EC2 Security Group Rule Property Type
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.
Syntax: SecurityGroupIngress
JSON
{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "Description" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "SourceSecurityGroupId" : String,
  "SourceSecurityGroupName" : String,
  "SourceSecurityGroupOwnerId" : String,
  "ToPort" : Integer
}
YAML
CidrIp: String
CidrIpv6: String
Description: String
FromPort: Integer
IpProtocol: String
SourceSecurityGroupId: String
SourceSecurityGroupName: String
SourceSecurityGroupOwnerId: String
ToPort: Integer
Syntax: SecurityGroupEgress
JSON
{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "Description" : String,
  "DestinationPrefixListId" : String,
  "DestinationSecurityGroupId" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "ToPort" : Integer
}
YAML
CidrIp: String
CidrIpv6: String
Description: String
DestinationPrefixListId: String
DestinationSecurityGroupId: String
FromPort: Integer
IpProtocol: String
ToPort: Integer
Properties
CidrIp
Specifies an IPv4 CIDR range.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
CidrIpv6
Specifies an IPv6 CIDR range.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
Description
Description of the security group rule.
Type: String
DestinationPrefixListId (SecurityGroupEgress only)
The AWS service prefix of an Amazon VPC endpoint. For more information, see VPC Endpoints in the Amazon VPC User Guide.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
DestinationSecurityGroupId (SecurityGroupEgress only)
Specifies the GroupId of the destination Amazon VPC security group.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
FromPort
The start of the port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (i.e., any ICMP type number).
Required: No
Type: Integer
IpProtocol
An IP protocol name or number. For valid values, see the IpProtocol parameter in AuthorizeSecurityGroupIngress.
Required: Yes
Type: String
SourceSecurityGroupId (SecurityGroupIngress only)
For VPC security groups only. Specifies the ID of the Amazon EC2 Security Group to allow access. You can use the Ref intrinsic function to refer to the logical ID of a security group defined in the same template.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
SourceSecurityGroupName (SecurityGroupIngress only)
For non-VPC security groups only. Specifies the name of the Amazon EC2 Security Group to use for access. You can use the Ref intrinsic function to refer to the logical name of a security group that is defined in the same template.
Required: Conditional. If you specify CidrIp, do not specify SourceSecurityGroupName.
Type: String
SourceSecurityGroupOwnerId (SecurityGroupIngress only)
Specifies the AWS Account ID of the owner of the Amazon EC2 Security Group that is specified in the SourceSecurityGroupName property.
Required: Conditional. If you specify SourceSecurityGroupName and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.
Type: String
ToPort
The end of the port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates a wildcard (i.e., any ICMP code).
Required: No
Type: Integer
Examples
Security Group with CidrIp
JSON
"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable SSH access via port 22",
    "SecurityGroupIngress" : [
      { "IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0" }
    ]
  }
}
YAML
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Enable SSH access via port 22"
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort: 22
        ToPort: 22
        CidrIp: "0.0.0.0/0"
Security Group with Security Group Id
JSON
"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable HTTP access on the configured port",
    "VpcId" : { "Ref" : "VpcId" },
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : { "Ref" : "WebServerPort" },
        "ToPort" : { "Ref" : "WebServerPort" },
        "SourceSecurityGroupId" : { "Ref" : "LoadBalancerSecurityGroup" }
      }
    ]
  }
}
YAML
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Enable HTTP access on the configured port"
    VpcId:
      Ref: "VpcId"
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort:
          Ref: "WebServerPort"
        ToPort:
          Ref: "WebServerPort"
        SourceSecurityGroupId:
          Ref: "LoadBalancerSecurityGroup"
Security Group with Multiple Ingress Rules
This snippet grants SSH access with CidrIp, and HTTP access with SourceSecurityGroupName. Fn::GetAtt is used to derive the values for SourceSecurityGroupName and SourceSecurityGroupOwnerId from the elastic load balancer.
JSON
"ElasticLoadBalancer" : {
  "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "Listeners" : [
      {
        "LoadBalancerPort" : "80",
        "InstancePort" : { "Ref" : "WebServerPort" },
        "Protocol" : "HTTP"
      }
    ],
    "HealthCheck" : {
      "Target" : { "Fn::Join" : [ "", [ "HTTP:", { "Ref" : "WebServerPort" }, "/" ] ] },
      "HealthyThreshold" : "3",
      "UnhealthyThreshold" : "5",
      "Interval" : "30",
      "Timeout" : "5"
    }
  }
},
"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Allow SSH access from all IP addresses and HTTP from the load balancer only",
    "SecurityGroupIngress" : [
      { "IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0" },
      {
        "IpProtocol" : "tcp",
        "FromPort" : { "Ref" : "WebServerPort" },
        "ToPort" : { "Ref" : "WebServerPort" },
        "SourceSecurityGroupOwnerId" : { "Fn::GetAtt" : [ "ElasticLoadBalancer", "SourceSecurityGroup.OwnerAlias" ] },
        "SourceSecurityGroupName" : { "Fn::GetAtt" : [ "ElasticLoadBalancer", "SourceSecurityGroup.GroupName" ] }
      }
    ]
  }
}
YAML
ElasticLoadBalancer:
  Type: AWS::ElasticLoadBalancing::LoadBalancer
  Properties:
    AvailabilityZones:
      Fn::GetAZs: ""
    Listeners:
      - LoadBalancerPort: "80"
        InstancePort:
          Ref: "WebServerPort"
        Protocol: "HTTP"
    HealthCheck:
      Target:
        Fn::Join:
          - ""
          - - "HTTP:"
            - Ref: "WebServerPort"
            - "/"
      HealthyThreshold: "3"
      UnhealthyThreshold: "5"
      Interval: "30"
      Timeout: "5"
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Allow SSH access from all IP addresses and HTTP from the load balancer only"
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort: 22
        ToPort: 22
        CidrIp: "0.0.0.0/0"
      - IpProtocol: "tcp"
        FromPort:
          Ref: "WebServerPort"
        ToPort:
          Ref: "WebServerPort"
        SourceSecurityGroupOwnerId:
          Fn::GetAtt:
            - "ElasticLoadBalancer"
            - "SourceSecurityGroup.OwnerAlias"
        SourceSecurityGroupName:
          Fn::GetAtt:
            - "ElasticLoadBalancer"
            - "SourceSecurityGroup.GroupName"
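The conditional requirements listed under Properties (exactly one source or destination property per rule, the ingress-only and egress-only keys, the -1 wildcard for ICMP, an ascending port range for TCP and UDP) and the world-open SSH rule used in the examples above can both be checked before a template is deployed. The following Python validator is an added example, not part of the AWS documentation or of CloudFormation's own tooling. The sample template is constructed from the page's example rules plus deliberately invalid ones; the sg-0123456789abcdef0 group ID, the DbSecurityGroup reference and the management-port list are placeholders, and the expectation that tcp/udp rules carry FromPort and ToPort is the author's assumption. Intrinsic functions such as Ref and Fn::GetAtt are left unresolved and skipped rather than guessed at.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# The page lists these as "specify only one of"; SourceSecurityGroupName is added because the
# page says it must not be combined with CidrIp either.
PEER_KEYS = ("CidrIp", "CidrIpv6", "DestinationPrefixListId", "DestinationSecurityGroupId",
             "SourceSecurityGroupId", "SourceSecurityGroupName")
EGRESS_ONLY = {"DestinationPrefixListId", "DestinationSecurityGroupId"}
INGRESS_ONLY = {"SourceSecurityGroupId", "SourceSecurityGroupName", "SourceSecurityGroupOwnerId"}
# Ports a reviewer usually does not want exposed to every address (assumption: local policy).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample template: the page's example rules plus two invalid ones (index 3 and 4).
SAMPLE_TEMPLATE = {"Resources": {"InstanceSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Allow SSH from all IP addresses and HTTP from the load balancer only",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": {"Ref": "WebServerPort"}, "ToPort": {"Ref": "WebServerPort"},
             "SourceSecurityGroupId": {"Ref": "LoadBalancerSecurityGroup"}},
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "CidrIp": "10.0.0.0/8"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8",
             "SourceSecurityGroupId": "sg-0123456789abcdef0"},   # invalid: two peer properties
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 80, "CidrIp": "192.0.2.0/24"},  # invalid range
            {"IpProtocol": "-1", "CidrIpv6": "::/0"},
        ],
        "SecurityGroupEgress": [
            {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "DestinationSecurityGroupId": {"Ref": "DbSecurityGroup"}},
        ],
    },
}}}


def _literal_int(value: Any) -> Optional[int]:
    """Return a port/type as int, or None for an unresolved intrinsic such as {"Ref": ...}."""
    if isinstance(value, (bool, dict, list)):
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def validate_rule(rule: dict, direction: str) -> List[str]:
    """Check one SecurityGroupIngress/SecurityGroupEgress entry against the page's constraints."""
    problems: List[str] = []
    peers = [k for k in PEER_KEYS if k in rule]
    if len(peers) != 1:
        problems.append(f"expected exactly one of {PEER_KEYS}, got {peers or 'none'}")
    wrong = EGRESS_ONLY if direction == "ingress" else INGRESS_ONLY
    for key in sorted(wrong & rule.keys()):
        problems.append(f"{key} is not valid in {direction} rules")
    if "SourceSecurityGroupOwnerId" in rule and "SourceSecurityGroupName" not in rule:
        problems.append("SourceSecurityGroupOwnerId only applies together with SourceSecurityGroupName")
    if "IpProtocol" not in rule:
        problems.append("IpProtocol is required")
    for key, version in (("CidrIp", 4), ("CidrIpv6", 6)):
        if isinstance(rule.get(key), str):
            try:
                if ipaddress.ip_network(rule[key], strict=False).version != version:
                    problems.append(f"{key} must be an IPv{version} range, got {rule[key]}")
            except ValueError:
                problems.append(f"{key} is not a valid CIDR: {rule[key]!r}")
    proto = str(rule.get("IpProtocol", "")).lower()
    lo, hi = _literal_int(rule.get("FromPort")), _literal_int(rule.get("ToPort"))
    if proto in ("tcp", "udp", "6", "17"):
        if "FromPort" not in rule or "ToPort" not in rule:
            problems.append(f"{proto} rules should specify FromPort and ToPort")
        elif lo is not None and hi is not None and not (0 <= lo <= hi <= 65535):
            problems.append(f"port range {lo}-{hi} is not a valid ascending TCP/UDP range")
    elif proto in ("icmp", "icmpv6", "1", "58"):
        # -1 is the documented wildcard for the ICMP type (FromPort) and code (ToPort).
        for name, val in (("FromPort", lo), ("ToPort", hi)):
            if val is not None and not (val == -1 or 0 <= val <= 255):
                problems.append(f"{name}={val} is not an ICMP type/code or the -1 wildcard")
    return problems


def world_open_findings(rule: dict, direction: str) -> List[str]:
    """Flag ingress rules whose CidrIp/CidrIpv6 is any address and which reach a management port."""
    if direction != "ingress" or not (rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"):
        return []
    proto = str(rule.get("IpProtocol", "")).lower()
    lo, hi = _literal_int(rule.get("FromPort")), _literal_int(rule.get("ToPort"))
    if proto == "-1":
        return ["all protocols and ports open to the world"]
    if lo is None or hi is None:
        return []
    return [f"{name} (port {port}) open to the world" for port, name in MANAGEMENT_PORTS.items() if lo <= port <= hi]


def audit_template(template: dict) -> Dict[str, List[str]]:
    """Walk every AWS::EC2::SecurityGroup in a parsed template and collect errors and findings."""
    report: Dict[str, List[str]] = {"errors": [], "findings": []}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = resource.get("Properties", {})
        for direction, key in (("ingress", "SecurityGroupIngress"), ("egress", "SecurityGroupEgress")):
            for i, rule in enumerate(props.get(key, [])):
                where = f"{logical_id}.{key}[{i}]"
                report["errors"] += [f"{where}: {p}" for p in validate_rule(rule, direction)]
                report["findings"] += [f"{where}: {f}" for f in world_open_findings(rule, direction)]
    return report


if __name__ == "__main__":
    for kind, lines in audit_template(SAMPLE_TEMPLATE).items():
        print(kind.upper())
        for line in lines:
            print("  " + line)
```

On the sample template the validator reports two errors (the rule with both CidrIp and SourceSecurityGroupId, and the 1024-80 range) and two findings (SSH open to the world on ingress rule 0, and the all-protocol IPv6 rule). The egress rule to 0.0.0.0/0 is not flagged, because the check only looks at inbound exposure; a real template can be loaded with json.load or a YAML parser and passed to audit_template unchanged.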
See Also
- Amazon EC2 Security Groups in the Amazon EC2 User Guide
