Create a security group, and optionally associate it with AWS resources.
Full classification: Deployment | Advanced stack components | Security group | Create (review required)
Change Type Details
Change type ID |
ct-1oxx2g2d7hc90 |
Current version |
2.0 |
Expected execution duration |
240 minutes |
AWS approval |
Required |
Customer approval |
Not required if submitter |
Execution mode |
Manual |
Additional Information
Create security group (review required)
Screenshot of this change type in the AMS console:
How it works:
Navigate to the Create RFC page: In the left navigation pane of the AMS console click RFCs to open the RFCs list page, and then click Create RFC.
Choose a popular change type (CT) in the default Browse change types view, or select a CT in the Choose by category view.
Browse by change type: You can click on a popular CT in the Quick create area to immediately open the Run RFC page. Note that you cannot choose an older CT version with quick create.
To sort CTs, use the All change types area in either the Card or Table view. In either view, select a CT and then click Create RFC to open the Run RFC page. If applicable, a Create with older version option appears next to the Create RFC button.
Choose by category: Select a category, subcategory, item, and operation and the CT details box opens with an option to Create with older version if applicable. Click Create RFC to open the Run RFC page.
On the Run RFC page, open the CT name area to see the CT details box. A Subject is required (this is filled in for you if you choose your CT in the Browse change types view). Open the Additional configuration area to add information about the RFC.
In the Execution configuration area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the Additional configuration area.
When finished, click Run. If there are no errors, the RFC successfully created page displays with the submitted RFC details, and the initial Run output.
Open the Run parameters area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.
Screenshot of this change type in the AMS console:
How it works:
Navigate to the Create RFC page: In the left navigation pane of the AMS console click RFCs to open the RFCs list page, and then click Create RFC.
Choose a popular change type (CT) in the default Browse change types view, or select a CT in the Choose by category view.
Browse by change type: You can click on a popular CT in the Quick create area to immediately open the Run RFC page. Note that you cannot choose an older CT version with quick create.
To sort CTs, use the All change types area in either the Card or Table view. In either view, select a CT and then click Create RFC to open the Run RFC page. If applicable, a Create with older version option appears next to the Create RFC button.
Choose by category: Select a category, subcategory, item, and operation and the CT details box opens with an option to Create with older version if applicable. Click Create RFC to open the Run RFC page.
On the Run RFC page, open the CT name area to see the CT details box. A Subject is required (this is filled in for you if you choose your CT in the Browse change types view). Open the Additional configuration area to add information about the RFC.
In the Execution configuration area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the Additional configuration area.
When finished, click Run. If there are no errors, the RFC successfully created page displays with the submitted RFC details, and the initial Run output.
Open the Run parameters area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.
How it works:
Use either the Inline Create (you issue a
create-rfccommand with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue thecreate-rfccommand with the two files as input. Both methods are described here.Submit the RFC:
aws amscm submit-rfc --rfc-idcommand with the returned RFC ID.IDMonitor the RFC:
aws amscm get-rfc --rfc-idcommand.ID
To check the change type version, use this command:
aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID
Note
You can use any CreateRfc parameters with any RFC whether or not they are part of the schema for the
change type. For example, to get notifications when the RFC status changes, add this line, --notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}" to the
RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the
AMS Change Management API Reference.
INLINE CREATE:
Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this:
aws --profile saml amscm create-rfc --change-type-id "ct-1oxx2g2d7hc90" --change-type-version "2.0" --title "Test-SG-RR" --execution-parameters "{\"Description\":\"Test-SG-RR\", \"Name\":\"Test-SG-IC\", \"InboundRules\":{\"Protocol\":\"TCP\", \"PortRange\":\"49152-65535\, \"Source\":\"203.0.113.5/32\"}, \"OutboundRules\":{\"Protocol\":\"TCP\", \"PortRange\":\"49152-65535\, \"Destination\":\"203.0.113.5/32\"}}"
TEMPLATE CREATE:
Output the execution parameters JSON schema for this change type to a file; this example names it CreateSgRrParams.json.
aws amscm get-change-type-version --change-type-id "ct-1oxx2g2d7hc90" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateSgRrParams.jsonModify and save the CreateSgRrParams file. For example, you can replace the contents with something like this:
{ "Description": "SG-Create-With-Review", "Name": "My-SG", "VpcId": "vpc-12345abc", "InboundRules": { "Protocol": "TRAFFIC_PROTOCOL", "PortRange": "PORT_RANGE", "Source": "TRAFFIC_SOURCE" }, "OutboundRules": { "Protocol": "TRAFFIC_PROTOCOL", "PortRange": "PORT_RANGE", "Destination": "TRAFFIC_DESTINATION" } }Output the RFC template JSON file to a file named CreateSgRrRfc.json:
aws amscm create-rfc --generate-cli-skeleton > CreateSgRrRfc.jsonModify and save the CreateSgRrRfc.json file. For example, you can replace the contents with something like this:
{ "ChangeTypeVersion": "2.0", "ChangeTypeId": "ct-1oxx2g2d7hc90", "Title": "SG-Create-RR-RFC" }Create the RFC, specifying the CreateSgRrRfc file and the CreateSgRrParams file:
aws amscm create-rfc --cli-input-json file://CreateSgRrRfc.json --execution-parameters file://CreateSgRrParams.jsonYou receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.
