Work with security groups in Amazon EC2
Create a security group
To create a security group, call the Ec2Client’s createSecurityGroup method with a
CreateSecurityGroupRequest
that contains the key’s name.
Imports
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.ec2.Ec2Client; import software.amazon.awssdk.services.ec2.model.CreateSecurityGroupRequest; import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressRequest; import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressResponse; import software.amazon.awssdk.services.ec2.model.Ec2Exception; import software.amazon.awssdk.services.ec2.model.IpPermission; import software.amazon.awssdk.services.ec2.model.CreateSecurityGroupResponse; import software.amazon.awssdk.services.ec2.model.IpRange;
Code
CreateSecurityGroupRequest createRequest = CreateSecurityGroupRequest.builder() .groupName(groupName) .description(groupDesc) .vpcId(vpcId) .build(); CreateSecurityGroupResponse resp= ec2.createSecurityGroup(createRequest);
See the
complete example
Configure a security group
A security group can control both inbound (ingress) and outbound (egress) traffic to your Amazon EC2 instances.
To add ingress rules to your security group, use the Ec2Client’s authorizeSecurityGroupIngress
method, providing the name of the security group and the access rules
(IpPermission)
you want to assign to it within an
AuthorizeSecurityGroupIngressRequest
object. The following example shows how to add IP permissions to a security group.
Imports
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.ec2.Ec2Client; import software.amazon.awssdk.services.ec2.model.CreateSecurityGroupRequest; import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressRequest; import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressResponse; import software.amazon.awssdk.services.ec2.model.Ec2Exception; import software.amazon.awssdk.services.ec2.model.IpPermission; import software.amazon.awssdk.services.ec2.model.CreateSecurityGroupResponse; import software.amazon.awssdk.services.ec2.model.IpRange;
Code
First, create an Ec2Client
Region region = Region.US_WEST_2; Ec2Client ec2 = Ec2Client.builder() .region(region) .build();
Then use the Ec2Client’s authorizeSecurityGroupIngress method,
IpRange ipRange = IpRange.builder() .cidrIp("0.0.0.0/0").build(); IpPermission ipPerm = IpPermission.builder() .ipProtocol("tcp") .toPort(80) .fromPort(80) .ipRanges(ipRange) .build(); IpPermission ipPerm2 = IpPermission.builder() .ipProtocol("tcp") .toPort(22) .fromPort(22) .ipRanges(ipRange) .build(); AuthorizeSecurityGroupIngressRequest authRequest = AuthorizeSecurityGroupIngressRequest.builder() .groupName(groupName) .ipPermissions(ipPerm, ipPerm2) .build(); AuthorizeSecurityGroupIngressResponse authResponse = ec2.authorizeSecurityGroupIngress(authRequest); System.out.printf( "Successfully added ingress policy to Security Group %s", groupName); return resp.groupId(); } catch (Ec2Exception e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; }
To add an egress rule to the security group, provide similar data in an
AuthorizeSecurityGroupEgressRequest
to the Ec2Client’s authorizeSecurityGroupEgress method.
See the
complete example
Describe security groups
To describe your security groups or get information about them, call the Ec2Client’s
describeSecurityGroups method. It returns a
DescribeSecurityGroupsResponse
that you can use to access the list of security groups by calling its securityGroups method,
which returns a list of
SecurityGroup
objects.
Imports
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.ec2.Ec2Client; import software.amazon.awssdk.services.ec2.model.DescribeSecurityGroupsRequest; import software.amazon.awssdk.services.ec2.model.DescribeSecurityGroupsResponse; import software.amazon.awssdk.services.ec2.model.SecurityGroup; import software.amazon.awssdk.services.ec2.model.Ec2Exception;
Code
public static void describeEC2SecurityGroups(Ec2Client ec2, String groupId) { try { DescribeSecurityGroupsRequest request = DescribeSecurityGroupsRequest.builder() .groupIds(groupId).build(); DescribeSecurityGroupsResponse response = ec2.describeSecurityGroups(request); for(SecurityGroup group : response.securityGroups()) { System.out.printf( "Found Security Group with id %s, " + "vpc id %s " + "and description %s", group.groupId(), group.vpcId(), group.description()); } } catch (Ec2Exception e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } }
See the
complete example
Delete a security group
To delete a security group, call the Ec2Client’s deleteSecurityGroup method, passing it a
DeleteSecurityGroupRequest
that contains the ID of the security group to delete.
Imports
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.ec2.Ec2Client; import software.amazon.awssdk.services.ec2.model.DeleteSecurityGroupRequest; import software.amazon.awssdk.services.ec2.model.Ec2Exception;
Code
public static void deleteEC2SecGroup(Ec2Client ec2,String groupId) { try { DeleteSecurityGroupRequest request = DeleteSecurityGroupRequest.builder() .groupId(groupId) .build(); ec2.deleteSecurityGroup(request); System.out.printf( "Successfully deleted Security Group with id %s", groupId); } catch (Ec2Exception e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } }
See the
complete example
More information
-
Amazon EC2 Security Groups in the Amazon EC2 User Guide for Linux Instances
-
Authorizing Inbound Traffic for Your Linux Instances in the Amazon EC2 User Guide for Linux Instances
-
CreateSecurityGroup in the Amazon EC2 API Reference
-
DescribeSecurityGroups in the Amazon EC2 API Reference
-
DeleteSecurityGroup in the Amazon EC2 API Reference
-
AuthorizeSecurityGroupIngress in the Amazon EC2 API Reference
