EC2 Security Group Rule Property Type
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.
Syntax SecurityGroupIngress
JSON
{ "CidrIp" :String, "CidrIpv6" :String, "Description" :String, "FromPort" :Integer, "IpProtocol" :String, "SourceSecurityGroupId" :String, "SourceSecurityGroupName" :String, "SourceSecurityGroupOwnerId" :String, "ToPort" :Integer}
YAML
CidrIp:StringCidrIpv6:StringDescription:StringFromPort:IntegerIpProtocol:StringSourceSecurityGroupId:StringSourceSecurityGroupName:StringSourceSecurityGroupOwnerId:StringToPort:Integer
Syntax SecurityGroupEgress
JSON
{ "CidrIp" :String, "CidrIpv6" :String, "Description" :String, "DestinationPrefixListId" :String, "DestinationSecurityGroupId" :String, "FromPort" :Integer, "IpProtocol" :String, "ToPort" :Integer}
YAML
CidrIp:StringCidrIpv6:StringDescription:StringDestinationPrefixListId:StringDestinationSecurityGroupId:StringFromPort:IntegerIpProtocol:StringToPort:Integer
Properties
CidrIp-
Specifies an IPv4 CIDR range.
Required: Conditional. You must specify only one of the following properties:
CidrIp,CidrIpv6,DestinationPrefixListId,DestinationSecurityGroupId, orSourceSecurityGroupId.Type: String
CidrIpv6-
Specifies an IPv6 CIDR range.
Required: Conditional. You must specify only one of the following properties:
CidrIp,CidrIpv6,DestinationPrefixListId,DestinationSecurityGroupId, orSourceSecurityGroupId.Type: String
Description-
Description of the security group rule.
Type: String
DestinationPrefixListId(SecurityGroupEgress only)-
The AWS service prefix of an Amazon VPC endpoint. For more information, see VPC Endpoints in the Amazon VPC User Guide.
Required: Conditional. You must specify only one of the following properties:
CidrIp,CidrIpv6,DestinationPrefixListId,DestinationSecurityGroupId, orSourceSecurityGroupId.Type: String
DestinationSecurityGroupId(SecurityGroupEgress only)-
Specifies the GroupId of the destination Amazon VPC security group.
Required: Conditional. You must specify only one of the following properties:
CidrIp,CidrIpv6,DestinationPrefixListId,DestinationSecurityGroupId, orSourceSecurityGroupId.Type: String
FromPort-
The start of port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (i.e., any ICMP type number).
Required: No
Type: Integer
IpProtocol-
An IP protocol name or number. For valid values, go to the IpProtocol parameter in AuthorizeSecurityGroupIngress
Required: Yes
Type: String
SourceSecurityGroupId(SecurityGroupIngress only)-
For VPC security groups only. Specifies the ID of the Amazon EC2 Security Group to allow access. You can use the
Refintrinsic function to refer to the logical ID of a security group defined in the same template.Required: Conditional. You must specify only one of the following properties:
CidrIp,CidrIpv6,DestinationPrefixListId,DestinationSecurityGroupId, orSourceSecurityGroupId.Type: String
SourceSecurityGroupName(SecurityGroupIngress only)-
For non-VPC security groups only. Specifies the name of the Amazon EC2 Security Group to use for access. You can use the
Refintrinsic function to refer to the logical name of a security group that is defined in the same template.Required: Conditional. If you specify
CidrIp, do not specifySourceSecurityGroupName.Type: String
SourceSecurityGroupOwnerId(SecurityGroupIngress only)-
Specifies the AWS Account ID of the owner of the Amazon EC2 Security Group that is specified in the
SourceSecurityGroupNameproperty.Required: Conditional. If you specify
SourceSecurityGroupNameand that security group is owned by a different account than the account creating the stack, you must specify theSourceSecurityGroupOwnerId; otherwise, this property is optional.Type: String
ToPort-
The end of port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates a wildcard (i.e., any ICMP code).
