AWS::EC2::SecurityGroup
Creates an Amazon EC2 security group. To create a VPC security group, use the VpcId property.
This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.
Important
If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupName" : String,
    "GroupDescription" : String,
    "SecurityGroupEgress" : [ Security Group Rule, ... ],
    "SecurityGroupIngress" : [ Security Group Rule, ... ],
    "Tags" : [ Resource Tag, ... ],
    "VpcId" : String
  }
}
YAML
Type: AWS::EC2::SecurityGroup
Properties:
  GroupName: String
  GroupDescription: String
  SecurityGroupEgress:
    - Security Group Rule
  SecurityGroupIngress:
    - Security Group Rule
  Tags:
    - Resource Tag
  VpcId: String
Properties
GroupName-
The name of the security group. For valid values, see the GroupName parameter of the CreateSecurityGroup action in the Amazon EC2 API Reference. If you don't specify a GroupName, AWS CloudFormation generates a unique physical ID and uses that ID for the group name. For more information, see Name Type.
Important
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement
GroupDescription-
A description of the security group.
Required: Yes
Type: String
Update requires: Replacement
SecurityGroupEgress-
A list of Amazon EC2 security group egress rules.
Required: No
Type: List of SecurityGroupRule
Update requires: No interruption
SecurityGroupIngress-
A list of Amazon EC2 security group ingress rules.
Required: No
Type: List of SecurityGroupRule
Update requires: No interruption
Tags-
The tags that you want to attach to the resource.
Required: No
Type: List of Resource Tag
Update requires: No interruption
VpcId-
The physical ID of the VPC. You can obtain the physical ID by using a reference to an AWS::EC2::VPC, such as { "Ref" : "myVPC" }. For more information about using the Ref function, see Ref.
Required: Yes, for VPC security groups without a default VPC
Type: String
Update requires: Replacement
Note
For more information about VPC security groups, see Security Groups in the Amazon VPC User Guide.
Return Values
Ref
When you specify an AWS::EC2::SecurityGroup type as an argument to the
Ref function, AWS CloudFormation returns the security group name or the security
group ID (for EC2-VPC security groups that are not in a default VPC).
For more information about using the Ref function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type.
The following are the available attributes and sample return values.
GroupId-
The group ID of the specified security group, such as sg-94b3a1f6.
For more information about using Fn::GetAtt, see Fn::GetAtt.
Examples
Define Basic Ingress and Egress Rules
The following example defines a security group with an ingress and egress rule.
JSON
"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Allow http to client host",
    "VpcId" : { "Ref" : "myVPC" },
    "SecurityGroupIngress" : [
      { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0" }
    ],
    "SecurityGroupEgress" : [
      { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0" }
    ]
  }
}
YAML
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow http to client host
    VpcId:
      Ref: myVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
Remove Default Rule
When you create a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules. If you want to remove the default rule and limit egress traffic to just the localhost (127.0.0.1/32), use the following example.
JSON
"sgwithoutegress": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Limits security group egress traffic",
    "SecurityGroupEgress": [
      { "CidrIp": "127.0.0.1/32", "IpProtocol": "-1" }
    ],
    "VpcId": { "Ref": "myVPC" }
  }
}
YAML
sgwithoutegress:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Limits security group egress traffic
    SecurityGroupEgress:
      - CidrIp: 127.0.0.1/32
        IpProtocol: "-1"
    VpcId:
      Ref: myVPC
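The three points this page makes about embedded rules (the circular-dependency restriction in the Important note, the default allow-all egress rule that stays unless an egress rule is declared, and the 0.0.0.0/0 ingress in the basic example) can be checked statically before a stack is deployed. The checker below is an added example, not part of the AWS documentation; it assumes the SecurityGroupRule properties CidrIp, CidrIpv6, SourceSecurityGroupId and DestinationSecurityGroupId, and the template it scans is constructed for the demonstration.

```python
SG_TYPE = "AWS::EC2::SecurityGroup"

# Constructed template: a web-tier SG and an app-tier SG whose embedded rules reference each other.
TEMPLATE = {"Resources": {
    "WebSG": {"Type": SG_TYPE, "Properties": {
        "GroupDescription": "web tier", "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                 "DestinationSecurityGroupId": {"Ref": "AppSG"}}]}},
    "AppSG": {"Type": SG_TYPE, "Properties": {
        "GroupDescription": "app tier", "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                  "SourceSecurityGroupId": {"Fn::GetAtt": ["WebSG", "GroupId"]}}]}}}}


def _referenced_sg(rule, resources):
    """Logical ID of another SG in this template that a rule points at via Ref or Fn::GetAtt, else None."""
    for key in ("SourceSecurityGroupId", "DestinationSecurityGroupId"):
        ref = rule.get(key)
        if isinstance(ref, dict):
            target = ref.get("Ref") or (ref.get("Fn::GetAtt") or [None])[0]
            if target in resources and resources[target].get("Type") == SG_TYPE:
                return target
    return None


def check_security_groups(template):
    """Return (logical_id, finding) tuples for every AWS::EC2::SecurityGroup in the template."""
    resources = template.get("Resources", {})
    findings, peers = [], {}
    for name, res in resources.items():
        if res.get("Type") != SG_TYPE:
            continue
        props = res.get("Properties", {})
        ingress = props.get("SecurityGroupIngress", [])
        egress = props.get("SecurityGroupEgress", [])
        # The default allow-all egress rule is only removed once at least one egress rule is declared.
        if not egress:
            findings.append((name, "no SecurityGroupEgress: default allow-all egress rule remains"))
        for rule in ingress:
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                proto = rule.get("IpProtocol")
                ports = "all ports" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}/{proto}"
                findings.append((name, f"ingress open to the world on {ports}"))
        peers[name] = {t for t in (_referenced_sg(r, resources) for r in ingress + egress) if t}
    # Embedded rules that reference each other form the circular dependency CloudFormation rejects.
    for a, targets in peers.items():
        for b in targets:
            if a < b and a in peers.get(b, set()):
                findings.append((a, f"embedded rules cross-reference {b}; use AWS::EC2::SecurityGroupIngress/Egress resources instead"))
    return findings
```

Run `check_security_groups(TEMPLATE)` to list the findings; a template whose security groups declare explicit egress, keep ingress scoped, and move mutual references into separate SecurityGroupIngress/SecurityGroupEgress resources returns an empty list.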
More Info
- Using Security Groups in the Amazon EC2 User Guide for Linux Instances.
- Security Groups in the Amazon VPC User Guide.