Note
There is an automated change type for creating a security group, Deployment | Advanced stack components | Security group | Create (no review required) (ct-3pc215bnwb6p7) that provides options for TCP and ICMP ingress and egress rules. If those rules are adequate, the Create (auto) change type will execute more quickly than this change type. For details, see Security Group | Create.
Note
Once the security group is created, use Security Group | Associate to associate the security group with your AMS resources. In order to delete a security group, it must have associated resources.
Note
Outbound rules are not required; however, if they are not specified, then a "127.0.0.1/32 Blackhole Rule" is used, meaning that the resource will only be able to communicate to itself and not with other resources. You can see this default outbound rule when using the AMS console, but not when using the AMS API/CLI.
This is a "review required" change type (an AMS operator must review and run the CT), which means that the RFC can take longer to run and you might have to communicate with AMS through the RFC details page correspondance option. Additionally, if you schedule a "review required" change type RFC, be sure to allow at least 24 hours, if approval does not happen before the scheduled start time, the RFC is rejected automatically.
To learn more about AWS security groups and creating security groups, see Security Group Rules Reference; this page can help you determine the rules you want and, importantly, how to name your security group so choosing it when creating other resources is intuitive. Also see Amazon EC2 Security Groups for Linux Instances and/or Security Groups for Your VPC.
To better understand general AWS security, see
Best Practices for Security, Identity, & Compliance
Once the security group is created, use Security Group | Associate to associate the security group with your AMS resources. In order to delete a security group, it must have associated resources.
Execution Input Parameters
For detailed information about the execution input parameters, see Schema for Change Type ct-1oxx2g2d7hc90.
Example: Required Parameters
{
"VpcId": "vpc-12345abc",
"Name": "app1-webserver",
"Description": "App1 group",
"InboundRules": [],
"OutboundRules": []
}
Example: All Parameters
{
"VpcId": "vpc-1234abcd",
"Name": "app1-webserver",
"Description": "App1 group",
"AssociatedResources": [
"i-1234abcd",
"i-234abcd1",
"i-34abcd12",
"i-4abcd123",
"i-abcd1234",
"i-1234567890abcdefg",
"i-234567890abcdefg1",
"i-34567890abcdefg12",
"i-4567890abcdefg123",
"i-567890abcdefg1234"
],
"InboundRules": [
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "TCP", "PortRange":"80", "Source": "192.168.0.0/16", "Description": "Client1" }
],
"OutboundRules": [
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" },
{ "Protocol": "ALL", "PortRange": "ALL", "Destination": "192.168.0.0/16", "Description": "Client1" }
],
"Priority": "Medium",
"Tags": [
{ "Key": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV", "Value": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst" },
{ "Key": "B", "Value": "bb" },
{ "Key": "C", "Value": "cc" },
{ "Key": "D", "Value": "dd" },
{ "Key": "E", "Value": "ee" },
{ "Key": "F", "Value": "ff" },
{ "Key": "G", "Value": "gg" },
{ "Key": "H", "Value": "hh" },
{ "Key": "I", "Value": "ii" },
{ "Key": "J", "Value": "jj" },
{ "Key": "K", "Value": "kk" },
{ "Key": "L", "Value": "ll" },
{ "Key": "M", "Value": "mm" },
{ "Key": "N", "Value": "nn" },
{ "Key": "O", "Value": "oo" },
{ "Key": "P", "Value": "pp" },
{ "Key": "Q", "Value": "qq" },
{ "Key": "R", "Value": "rr" },
{ "Key": "S", "Value": "ss" },
{ "Key": "T", "Value": "tt" },
{ "Key": "U", "Value": "uu" },
{ "Key": "V", "Value": "vv" },
{ "Key": "W", "Value": "ww" },
{ "Key": "X", "Value": "xx" },
{ "Key": "Y", "Value": "yy" },
{ "Key": "Z", "Value": "zz" },
{ "Key": "a", "Value": "aa" },
{ "Key": "b", "Value": "bb" },
{ "Key": "c", "Value": "cc" },
{ "Key": "d", "Value": "dd" },
{ "Key": "e", "Value": "ee" },
{ "Key": "f", "Value": "ff" },
{ "Key": "g", "Value": "gg" },
{ "Key": "h", "Value": "hh" },
{ "Key": "i", "Value": "ii" },
{ "Key": "j", "Value": "jj" },
{ "Key": "k", "Value": "kk" },
{ "Key": "l", "Value": "ll" },
{ "Key": "m", "Value": "mm" },
{ "Key": "n", "Value": "nn" },
{ "Key": "o", "Value": "oo" },
{ "Key": "p", "Value": "pp" },
{ "Key": "q", "Value": "qq" },
{ "Key": "r", "Value": "rr" },
{ "Key": "s", "Value": "ss" },
{ "Key": "t", "Value": "tt" },
{ "Key": "u", "Value": "uu" },
{ "Key": "v", "Value": "vv" },
{ "Key": "w", "Value": "ww" },
{ "Key": "x", "Value": "xx" }
]
}
