@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)", date="2023-03-14T16:25:28.743Z") public class SecurityGroup extends Resource implements ISecurityGroup
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule
and
addEgressRule
is possible, but mutation through the .connections
object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
ISecurityGroup securityGroup = SecurityGroup.fromSecurityGroupId(this, "SG", "sg-12345", SecurityGroupImportOptions.builder() .mutable(false) .build());
Example:
Vpc vpc; LaunchTemplate template = LaunchTemplate.Builder.create(this, "LaunchTemplate") .machineImage(MachineImage.latestAmazonLinux()) .securityGroup(SecurityGroup.Builder.create(this, "LaunchTemplateSG") .vpc(vpc) .build()) .build();
Modifier and Type | Class and Description |
---|---|
static class |
SecurityGroup.Builder
A fluent builder for
SecurityGroup . |
ISecurityGroup.Jsii$Default, ISecurityGroup.Jsii$Proxy
Modifier | Constructor and Description |
---|---|
protected |
SecurityGroup(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) |
protected |
SecurityGroup(software.amazon.jsii.JsiiObjectRef objRef) |
|
SecurityGroup(software.constructs.Construct scope,
java.lang.String id,
SecurityGroupProps props) |
Modifier and Type | Method and Description |
---|---|
void |
addEgressRule(IPeer peer,
Port connection)
Add an egress rule for the current security group.
|
void |
addEgressRule(IPeer peer,
Port connection,
java.lang.String description)
Add an egress rule for the current security group.
|
void |
addEgressRule(IPeer peer,
Port connection,
java.lang.String description,
java.lang.Boolean remoteRule)
Add an egress rule for the current security group.
|
void |
addIngressRule(IPeer peer,
Port connection)
Add an ingress rule for the current security group.
|
void |
addIngressRule(IPeer peer,
Port connection,
java.lang.String description)
Add an ingress rule for the current security group.
|
void |
addIngressRule(IPeer peer,
Port connection,
java.lang.String description,
java.lang.Boolean remoteRule)
Add an ingress rule for the current security group.
|
protected com.fasterxml.jackson.databind.node.ObjectNode |
determineRuleScope(IPeer peer,
Port connection,
java.lang.String fromTo)
Determine where to parent a new ingress/egress rule.
|
protected com.fasterxml.jackson.databind.node.ObjectNode |
determineRuleScope(IPeer peer,
Port connection,
java.lang.String fromTo,
java.lang.Boolean remoteRule)
Determine where to parent a new ingress/egress rule.
|
static ISecurityGroup |
fromLookup(software.constructs.Construct scope,
java.lang.String id,
java.lang.String securityGroupId)
Deprecated.
Use `fromLookupById()` instead
|
static ISecurityGroup |
fromLookupById(software.constructs.Construct scope,
java.lang.String id,
java.lang.String securityGroupId)
Look up a security group by id.
|
static ISecurityGroup |
fromLookupByName(software.constructs.Construct scope,
java.lang.String id,
java.lang.String securityGroupName,
IVpc vpc)
Look up a security group by name.
|
static ISecurityGroup |
fromSecurityGroupId(software.constructs.Construct scope,
java.lang.String id,
java.lang.String securityGroupId)
Import an existing security group into this app.
|
static ISecurityGroup |
fromSecurityGroupId(software.constructs.Construct scope,
java.lang.String id,
java.lang.String securityGroupId,
SecurityGroupImportOptions options)
Import an existing security group into this app.
|
java.lang.Boolean |
getAllowAllOutbound()
Whether the SecurityGroup has been configured to allow all outbound traffic.
|
java.lang.Boolean |
getCanInlineRule()
Whether the rule can be inlined into a SecurityGroup or not.
|
Connections |
getConnections()
The network connections associated with this resource.
|
Port |
getDefaultPort() |
java.lang.String |
getSecurityGroupId()
The ID of the security group.
|
java.lang.String |
getSecurityGroupName()
Deprecated.
returns the security group ID, rather than the name.
|
java.lang.String |
getSecurityGroupVpcId()
The VPC ID this security group is part of.
|
java.lang.String |
getUniqueId()
A unique identifier for this connection peer.
