Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
AWS::EC2::SecurityGroupIngress
Adds an inbound rule to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group.
You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify a port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean all types or all codes.
You must specify a source security group
(SourcePrefixListId, SourceSecurityGroupId, or SourceSecurityGroupName) or a
CIDR range (CidrIp or CidrIpv6).
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::EC2::SecurityGroupIngress", "Properties" : { "CidrIp" :String, "CidrIpv6" :String, "Description" :String, "FromPort" :Integer, "GroupId" :String, "GroupName" :String, "IpProtocol" :String, "SourcePrefixListId" :String, "SourceSecurityGroupId" :String, "SourceSecurityGroupName" :String, "SourceSecurityGroupOwnerId" :String, "ToPort" :Integer} }
YAML
Type: AWS::EC2::SecurityGroupIngress Properties: CidrIp:StringCidrIpv6:StringDescription:StringFromPort:IntegerGroupId:StringGroupName:StringIpProtocol:StringSourcePrefixListId:StringSourceSecurityGroupId:StringSourceSecurityGroupName:StringSourceSecurityGroupOwnerId:StringToPort:Integer
Properties
CidrIp-
The IPv4 ranges.
Required: No
Type: String
Update requires: Replacement
CidrIpv6-
[VPC only] The IPv6 ranges.
Required: No
Type: String
Update requires: Replacement
Description-
Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
Required: No
Type: String
Update requires: No interruption
FromPort-
The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of
-1indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.Use this for ICMP and any protocol that uses ports.
Required: No
Type: Integer
Update requires: Replacement
GroupId-
The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
You must specify the
GroupNameproperty or theGroupIdproperty. For security groups that are in a VPC, you must use theGroupIdproperty.Required: No
Type: String
Update requires: Replacement
GroupName-
The name of the security group.
Constraints: Up to 255 characters in length. Cannot start with
sg-.Constraints for EC2-Classic: ASCII characters
Constraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
Required: No
Type: String
Update requires: Replacement
IpProtocol-
The IP protocol name (
tcp,udp,icmp,icmpv6) or number (see Protocol Numbers). [VPC only] Use
-1to specify all protocols. When authorizing security group rules, specifying-1or a protocol number other thantcp,udp,icmp, oricmpv6allows traffic on all ports, regardless of any port range you specify. Fortcp,udp, andicmp, you must specify a port range. Foricmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.Required: Yes
Type: String
Update requires: Replacement
SourcePrefixListId-
[EC2-VPC only] The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
Required: No
Type: String
Update requires: Replacement
SourceSecurityGroupId-
The ID of the security group. You must specify either the security group ID or the security group name. For security groups in a nondefault VPC, you must specify the security group ID.
Required: No
Type: String
Update requires: Replacement
SourceSecurityGroupName-
[EC2-Classic, default VPC] The name of the source security group.
You must specify the
GroupNameproperty or theGroupIdproperty. For security groups that are in a VPC, you must use theGroupIdproperty.Required: No
Type: String
Update requires: Replacement
SourceSecurityGroupOwnerId-
[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access.
If you specify
SourceSecurityGroupNameorSourceSecurityGroupIdand that security group is owned by a different account than the account creating the stack, you must specify theSourceSecurityGroupOwnerId; otherwise, this property is optional.Required: Conditional
Type: String
Update requires: Replacement
ToPort-
The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of
-1indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes.Use this for ICMP and any protocol that uses ports.
Required: No
Type: Integer
Update requires: Replacement
Examples
EC2 Security Group and Ingress Rule
To declare an Amazon EC2 (non-VPC) security group and an ingress rule, use the SourceSecurityGroupName property in the ingress rule.
The following template example defines an EC2 security group with an ingress rule that allows incoming traffic on port 80 from any other host in the security group.
