AWS::EC2::SecurityGroup - AWS CloudFormation

AWS::EC2::SecurityGroup

Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which to create the security group.

If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.

This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Important

To cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : String, "GroupName" : String, "SecurityGroupEgress" : [ Egress, ... ], "SecurityGroupIngress" : [ Ingress, ... ], "Tags" : [ Tag, ... ], "VpcId" : String } }

YAML

Type: AWS::EC2::SecurityGroup Properties: GroupDescription: String GroupName: String SecurityGroupEgress: - Egress SecurityGroupIngress: - Ingress Tags: - Tag VpcId: String

Properties

GroupDescription

A description for the security group.

Constraints: Up to 255 characters in length

Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

Required: Yes

Type: String

Update requires: Replacement

GroupName

The name of the security group.

Constraints: Up to 255 characters in length. Cannot start with sg-.

Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

Required: No

Type: String

Update requires: Replacement

SecurityGroupEgress

The outbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.

Required: No

Type: Array of Egress

Update requires: Some interruptions

SecurityGroupIngress

The inbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.

Required: No

Type: Array of Ingress

Update requires: Some interruptions

Tags

Any tags assigned to the security group.

Required: No

Type: Array of Tag

Update requires: No interruption

VpcId

The ID of the VPC for the security group. If you do not specify a VPC, the default is to use the default VPC for the Region. If there's no specified VPC and no default VPC, security group creation fails.

Required: Conditional

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security group if you specified the VpcId property. Otherwise, it returns the name of the security group. If you omit the VpcId property and need the ID of the VPC, use Fn::GetAtt instead.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

GroupId

The ID of the security group, such as sg-94b3a1f6.

VpcId

The ID of the VPC, such as vpc-0669f8f9.

Examples

Define basic ingress and egress rules

The following example specifies a security group with an ingress and egress rule.

JSON

"InstanceSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Allow http to client host", "VpcId" : {"Ref" : "myVPC"}, "SecurityGroupIngress" : [{ "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0" }], "SecurityGroupEgress" : [{ "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0" }] } }

YAML

InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: !Ref myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0

Remove the default rule

When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules. If you want to remove the default rule and limit egress traffic to just the localhost (127.0.0.1/32), use the following example.

JSON

"sgwithoutegress": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Limits security group egress traffic", "SecurityGroupEgress": [{ "CidrIp": "127.0.0.1/32", "IpProtocol": "-1" }], "VpcId": { "Ref": "myVPC"} } }

YAML

sgwithoutegress: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Limits security group egress traffic SecurityGroupEgress: - CidrIp: 127.0.0.1/32 IpProtocol: "-1" VpcId: !Ref myVPC

Allow ping requests

To allow ping requests, add the ICMP protocol type and specify 8 (echo request) for the ICMP type and either 0 or -1 (all) for the ICMP code.

JSON

"SGPing" : { "Type" : "AWS::EC2::SecurityGroup", "DependsOn": "VPC", "Properties" : { "GroupDescription" : "SG to test ping", "VpcId" : {"Ref" : "VPC"}, "SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "10.0.0.0/24" }, { "IpProtocol" : "icmp", "FromPort" : 8, "ToPort" : -1, "CidrIp" : "10.0.0.0/24" }] } }

YAML

SGPing: Type: AWS::EC2::SecurityGroup DependsOn: VPC Properties: GroupDescription: SG to test ping VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 10.0.0.0/24 - IpProtocol: icmp FromPort: 8 ToPort: -1 CidrIp: 10.0.0.0/24

See also