AWS::EC2::SecurityGroup
Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which to create the security group.
This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.
If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which CloudFormation doesn't allow.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
      "GroupDescription" : String,
      "GroupName" : String,
      "SecurityGroupEgress" : [ Egress, ... ],
      "SecurityGroupIngress" : [ Ingress, ... ],
      "Tags" : [ Tag, ... ],
      "VpcId" : String
    }
}
YAML
Type: AWS::EC2::SecurityGroup
Properties:
  GroupDescription: String
  GroupName: String
  SecurityGroupEgress:
    - Egress
  SecurityGroupIngress:
    - Ingress
  Tags:
    - Tag
  VpcId: String
Properties
GroupDescription-
A description for the security group. This is informational only.
Constraints: Up to 255 characters in length
Constraints for EC2-Classic: ASCII characters
Constraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
Required: Yes
Type: String
Update requires: Replacement
GroupName-
The name of the security group. If you don't specify a name, CloudFormation generates a unique physical ID and uses it as the group name.
Constraints: Up to 255 characters in length. Cannot start with sg-.
Constraints for EC2-Classic: ASCII characters
Constraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
Required: No
Type: String
Update requires: Replacement
SecurityGroupEgress-
[VPC only] The outbound rules associated with the security group. When you update these rules, there is a short interruption during which you cannot connect to the security group.
Required: No
Type: List of Egress
Update requires: No interruption
SecurityGroupIngress-
The inbound rules associated with the security group. When you update these rules, there is a short interruption during which you cannot connect to the security group.
Required: No
Type: List of Ingress
Update requires: No interruption
Tags-
Any tags assigned to the security group.
Required: No
Type: List of Tag
Update requires: No interruption
VpcId-
[VPC only] The ID of the VPC for the security group.
Required: No
Type: String
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID. For security groups that were created without specifying a VPC (EC2-Classic or a default VPC), Ref returns the resource name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
GroupId-
The group ID of the specified security group, such as sg-94b3a1f6.
VpcId-
The physical ID of the VPC. You can obtain the physical ID by using a reference to an AWS::EC2::VPC, such as: { "Ref" : "myVPC" }.
Examples
Define Basic Ingress and Egress Rules
The following example specifies a security group with an ingress and egress rule.
JSON
"InstanceSecurityGroup" : {
   "Type" : "AWS::EC2::SecurityGroup",
   "Properties" : {
      "GroupDescription" : "Allow http to client host",
      "VpcId" : {"Ref" : "myVPC"},
      "SecurityGroupIngress" : [{
         "IpProtocol" : "tcp",
         "FromPort" : 80,
         "ToPort" : 80,
         "CidrIp" : "0.0.0.0/0"
      }],
      "SecurityGroupEgress" : [{
         "IpProtocol" : "tcp",
         "FromPort" : 80,
         "ToPort" : 80,
         "CidrIp" : "0.0.0.0/0"
      }]
   }
}
YAML
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow http to client host
    VpcId:
      Ref: myVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
Remove Default Rule
When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules; a template that omits SecurityGroupEgress keeps it. If you want to remove the default rule and limit egress traffic to just the localhost (127.0.0.1/32), use the following example. Because traffic to 127.0.0.1 never leaves the instance, the group then permits no outbound traffic at all; add explicit egress rules for anything the instance must reach.
JSON
"sgwithoutegress": {
   "Type": "AWS::EC2::SecurityGroup",
   "Properties": {
      "GroupDescription": "Limits security group egress traffic",
      "SecurityGroupEgress": [
         {
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "-1"
         }
      ],
      "VpcId": { "Ref": "myVPC" }
   }
}
YAML
sgwithoutegress:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Limits security group egress traffic
    SecurityGroupEgress:
      - CidrIp: 127.0.0.1/32
        IpProtocol: "-1"
    VpcId:
      Ref: myVPC
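Two of the caveats on this page, the circular dependency created by cross-referencing groups through their embedded rules, and the implicit allow-all egress rule that stays in place until a template declares SecurityGroupEgress, are easy to check statically before a stack is deployed. The following is an added example, not AWS code and not part of this page: a small Python linter that takes the JSON form of a template as a dict (json.load it first) and reports reference cycles among security groups, VPC groups with no egress rules, and embedded ingress rules open to any source. The two constructed templates inside it show the rejected pattern (embedded rules pointing at each other) next to the accepted one (separate AWS::EC2::SecurityGroupIngress resources, egress pinned with the 127.0.0.1/32 idiom). The logical IDs WebSG, AppSG and myVPC and the ports 8080 and 9100 are assumptions made for the example.

```python
"""Static checks for AWS::EC2::SecurityGroup resources in a CloudFormation template.

Added example, not AWS code. Pass the template as a dict (e.g. json.load of the JSON
form). Reports: groups whose embedded ingress/egress rules reference each other via
Ref or Fn::GetAtt (circular, rejected by CloudFormation); VPC groups without
SecurityGroupEgress (implicit allow-all egress); embedded ingress open to the world.
"""
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _refs(node):
    """Yield every logical ID referenced via Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:  # list form ["Id", "Attr"] or string form "Id.Attr"
            target = node["Fn::GetAtt"]
            yield target[0] if isinstance(target, list) else str(target).split(".")[0]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)


def security_groups(template):
    """Logical ID -> resource for every AWS::EC2::SecurityGroup in the template."""
    return {lid: res for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::SecurityGroup"}


def find_cycles(template):
    """Sorted IDs of groups whose embedded rules lie on a reference cycle (self-reference included)."""
    sgs = security_groups(template)
    edges = {}
    for lid, res in sgs.items():
        props = res.get("Properties", {})
        rules = props.get("SecurityGroupIngress", []) + props.get("SecurityGroupEgress", [])
        edges[lid] = {target for target in _refs(rules) if target in sgs}

    def reaches(start, goal):  # depth-first search over embedded-rule edges only
        seen, stack = set(), list(edges[start])
        while stack:
            node = stack.pop()
            if node == goal:
                return True
            if node not in seen:
                seen.add(node)
                stack.extend(edges[node])
        return False

    return sorted(lid for lid in sgs if reaches(lid, lid))


def implicit_allow_all_egress(template):
    """VPC groups with no SecurityGroupEgress, so the default allow-all egress rule stays."""
    return sorted(lid for lid, res in security_groups(template).items()
                  if "VpcId" in res.get("Properties", {})
                  and not res["Properties"].get("SecurityGroupEgress"))


def world_open_ingress(template):
    """(logical ID, protocol, FromPort, ToPort) for embedded ingress rules open to any source."""
    hits = []
    for lid, res in security_groups(template).items():
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == ANY_IPV4 or rule.get("CidrIpv6") == ANY_IPV6:
                hits.append((lid, str(rule.get("IpProtocol")), rule.get("FromPort"), rule.get("ToPort")))
    return hits


def lint(template):
    return {"circular": find_cycles(template),
            "implicit_allow_all_egress": implicit_allow_all_egress(template),
            "world_open_ingress": world_open_ingress(template)}


# Constructed templates (logical IDs and ports are assumptions). CIRCULAR cross-references
# WebSG and AppSG through embedded rules, which CloudFormation rejects; DECOUPLED expresses
# the same rules with separate AWS::EC2::SecurityGroupIngress resources and pins egress.
NO_EGRESS = [{"IpProtocol": "-1", "CidrIp": "127.0.0.1/32"}]  # the page's "remove default rule" idiom
CIRCULAR = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": ANY_IPV4},
            {"IpProtocol": "tcp", "FromPort": 9100, "ToPort": 9100,
             "SourceSecurityGroupId": {"Ref": "AppSG"}}]}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "app tier", "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                  "SourceSecurityGroupId": {"Fn::GetAtt": ["WebSG", "GroupId"]}}],
        "SecurityGroupEgress": NO_EGRESS}}}}

DECOUPLED = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "VpcId": {"Ref": "myVPC"}, "SecurityGroupEgress": NO_EGRESS}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "app tier", "VpcId": {"Ref": "myVPC"}, "SecurityGroupEgress": NO_EGRESS}},
    "AppFromWeb": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "AppSG"}, "SourceSecurityGroupId": {"Ref": "WebSG"},
        "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080}},
    "WebFromApp": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "WebSG"}, "SourceSecurityGroupId": {"Ref": "AppSG"},
        "IpProtocol": "tcp", "FromPort": 9100, "ToPort": 9100}}}}
```

Calling lint(CIRCULAR) flags both groups as circular, reports WebSG for keeping the implicit allow-all egress, and lists the port 80 rule as open to 0.0.0.0/0; lint(DECOUPLED) returns no findings, because the cross-references live in AWS::EC2::SecurityGroupIngress resources rather than in the groups themselves and both groups declare an egress rule. Only edges created by embedded rules are followed, so a group that references itself in its own embedded rule is flagged as well, which matches CloudFormation's refusal to let a resource reference itself.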
See also
- Security Groups for Your VPC in the Amazon VPC User Guide
- EC2-Classic in the Amazon EC2 User Guide for Linux Instances for information about accounts that support EC2-Classic security groups
- Amazon EC2 Security Groups for Linux Instances in the Amazon EC2 User Guide for Linux Instances