|
static java.lang.Boolean |
isSecurityGroup(java.lang.Object x)
Return whether the indicated object is a security group.
|
java.lang.Object |
toEgressRuleConfig()
Produce the egress rule JSON for the given connection.
|
java.lang.Object |
toIngressRuleConfig()
Produce the ingress rule JSON for the given connection.
|
applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
applyRemovalPolicy, getEnv, getStack
getNode
protected SecurityGroup(software.amazon.jsii.JsiiObjectRef objRef)
protected SecurityGroup(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
public SecurityGroup(software.constructs.Construct scope, java.lang.String id, SecurityGroupProps props)
scope
- This parameter is required.id
- This parameter is required.props
- This parameter is required.@Deprecated public static ISecurityGroup fromLookup(software.constructs.Construct scope, java.lang.String id, java.lang.String securityGroupId)
scope
- This parameter is required.id
- This parameter is required.securityGroupId
- This parameter is required.public static ISecurityGroup fromLookupById(software.constructs.Construct scope, java.lang.String id, java.lang.String securityGroupId)
scope
- This parameter is required.id
- This parameter is required.securityGroupId
- This parameter is required.public static ISecurityGroup fromLookupByName(software.constructs.Construct scope, java.lang.String id, java.lang.String securityGroupName, IVpc vpc)
scope
- This parameter is required.id
- This parameter is required.securityGroupName
- This parameter is required.vpc
- This parameter is required.public static ISecurityGroup fromSecurityGroupId(software.constructs.Construct scope, java.lang.String id, java.lang.String securityGroupId, SecurityGroupImportOptions options)
This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).
If your existing Security Group needs to have egress rules added, pass the
allowAllOutbound: false
option on import.
scope
- This parameter is required.id
- This parameter is required.securityGroupId
- This parameter is required.options
- public static ISecurityGroup fromSecurityGroupId(software.constructs.Construct scope, java.lang.String id, java.lang.String securityGroupId)
This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).
If your existing Security Group needs to have egress rules added, pass the
allowAllOutbound: false
option on import.
scope
- This parameter is required.id
- This parameter is required.securityGroupId
- This parameter is required.public static java.lang.Boolean isSecurityGroup(java.lang.Object x)
x
- This parameter is required.public void addEgressRule(IPeer peer, Port connection, java.lang.String description, java.lang.Boolean remoteRule)
remoteRule
controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
addEgressRule
in interface ISecurityGroup
peer
- This parameter is required.connection
- This parameter is required.description
- remoteRule
- public void addEgressRule(IPeer peer, Port connection, java.lang.String description)
remoteRule
controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
addEgressRule
in interface ISecurityGroup
peer
- This parameter is required.connection
- This parameter is required.description
- public void addEgressRule(IPeer peer, Port connection)
remoteRule
controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
addEgressRule
in interface ISecurityGroup
peer
- This parameter is required.connection
- This parameter is required.public void addIngressRule(IPeer peer, Port connection, java.lang.String description, java.lang.Boolean remoteRule)
remoteRule
controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
addIngressRule
in interface ISecurityGroup
peer
- This parameter is required.connection
- This parameter is required.description
- remoteRule
- public void addIngressRule(IPeer peer, Port connection, java.lang.String description)
remoteRule
controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
addIngressRule
in interface ISecurityGroup
peer
- This parameter is required.connection
- This parameter is required.description
- public void addIngressRule(IPeer peer, Port connection)
remoteRule
controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
addIngressRule
in interface ISecurityGroup
peer
- This parameter is required.connection
- This parameter is required.protected com.fasterxml.jackson.databind.node.ObjectNode determineRuleScope(IPeer peer, Port connection, java.lang.String fromTo, java.lang.Boolean remoteRule)
A SecurityGroup rule is parented under the group it's related to, UNLESS we're in a cross-stack scenario with another Security Group. In that case, we respect the 'remoteRule' flag and will parent under the other security group.