JSON
"SGBase": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Base Security Group", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22 } ] } }, "SGBaseIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupName": { "Ref": "SGBase" }, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "SourceSecurityGroupId": { "Fn::GetAtt": [ "SGBase", "GroupId" ] } } }
YAML
SGBase: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Base Security Group SecurityGroupIngress: - IpProtocol: tcp CidrIp: 0.0.0.0/0 FromPort: 22 ToPort: 22 SGBaseIngress: Type: 'AWS::EC2::SecurityGroupIngress' Properties: GroupName: !Ref SGBase IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: !GetAtt SGBase.GroupId
Allow Traffic from a Security Group in a Peered VPC
Like the previous example, the following example allows one-way traffic from an
originating (source) security group to a destination (target) security group. However,
in
this example the security groups are in peered VPCs across AWS accounts. You might
want to
allow cross-account traffic if, for example, you create a security scanning resource
in one
AWS account that you'll use to run diagnostics in another account. This example adds
an
ingress rule to a target VPC security group that allows incoming traffic from a source
security group in a different AWS account. Note that the source security group also
needs an
egress rule that allows outgoing traffic to the target security group. Because the
source
security group is in a different account, the following example doesn't use the Ref
function
to reference the source security group ID but instead directly specifies the security
group
ID sg-12345678.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "TargetSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": "vpc-1a2b3c4d", "GroupDescription": "Security group allowing ingress for security scanners" } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceSecurityGroupId": "sg-12345678", "SourceSecurityGroupOwnerId": "123456789012" } } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Resources: TargetSG: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: vpc-1a2b3c4d GroupDescription: Security group allowing ingress for security scanners InboundRule: Type: 'AWS::EC2::SecurityGroupIngress' Properties: GroupId: !GetAtt TargetSG.GroupId IpProtocol: tcp FromPort: '80' ToPort: '80' SourceSecurityGroupId: sg-12345678 SourceSecurityGroupOwnerId: '123456789012'
VPC Security Groups with Egress and Ingress Rules
In some cases, you might have an originating (source) security group to which you want to add an outbound rule that allows traffic to a destination (target) security group. The target security group also needs an inbound rule that allows traffic from the source security group. Note that you cannot use the Ref function to specify the outbound and inbound rules for each security group. Doing so creates a circular dependency; you cannot have two resources that depend on each other. Instead, use the egress and ingress resources to declare these outbound and inbound rules, as shown in the following template example.
JSON
"Resources": { "SourceSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId" : "vpc-1a2b3c4d", "GroupDescription": "Sample source security group" } }, "TargetSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId" : "vpc-1a2b3c4d", "GroupDescription": "Sample target security group" } }, "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties":{ "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] } } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties":{ "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] } } } }
YAML
SourceSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: vpc-1a2b3c4d GroupDescription: Sample source security group TargetSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: vpc-1a2b3c4d GroupDescription: Sample target security group OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 DestinationSecurityGroupId: Fn::GetAtt: - TargetSG - GroupId GroupId: Fn::GetAtt: - SourceSG - GroupId InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 SourceSecurityGroupId: Fn::GetAtt: - SourceSG - GroupId GroupId: Fn::GetAtt: - TargetSG - GroupId
Allow Ping Requests
To allow ping requests, add the ICMP protocol type and specify 8 (echo request) for the ICMP type and either 0 or -1 (all) for the ICMP code.
JSON
"SGPing" : { "Type" : "AWS::EC2::SecurityGroup", "DependsOn": "VPC", "Properties" : { "GroupDescription" : "SG to test ping", "VpcId" : {"Ref" : "VPC"}, "SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "10.0.0.0/24" }, { "IpProtocol" : "icmp", "FromPort" : 8, "ToPort" : -1, "CidrIp" : "10.0.0.0/24" } ] } }
YAML
SGPing: Type: AWS::EC2::SecurityGroup DependsOn: VPC Properties: GroupDescription: SG to test ping VpcId: Ref: VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 10.0.0.0/24 - IpProtocol: icmp FromPort: 8 ToPort: -1 CidrIp: 10.0.0.0/24
