AWS CloudFormation
User Guide (Version )

AWS::EC2::SecurityGroup Ingress

Specifies an inbound rule for a security group. An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group.

You must specify only one of the following properties: CidrIp, CidrIpv6, SourcePrefixListId, SourceSecurityGroupId, or SourceSecurityGroupName.

The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "Description" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "SourcePrefixListId" : String,
  "SourceSecurityGroupId" : String,
  "SourceSecurityGroupName" : String,
  "SourceSecurityGroupOwnerId" : String,
  "ToPort" : Integer
}

YAML

CidrIp: String
CidrIpv6: String
Description: String
FromPort: Integer
IpProtocol: String
SourcePrefixListId: String
SourceSecurityGroupId: String
SourceSecurityGroupName: String
SourceSecurityGroupOwnerId: String
ToPort: Integer

Properties

CidrIp

The IPv4 address range, in CIDR format.

Required: No

Type: String

Update requires: No interruption

CidrIpv6

The IPv6 address range, in CIDR format.

Required: No

Type: String

Update requires: No interruption

Description

A description for the security group rule.

Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

Required: No

Type: String

Update requires: No interruption

FromPort

The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: No interruption

IpProtocol

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

[VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

Required: Yes

Type: String

Update requires: No interruption

SourcePrefixListId

[EC2-VPC only] The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.

Required: No

Type: String

Update requires: No interruption

SourceSecurityGroupId

The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.

Required: No

Type: String

Update requires: No interruption

SourceSecurityGroupName

[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For EC2-VPC, the source security group must be in the same VPC.

Required: No

Type: String

Update requires: No interruption

SourceSecurityGroupOwnerId

[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access.

If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.

Required: Conditional

Type: String

Update requires: No interruption

ToPort

The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: No interruption
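The constraints listed above (exactly one source property; a required IpProtocol; a mandatory port range for tcp, udp and icmp; -1 or a numeric protocol ignoring any port range; the Description character set) are easy to get wrong in a template and some of them only surface as a stack failure or, worse, as a broader rule than intended. The following added example, which is not part of the AWS documentation, shows a small pre-deploy check written in Python that walks the SecurityGroupIngress list of every AWS::EC2::SecurityGroup in a template and reports each rule that violates one of the stated constraints. The template, the resource name WebSg, and all IDs and CIDR ranges in it are constructed sample values, not real resources.

```python
import json
import re

# Constructed sample template (not from the AWS docs). Rules 1-4 are deliberately
# mis-specified so that the checks below have something to report.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "VpcId": "vpc-00000000000000000",
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "CidrIp": "203.0.113.0/24", "Description": "HTTPS from office range" },
          { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "SourceSecurityGroupId": "sg-00000000000000000", "CidrIp": "10.0.0.0/8" },
          { "IpProtocol": "-1", "FromPort": 80, "ToPort": 80, "CidrIp": "10.0.0.0/8" },
          { "IpProtocol": "udp", "CidrIpv6": "2001:db8::/32" },
          { "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
            "CidrIp": "10.0.0.0/8", "Description": "bad <description>" }
        ]
      }
    }
  }
}
""")

# The five mutually exclusive source properties named in the documentation.
SOURCE_PROPS = ("CidrIp", "CidrIpv6", "SourcePrefixListId",
                "SourceSecurityGroupId", "SourceSecurityGroupName")
# Protocols for which FromPort/ToPort are honoured (icmpv6 makes them optional).
PORT_PROTOCOLS = ("tcp", "udp", "icmp", "icmpv6")
# Description: up to 255 characters from the documented allowed set.
DESCRIPTION_RE = re.compile(r"[a-zA-Z0-9 ._\-:/()#,@\[\]+=;{}!$*]{0,255}")


def check_ingress_rule(rule: dict) -> list[str]:
    """Return a list of human-readable findings for one ingress rule (empty = OK)."""
    findings = []

    sources = [p for p in SOURCE_PROPS if p in rule]
    if len(sources) != 1:
        findings.append(f"exactly one source property is required, got {sources or 'none'}")

    proto = str(rule.get("IpProtocol", ""))
    if not proto:
        findings.append("IpProtocol is required")

    has_ports = "FromPort" in rule or "ToPort" in rule
    if proto in ("tcp", "udp", "icmp") and not ("FromPort" in rule and "ToPort" in rule):
        findings.append(f"{proto} rules must specify both FromPort and ToPort")
    if proto and proto not in PORT_PROTOCOLS and has_ports:
        # -1 or a protocol number opens all ports; the stated range is silently ignored.
        findings.append(f"IpProtocol {proto} allows all ports; FromPort/ToPort are ignored")

    desc = rule.get("Description")
    if desc is not None and not DESCRIPTION_RE.fullmatch(desc):
        findings.append("Description exceeds 255 characters or contains a disallowed character")

    if "SourceSecurityGroupOwnerId" in rule and not (
            "SourceSecurityGroupId" in rule or "SourceSecurityGroupName" in rule):
        findings.append("SourceSecurityGroupOwnerId requires SourceSecurityGroupId or SourceSecurityGroupName")

    return findings


def check_template(template: dict) -> dict:
    """Map each security group's logical ID to {rule index: findings} for rules with issues."""
    report = {}
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        rules = resource.get("Properties", {}).get("SecurityGroupIngress", [])
        bad = {i: f for i, f in ((i, check_ingress_rule(r)) for i, r in enumerate(rules)) if f}
        if bad:
            report[name] = bad
    return report


if __name__ == "__main__":
    for sg, issues in check_template(SAMPLE_TEMPLATE).items():
        for idx, msgs in issues.items():
            for msg in msgs:
                print(f"{sg} SecurityGroupIngress[{idx}]: {msg}")
```

Running the script against the constructed template prints one finding for each of rules 1 through 4 and nothing for rule 0; the same `check_template` call can be pointed at a template loaded from disk with `json.load`.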
