AWS SDK for Ruby
Developer Guide

Working with Amazon EC2 Security Groups

An Amazon EC2 security group acts as a virtual firewall that controls the traffic for one or more instances. You add rules to each security group to allow traffic to or from its associated instances. You can modify the rules for a security group at any time. The new rules are automatically applied to all instances that are associated with the security group.

For more information about the Amazon EC2 security groups, see:

In this example, we use the AWS SDK for Ruby with Amazon EC2 to:

  1. Create a security group.

  2. Add rules to the security group.

  3. Get information about security groups.

  4. Delete the security group.

The full sample script containing all of the following examples is available on GitHub.

Prerequisites

Before working with the code below, you need to install and configure the AWS SDK for Ruby. See the following:

You'll also need to create a VPC and note the VPC ID.

Configure the SDK

First you need to require the AWS SDK for Ruby and create an EC2 client. Then provide a name for the security group you'll create. You also need to provide the ID of your VPC, which is available in the console after the VPC is created. Be sure that you replace ``VPC-ID`` with your actual VPC ID.

    require 'aws-sdk-ec2' # v2: require 'aws-sdk'

    ec2 = Aws::EC2::Client.new(region: 'us-east-1')

    security_group_name = "my-security-group"
    vpc_id = "VPC-ID" # For example, "vpc-1234ab56".
    # Used later to determine whether it's okay to delete the security group.
    security_group_created = false

You use the security_group_created variable later in the script to determine if a security group was created and can therefore be deleted.

Create a Security Group

Create a security group that allows access over ports 22 (SSH) and 80 (HTTP) from all addresses (CIDR block 0.0.0.0/0). The 0.0.0.0/0 source is used here only to keep the example short; for an instance you actually run, restrict the SSH rule to the address ranges that need it.

    # Create a security group.
    begin
      create_security_group_result = ec2.create_security_group({
        group_name: security_group_name,
        description: "An example description for my security group.",
        vpc_id: vpc_id
      })

      # Add rules to the security group.
      # For example, allow all inbound HTTP and SSH traffic.
      ec2.authorize_security_group_ingress({
        group_id: create_security_group_result.group_id,
        ip_permissions: [
          {
            ip_protocol: "tcp",
            from_port: 80,
            to_port: 80,
            ip_ranges: [
              {
                cidr_ip: "0.0.0.0/0",
              }
            ]
          },
          {
            ip_protocol: "tcp",
            from_port: 22,
            to_port: 22,
            ip_ranges: [
              {
                cidr_ip: "0.0.0.0/0",
              }
            ]
          }
        ]
      })

      security_group_created = true
    rescue Aws::EC2::Errors::InvalidGroupDuplicate
      puts "A security group with the name '#{security_group_name}' already exists."
    end

If the begin block runs without raising, security_group_created is set to true. If a group with that name already exists, the InvalidGroupDuplicate rescue prints a message and the flag stays false, so the delete step at the end of the script is skipped.

Get Information about a Security Group

Having created a security group, you output information about your existing security groups and their IP permissions.

    def describe_ip_permission(ip_permission)
      puts "-" * 22
      puts "IP Protocol: #{ip_permission.ip_protocol}"
      puts "From Port: #{ip_permission.from_port}"
      puts "To Port: #{ip_permission.to_port}"

      if ip_permission.ip_ranges.count > 0
        puts "IP Ranges:"
        ip_permission.ip_ranges.each do |ip_range|
          puts "  #{ip_range.cidr_ip}"
        end
      end

      if ip_permission.ipv_6_ranges.count > 0
        puts "IPv6 Ranges:"
        ip_permission.ipv_6_ranges.each do |ipv_6_range|
          puts "  #{ipv_6_range.cidr_ipv_6}"
        end
      end

      if ip_permission.prefix_list_ids.count > 0
        puts "Prefix List IDs:"
        ip_permission.prefix_list_ids.each do |prefix_list_id|
          puts "  #{prefix_list_id.prefix_list_id}"
        end
      end

      if ip_permission.user_id_group_pairs.count > 0
        puts "User ID Group Pairs:"
        ip_permission.user_id_group_pairs.each do |user_id_group_pair|
          puts " ." * 7
          puts "  Group ID: #{user_id_group_pair.group_id}"
          puts "  Group Name: #{user_id_group_pair.group_name}"
          puts "  Peering Status: #{user_id_group_pair.peering_status}"
          puts "  User ID: #{user_id_group_pair.user_id}"
          puts "  VPC ID: #{user_id_group_pair.vpc_id}"
          puts "  VPC Peering Connection ID: #{user_id_group_pair.vpc_peering_connection_id}"
        end
      end
    end

    describe_security_groups_result = ec2.describe_security_groups

    describe_security_groups_result.security_groups.each do |security_group|
      puts "\n"
      puts "*" * (security_group.group_name.length + 12)
      puts "Group Name: #{security_group.group_name}"
      puts "Group ID: #{security_group.group_id}"
      puts "Description: #{security_group.description}"
      puts "VPC ID: #{security_group.vpc_id}"
      puts "Owner ID: #{security_group.owner_id}"

      if security_group.ip_permissions.count > 0
        puts "=" * 22
        puts "IP Permissions:"
        security_group.ip_permissions.each do |ip_permission|
          describe_ip_permission(ip_permission)
        end
      end

      if security_group.ip_permissions_egress.count > 0
        puts "=" * 22
        puts "IP Permissions Egress:"
        security_group.ip_permissions_egress.each do |ip_permission|
          describe_ip_permission(ip_permission)
        end
      end

      if security_group.tags.count > 0
        puts "=" * 22
        puts "Tags:"
        security_group.tags.each do |tag|
          puts "  #{tag.key} = #{tag.value}"
        end
      end
    end
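The listing above prints every rule; a defender usually also wants a pass that flags the risky ones. The following is an added example, not code from the guide: it walks the same security_group / ip_permissions / ip_ranges structure and reports any rule that exposes a sensitive port to 0.0.0.0/0 or ::/0. It runs offline on constructed Struct stand-ins that use the SDK's accessor names; the port policy, group IDs and sample rules are assumptions made for the example.

```ruby
# Constructed stand-ins for the SDK response structs (same accessor names as
# the security_group, ip_permission, ip_range and ipv_6_range objects above).
IpRange       = Struct.new(:cidr_ip)
Ipv6Range     = Struct.new(:cidr_ipv_6)
IpPermission  = Struct.new(:ip_protocol, :from_port, :to_port, :ip_ranges, :ipv_6_ranges)
SecurityGroup = Struct.new(:group_id, :group_name, :ip_permissions)

# Assumed policy for this example: ports that must not be open to the Internet.
SENSITIVE_PORTS = { 22 => "SSH", 3389 => "RDP" }.freeze

# True when the rule's source includes every IPv4 or every IPv6 address.
def open_to_world?(perm)
  (perm.ip_ranges || []).any? { |r| r.cidr_ip == "0.0.0.0/0" } ||
    (perm.ipv_6_ranges || []).any? { |r| r.cidr_ipv_6 == "::/0" }
end

# True when the rule's protocol and port range include the given TCP port.
# ip_protocol "-1" means all protocols and ports; "6" is the IANA number for TCP.
def covers_tcp_port?(perm, port)
  return true if perm.ip_protocol == "-1"
  return false unless %w[tcp 6].include?(perm.ip_protocol)
  ((perm.from_port || 0)..(perm.to_port || 65_535)).cover?(port)
end

# Returns [group_id, port, label] for each sensitive port reachable from anywhere.
def audit_security_groups(groups)
  groups.flat_map do |sg|
    sg.ip_permissions.select { |perm| open_to_world?(perm) }.flat_map do |perm|
      SENSITIVE_PORTS.select { |port, _| covers_tcp_port?(perm, port) }
                     .map { |port, label| [sg.group_id, port, label] }
    end
  end
end

# Constructed sample: the guide's group (HTTP + SSH from anywhere) and a second
# group with a private-only database rule plus an all-traffic IPv6 rule.
SAMPLE_GROUPS = [
  SecurityGroup.new("sg-example1", "my-security-group", [
    IpPermission.new("tcp", 80, 80, [IpRange.new("0.0.0.0/0")], []),
    IpPermission.new("tcp", 22, 22, [IpRange.new("0.0.0.0/0")], [])
  ]),
  SecurityGroup.new("sg-example2", "db-group", [
    IpPermission.new("tcp", 5432, 5432, [IpRange.new("10.0.0.0/8")], []),
    IpPermission.new("-1", nil, nil, [], [Ipv6Range.new("::/0")])
  ])
].freeze

if $PROGRAM_NAME == __FILE__
  audit_security_groups(SAMPLE_GROUPS).each do |group_id, port, label|
    puts "#{group_id}: #{label} (tcp/#{port}) is reachable from anywhere"
  end
end
```

Against a live account the same function accepts the real response, e.g. audit_security_groups(ec2.describe_security_groups.security_groups), because the SDK structs respond to the same accessors.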

Delete a Security Group

At the end of the script, assuming that you successfully created a security group and the security_group_created flag is set to true, you delete the security group.

    if security_group_created
      ec2.delete_security_group({
        group_id: create_security_group_result.group_id
      })
    end