Working with Amazon EC2 Security Groups - AWS SDK for Ruby

Working with Amazon EC2 Security Groups

An Amazon EC2 security group acts as a virtual firewall that controls the traffic for one or more instances. You add rules to each security group to allow traffic to or from its associated instances. You can modify the rules for a security group at any time. The new rules are automatically applied to all instances that are associated with the security group.

For more information about the Amazon EC2 security groups, see:

In this example, we use the AWS SDK for Ruby with Amazon EC2 to:

  1. Create a security group.

  2. Add rules to the security group.

  3. Get information about security groups.

  4. Delete the security group.

The full sample script containing all of the following examples is available on GitHub.

Prerequisites

Before working with the code below, you need to install and configure the AWS SDK for Ruby. See the following:

You’ll also need to create a VPC and note the VPC ID.

Configure the SDK

First you need the AWS SDK for Ruby, and you need to create an EC2 client. Then provide a name for the security group you’ll create. You also need to provide the ID of our VPC, which is available in the console after the VPC is created. Be sure that you replace ``VPC-ID`` with your actual VPC ID.

You use the security_group_created variable later in the script to determine if a security group was created and can therefore be deleted.

Create a Security Group

Create a security group that allows access over ports 22 (SSH) and 80 (HTTP) from all addresses (CIDR block 0.0.0.0/0).

If the begin block executes without exception, set security_group_created to true.

Get Information about a Security Group

Having created a security group, you output information about your existing security groups and their IP permissions.

Delete a Security Group

At the end of the script, assuming that you successfully created a security group and the security_group_created flag is set to true, you delete the security group.

# Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. # # This file is licensed under the Apache License, Version 2.0 (the "License"). # You may not use this file except in compliance with the License. A copy of the # License is located at # # http://aws.amazon.com/apache2.0/ # # This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS # OF ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. # Demonstrates how to: # 1. Create a security group. # 2. Add rules to the security group. # 3. Get information about security groups. # 4. Delete the security group. require 'aws-sdk-ec2' # v2: require 'aws-sdk' ec2 = Aws::EC2::Client.new(region: 'us-east-1') security_group_name = "my-security-group" vpc_id = "VPC-ID" # For example, "vpc-1234ab56". security_group_created = false # Used later to determine whether it's okay to delete the security group. # Create a security group. begin create_security_group_result = ec2.create_security_group({ group_name: security_group_name, description: "An example description for my security group.", vpc_id: vpc_id }) # Add rules to the security group. # For example, allow all inbound HTTP and SSH traffic. ec2.authorize_security_group_ingress({ group_id: create_security_group_result.group_id, ip_permissions: [ { ip_protocol: "tcp", from_port: 80, to_port: 80, ip_ranges: [ { cidr_ip: "0.0.0.0/0", } ] }, { ip_protocol: "tcp", from_port: 22, to_port: 22, ip_ranges: [ { cidr_ip: "0.0.0.0/0", } ] } ] }) security_group_created = true rescue Aws::EC2::Errors::InvalidGroupDuplicate puts "A security group with the name '#{security_group_name}' already exists." end # Get information about your security groups. # This method gets information about an individual IP permission. # The code is identical for calling ip_permissions and ip_permissions_egress later, # so making a method out of it to reduce duplicated code. def describe_ip_permission(ip_permission) puts "-" * 22 puts "IP Protocol: #{ip_permission.ip_protocol}" puts "From Port: #{ip_permission.from_port}" puts "To Port: #{ip_permission.to_port}" if ip_permission.ip_ranges.count > 0 puts "IP Ranges:" ip_permission.ip_ranges.each do |ip_range| puts " #{ip_range.cidr_ip}" end end if ip_permission.ipv_6_ranges.count > 0 puts "IPv6 Ranges:" ip_permission.ipv_6_ranges.each do |ipv_6_range| puts " #{ipv_6_range.cidr_ipv_6}" end end if ip_permission.prefix_list_ids.count > 0 puts "Prefix List IDs:" ip_permission.prefix_list_ids.each do |prefix_list_id| puts " #{prefix_list_id.prefix_list_id}" end end if ip_permission.user_id_group_pairs.count > 0 puts "User ID Group Pairs:" ip_permission.user_id_group_pairs.each do |user_id_group_pair| puts " ." * 7 puts " Group ID: #{user_id_group_pair.group_id}" puts " Group Name: #{user_id_group_pair.group_name}" puts " Peering Status: #{user_id_group_pair.peering_status}" puts " User ID: #{user_id_group_pair.user_id}" puts " VPC ID: #{user_id_group_pair.vpc_id}" puts " VPC Peering Connection ID: #{user_id_group_pair.vpc_peering_connection_id}" end end end describe_security_groups_result = ec2.describe_security_groups describe_security_groups_result.security_groups.each do |security_group| puts "\n" puts "*" * (security_group.group_name.length + 12) puts "Group Name: #{security_group.group_name}" puts "Group ID: #{security_group.group_id}" puts "Description: #{security_group.description}" puts "VPC ID: #{security_group.vpc_id}" puts "Owner ID: #{security_group.owner_id}" if security_group.ip_permissions.count > 0 puts "=" * 22 puts "IP Permissions:" security_group.ip_permissions.each do |ip_permission| describe_ip_permission(ip_permission) end end if security_group.ip_permissions_egress.count > 0 puts "=" * 22 puts "IP Permissions Egress:" security_group.ip_permissions_egress.each do |ip_permission| describe_ip_permission(ip_permission) end end if security_group.tags.count > 0 puts "=" * 22 puts "Tags:" security_group.tags.each do |tag| puts " #{tag.key} = #{tag.value}" end end end # Delete the security group if it was created earlier. if security_group_created ec2.delete_security_group({ group_id: create_security_group_result.group_id }) end