Required: No
Type: Integer
Examples
Security Group with CidrIp
JSON
"InstanceSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Enable SSH access via port 22", "SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0" } ] } }
YAML
InstanceSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: "Enable SSH access via port 22" SecurityGroupIngress: - IpProtocol: "tcp" FromPort: "22" ToPort: "22" CidrIp: "0.0.0.0/0"
Security Group with Security Group Id
JSON
"InstanceSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Enable HTTP access on the configured port", "VpcId" : { "Ref" : "VpcId" }, "SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : { "Ref" : "WebServerPort" }, "ToPort" : { "Ref" : "WebServerPort" }, "SourceSecurityGroupId" : { "Ref" : "LoadBalancerSecurityGroup" } } ] } }
YAML
InstanceSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: "Enable HTTP access on the configured port" VpcId: Ref: "VpcId" SecurityGroupIngress: - IpProtocol: "tcp" FromPort: Ref: "WebServerPort" ToPort: Ref: "WebServerPort" SourceSecurityGroupId: Ref: "LoadBalancerSecurityGroup"
Security Group with Multiple Ingress Rules
This snippet grants SSH access with CidrIp, and HTTP access with
SourceSecurityGroupName. Fn::GetAtt is used
to derive the values for SourceSecurityGroupName and
SourceSecurityGroupOwnerId from the elastic load
balancer.
JSON
"ElasticLoadBalancer" : { "Type" : "AWS::ElasticLoadBalancing::LoadBalancer", "Properties" : { "AvailabilityZones" : { "Fn::GetAZs" : "" }, "Listeners" : [ { "LoadBalancerPort" : "80", "InstancePort" : { "Ref" : "WebServerPort" }, "Protocol" : "HTTP" } ], "HealthCheck" : { "Target" : { "Fn::Join" : [ "", ["HTTP:", { "Ref" : "WebServerPort" }, "/"]]}, "HealthyThreshold" : "3", "UnhealthyThreshold" : "5", "Interval" : "30", "Timeout" : "5" } } }, "InstanceSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Enable SSH access and HTTP from the load balancer only", "SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0" }, { "IpProtocol" : "tcp", "FromPort" : { "Ref" : "WebServerPort" }, "ToPort" : { "Ref" : "WebServerPort" }, "SourceSecurityGroupOwnerId" : {"Fn::GetAtt" : ["ElasticLoadBalancer", "SourceSecurityGroup.OwnerAlias"]}, "SourceSecurityGroupName" : {"Fn::GetAtt" : ["ElasticLoadBalancer", "SourceSecurityGroup.GroupName"]} } ] } }
YAML
ElasticLoadBalancer: Type: "AWS::ElasticLoadBalancing::LoadBalancer" Properties: AvailabilityZones: Fn::GetAZs: "" Listeners: - LoadBalancerPort: "80" InstancePort: Ref: "WebServerPort" Protocol: "HTTP" HealthCheck: Target: Fn::Join: - "" - - "HTTP:" - Ref: "WebServerPort" - "/" HealthyThreshold: "3" UnhealthyThreshold: "5" Interval: "30" Timeout: "5" InstanceSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: "Enable SSH access and HTTP from the load balancer only" SecurityGroupIngress: - IpProtocol: "tcp" FromPort: "22" ToPort: "22" CidrIp: "0.0.0.0/0" - IpProtocol: "tcp" FromPort: Ref: "WebServerPort" ToPort: Ref: "WebServerPort" SourceSecurityGroupOwnerId: Fn::GetAtt: - "ElasticLoadBalancer" - "SourceSecurityGroup.OwnerAlias" SourceSecurityGroupName: Fn::GetAtt: - "ElasticLoadBalancer" - "SourceSecurityGroup.GroupName"
See Also
-
Amazon EC2 Security Groups in the Amazon EC2 User Guide
