CidrIp": "127.0.0.1/32",
        "IpProtocol": "-1"
      }
    ],
    "VpcId": { "Ref": "myVPC"}
  }
}

See Also