This is necessary to avoid cyclic dependencies between stacks, since both ingress and egress rules will reference both security groups, and a naive parenting will lead to the following situation:
╔════════════════════╗ ╔════════════════════╗ ║ ┌───────────┐ ║ ║ ┌───────────┐ ║ ║ │ GroupA │◀────╬─┐ ┌───╬───▶│ GroupB │ ║ ║ └───────────┘ ║ │ │ ║ └───────────┘ ║ ║ ▲ ║ │ │ ║ ▲ ║ ║ │ ║ │ │ ║ │ ║ ║ │ ║ │ │ ║ │ ║ ║ ┌───────────┐ ║ └───┼───╬────┌───────────┐ ║ ║ │ EgressA │─────╬─────┘ ║ │ IngressB │ ║ ║ └───────────┘ ║ ║ └───────────┘ ║ ║ ║ ║ ║ ╚════════════════════╝ ╚════════════════════╝
By having the ability to switch the parent, we avoid the cyclic reference by keeping all rules in a single stack.
If this happens, we also have to change the construct ID, because otherwise we might have two objects with the same ID if we have multiple reversed security group relationships.
╔═══════════════════════════════════╗ ║┌───────────┐ ║ ║│ GroupB │ ║ ║└───────────┘ ║ ║ ▲ ║ ║ │ ┌───────────┐ ║ ║ ├────"from A"──│ IngressB │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ ├─────"to B"───│ EgressA │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ └─────"to B"───│ EgressC │ ║ <-- oops ║ └───────────┘ ║ ╚═══════════════════════════════════╝
peer
- This parameter is required.connection
- This parameter is required.fromTo
- This parameter is required.remoteRule
- protected com.fasterxml.jackson.databind.node.ObjectNode determineRuleScope(IPeer peer, Port connection, java.lang.String fromTo)
A SecurityGroup rule is parented under the group it's related to, UNLESS we're in a cross-stack scenario with another Security Group. In that case, we respect the 'remoteRule' flag and will parent under the other security group.
This is necessary to avoid cyclic dependencies between stacks, since both ingress and egress rules will reference both security groups, and a naive parenting will lead to the following situation:
╔════════════════════╗ ╔════════════════════╗ ║ ┌───────────┐ ║ ║ ┌───────────┐ ║ ║ │ GroupA │◀────╬─┐ ┌───╬───▶│ GroupB │ ║ ║ └───────────┘ ║ │ │ ║ └───────────┘ ║ ║ ▲ ║ │ │ ║ ▲ ║ ║ │ ║ │ │ ║ │ ║ ║ │ ║ │ │ ║ │ ║ ║ ┌───────────┐ ║ └───┼───╬────┌───────────┐ ║ ║ │ EgressA │─────╬─────┘ ║ │ IngressB │ ║ ║ └───────────┘ ║ ║ └───────────┘ ║ ║ ║ ║ ║ ╚════════════════════╝ ╚════════════════════╝
By having the ability to switch the parent, we avoid the cyclic reference by keeping all rules in a single stack.
If this happens, we also have to change the construct ID, because otherwise we might have two objects with the same ID if we have multiple reversed security group relationships.
╔═══════════════════════════════════╗ ║┌───────────┐ ║ ║│ GroupB │ ║ ║└───────────┘ ║ ║ ▲ ║ ║ │ ┌───────────┐ ║ ║ ├────"from A"──│ IngressB │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ ├─────"to B"───│ EgressA │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ └─────"to B"───│ EgressC │ ║ <-- oops ║ └───────────┘ ║ ╚═══════════════════════════════════╝
peer
- This parameter is required.connection
- This parameter is required.fromTo
- This parameter is required.public java.lang.Object toEgressRuleConfig()
toEgressRuleConfig
in interface IPeer
public java.lang.Object toIngressRuleConfig()
toIngressRuleConfig
in interface IPeer
public java.lang.Boolean getAllowAllOutbound()
getAllowAllOutbound
in interface ISecurityGroup
public java.lang.Boolean getCanInlineRule()
getCanInlineRule
in interface IPeer
public Connections getConnections()
getConnections
in interface IConnectable
public java.lang.String getSecurityGroupId()
getSecurityGroupId
in interface ISecurityGroup
@Deprecated public java.lang.String getSecurityGroupName()
public java.lang.String getSecurityGroupVpcId()
public java.lang.String getUniqueId()
getUniqueId
in interface IPeer
public Port getDefaultPort()