AWS::EC2::SecurityGroup
Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which to create the security group.
If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.
Important
To cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
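The circular dependency described in the note above can be caught before a stack update is attempted by walking the template's Ref, Fn::GetAtt and DependsOn references. The following Python is an added example, not code from the AWS documentation. It constructs two small templates in which security groups SgA and SgB admit TCP/443 traffic from each other: EMBEDDED uses the in-line SecurityGroupIngress property (so each group Refs the other), STANDALONE uses separate AWS::EC2::SecurityGroupIngress resources. The rule properties SourceSecurityGroupId and GroupId belong to the Ingress property type and the standalone resource respectively; they are not listed on this page, and the helper names (_group, _rule_from, find_cycle) are this example's own.

```python
"""Reference-cycle check for the two ways of cross-referencing security groups.

Constructed example, not code from the AWS documentation. find_cycle() builds the
resource dependency graph from Ref, Fn::GetAtt and DependsOn and reports the first
cycle it finds; EMBEDDED has one, STANDALONE does not.
"""


def _refs(node):
    """Yield logical IDs referenced by Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        target = node.get("Fn::GetAtt")
        if target is not None:
            # Both the ["Res", "Attr"] list form and the short "Res.Attr" form.
            yield target[0] if isinstance(target, list) else target.split(".", 1)[0]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item)


def dependency_graph(template):
    """Map each logical resource ID to the set of resources it depends on."""
    resources = template.get("Resources", {})
    graph = {}
    for name, res in resources.items():
        deps = set(_refs(res.get("Properties", {})))
        depends_on = res.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        # Refs to parameters or pseudo-parameters are not resources; drop them.
        graph[name] = {d for d in deps if d in resources}
    return graph


def find_cycle(template):
    """Return the logical IDs of one dependency cycle (closed), or [] if acyclic."""
    graph = dependency_graph(template)
    state = {n: "unvisited" for n in graph}
    path = []

    def visit(n):
        state[n] = "active"
        path.append(n)
        for m in sorted(graph[n]):
            if state[m] == "active":          # back edge: cycle closes at m
                return path[path.index(m):] + [m]
            if state[m] == "unvisited":
                cycle = visit(m)
                if cycle:
                    return cycle
        path.pop()
        state[n] = "done"
        return []

    for n in graph:
        if state[n] == "unvisited":
            cycle = visit(n)
            if cycle:
                return cycle
    return []


def _group(description, ingress=None):
    """A minimal AWS::EC2::SecurityGroup; MyVpc is a constructed parameter name."""
    props = {"GroupDescription": description, "VpcId": {"Ref": "MyVpc"}}
    if ingress is not None:
        props["SecurityGroupIngress"] = ingress
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": props}


def _rule_from(source_group):
    """A TCP/443 rule whose source is another security group (SourceSecurityGroupId)."""
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "SourceSecurityGroupId": {"Ref": source_group}}


# Embedded rules: SgA -> SgB -> SgA, the circular dependency the note warns about.
EMBEDDED = {"Resources": {
    "SgA": _group("tier A", [_rule_from("SgB")]),
    "SgB": _group("tier B", [_rule_from("SgA")]),
}}

# Standalone rules: the groups reference nothing; the rule resources reference both.
STANDALONE = {"Resources": {
    "SgA": _group("tier A"),
    "SgB": _group("tier B"),
    "SgAFromSgB": {"Type": "AWS::EC2::SecurityGroupIngress",
                   "Properties": dict(_rule_from("SgB"), GroupId={"Ref": "SgA"})},
    "SgBFromSgA": {"Type": "AWS::EC2::SecurityGroupIngress",
                   "Properties": dict(_rule_from("SgA"), GroupId={"Ref": "SgB"})},
}}

if __name__ == "__main__":
    print("embedded  :", find_cycle(EMBEDDED) or "no cycle")
    print("standalone:", find_cycle(STANDALONE) or "no cycle")
```

In the standalone form the two groups have no edges at all, and each rule resource depends on both groups, which is a plain tree that CloudFormation can order. The same walk works on any template loaded with json.load, so it can run as a pre-deploy check.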
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
```json
{
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : String,
    "GroupName" : String,
    "SecurityGroupEgress" : [ Egress, ... ],
    "SecurityGroupIngress" : [ Ingress, ... ],
    "Tags" : [ Tag, ... ],
    "VpcId" : String
  }
}
```
YAML
```yaml
Type: AWS::EC2::SecurityGroup
Properties:
  GroupDescription: String
  GroupName: String
  SecurityGroupEgress:
    - Egress
  SecurityGroupIngress:
    - Ingress
  Tags:
    - Tag
  VpcId: String
```
Properties

GroupDescription
A description for the security group.
Constraints: Up to 255 characters in length.
Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
Required: Yes
Type: String
Update requires: Replacement

GroupName
The name of the security group.
Constraints: Up to 255 characters in length. Cannot start with sg-.
Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
Required: No
Type: String
Update requires: Replacement

SecurityGroupEgress
The outbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.
Required: No
Type: Array of Egress
Update requires: Some interruptions

SecurityGroupIngress
The inbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.
Required: No
Type: Array of Ingress
Update requires: Some interruptions

Tags
Any tags assigned to the security group.
Required: No
Type: Array of Tag
Update requires: No interruption

VpcId
The ID of the VPC for the security group. If you do not specify a VPC, the default is to use the default VPC for the Region. If there's no specified VPC and no default VPC, security group creation fails.
Required: Conditional
Type: String
Update requires: Replacement
Return values

Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security group if you specified the VpcId property. Otherwise, it returns the name of the security group. If you omit the VpcId property and need the ID of the VPC, use Fn::GetAtt instead.
For more information about using the Ref function, see Ref.

Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

GroupId
The ID of the security group, such as sg-94b3a1f6.

VpcId
The ID of the VPC, such as vpc-0669f8f9.
Examples

Define basic ingress and egress rules
The following example specifies a security group with an ingress and egress rule.
JSON
```json
"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Allow http to client host",
    "VpcId" : {"Ref" : "myVPC"},
    "SecurityGroupIngress" : [{
      "IpProtocol" : "tcp",
      "FromPort" : 80,
      "ToPort" : 80,
      "CidrIp" : "0.0.0.0/0"
    }],
    "SecurityGroupEgress" : [{
      "IpProtocol" : "tcp",
      "FromPort" : 80,
      "ToPort" : 80,
      "CidrIp" : "0.0.0.0/0"
    }]
  }
}
```
YAML
```yaml
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow http to client host
    VpcId: !Ref myVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
```

Remove the default rule
When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules. If you want to remove the default rule and limit egress traffic to just the localhost (127.0.0.1/32), use the following example.
JSON
```json
"sgwithoutegress": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Limits security group egress traffic",
    "SecurityGroupEgress": [{
      "CidrIp": "127.0.0.1/32",
      "IpProtocol": "-1"
    }],
    "VpcId": { "Ref": "myVPC" }
  }
}
```
YAML
```yaml
sgwithoutegress:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Limits security group egress traffic
    SecurityGroupEgress:
      - CidrIp: 127.0.0.1/32
        IpProtocol: "-1"
    VpcId: !Ref myVPC
```

Allow ping requests
To allow ping requests, add the ICMP protocol type and specify 8 (echo request) for the ICMP type and either 0 or -1 (all) for the ICMP code.
JSON
```json
"SGPing" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "DependsOn": "VPC",
  "Properties" : {
    "GroupDescription" : "SG to test ping",
    "VpcId" : {"Ref" : "VPC"},
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : 22,
        "ToPort" : 22,
        "CidrIp" : "10.0.0.0/24"
      },
      {
        "IpProtocol" : "icmp",
        "FromPort" : 8,
        "ToPort" : -1,
        "CidrIp" : "10.0.0.0/24"
      }
    ]
  }
}
```
YAML
```yaml
SGPing:
  Type: AWS::EC2::SecurityGroup
  DependsOn: VPC
  Properties:
    GroupDescription: SG to test ping
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 10.0.0.0/24
      - IpProtocol: icmp
        FromPort: 8
        ToPort: -1
        CidrIp: 10.0.0.0/24
```
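Two facts on this page are easy to lose in review: a group that omits SecurityGroupEgress silently receives allow-all egress rules, and an ingress rule with a 0.0.0.0/0 or ::/0 source is reachable from the whole internet. The following Python is an added example, not code from the AWS documentation; it runs both checks over a template and returns findings that a CI step can act on. The constructed SAMPLE_TEMPLATE embeds the three groups from the examples above plus one constructed weak group (AdminSG) that trips both checks; the check names and the helper checks_for() are this example's own.

```python
"""Static checks for AWS::EC2::SecurityGroup resources in a CloudFormation template.

Constructed example, not code from the AWS documentation. Two checks:
  implicit-allow-all-egress  the group omits SecurityGroupEgress, so CloudFormation
                             adds the default egress rules (all ports and protocols,
                             IPv4 and IPv6, any destination);
  world-open-ingress         an ingress rule whose source is 0.0.0.0/0 or ::/0.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def lint_security_groups(template):
    """Return one finding dict per problem found across all security groups."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})

        # Check 1: no explicit egress -> CloudFormation adds allow-all egress rules.
        if not props.get("SecurityGroupEgress"):
            findings.append({"resource": name, "check": "implicit-allow-all-egress",
                             "detail": "no SecurityGroupEgress given; default allows "
                                       "all outbound traffic"})

        # Check 2: ingress reachable from any address on the internet.
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD_CIDRS:
                continue
            proto = str(rule.get("IpProtocol"))
            if proto == "-1":
                detail = f"all protocols and ports open to {cidr}"
            else:
                detail = (f"{proto} ports {rule.get('FromPort')}-{rule.get('ToPort')} "
                          f"open to {cidr}")
            findings.append({"resource": name, "check": "world-open-ingress",
                             "detail": detail})
    return findings


def checks_for(template, resource):
    """Names of the checks raised for one logical resource, in the order found."""
    return [f["check"] for f in lint_security_groups(template) if f["resource"] == resource]


# Constructed template: the three groups from the examples above, plus AdminSG,
# a deliberately weak constructed group that trips both checks.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                  "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                 "CidrIp": "0.0.0.0/0"}]
      }
    },
    "sgwithoutegress": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Limits security group egress traffic",
        "SecurityGroupEgress": [{"CidrIp": "127.0.0.1/32", "IpProtocol": "-1"}],
        "VpcId": {"Ref": "myVPC"}
      }
    },
    "SGPing": {
      "Type": "AWS::EC2::SecurityGroup",
      "DependsOn": "VPC",
      "Properties": {
        "GroupDescription": "SG to test ping",
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/24"},
          {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "CidrIp": "10.0.0.0/24"}
        ]
      }
    },
    "AdminSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "constructed weak group",
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "0.0.0.0/0"}]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for f in lint_security_groups(SAMPLE_TEMPLATE):
        print(f"{f['resource']}: {f['check']} ({f['detail']})")
```

The page's own examples come out as expected: InstanceSecurityGroup is flagged only for its world-open port 80, sgwithoutegress is clean because it declares an explicit egress rule, and SGPing is flagged only because it declares no egress at all. Whether implicit-allow-all-egress should fail a build is a policy decision; the check makes the implicit rule visible so that decision is taken deliberately.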
See also
- Security groups for your VPC in the Amazon VPC User Guide
- Amazon EC2 security groups in the Amazon EC2 User Guide