AWS Amazon EC2 Security Group

This page shows how to write Terraform and CloudFormation for Amazon EC2 Security Group and write them securely.

aws_default_security_group (Terraform)

The Security Group in Amazon EC2 can be configured in Terraform with the resource name aws_default_security_group. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

security_group.tf#L5
resource "aws_default_security_group" "default_security_group" {
  vpc_id = local.default_vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
security-group.tf#L7
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.isolated_vpc.id

  egress {
    from_port   = "443"
    to_port     = "443"
positive.tf#L1
resource "aws_default_security_group" "positive1" {
  vpc_id = aws_vpc.mainvpc.id

  ingress {
    protocol  = -1
    self      = true
main.tf#L17
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

resource "aws_default_security_group" "default_2" {
  vpc_id = aws_vpc.not_ok_vpc_2.id

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides a resource to manage a default security group. This resource can manage the default security group of the default or a non-default VPC.

NOTE: This is an advanced resource with special caveats. Please read this document in its entirety before using this resource. The aws_default_security_group resource behaves differently from normal resources. Terraform does not create this resource but instead attempts to "adopt" it into management. For EC2 Classic accounts, each region comes with a default security group. Additionally, each VPC created in AWS comes with a default security group that can be managed but not destroyed. When Terraform first adopts the default security group, it immediately removes all ingress and egress rules in the Security Group. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created. This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions/removals external to this resource will result in diff shown. For these reasons, this resource is incompatible with the aws_security_group_rule resource. For more information about default security groups, see the AWS documentation on [Default Security Groups][aws-default-security-groups]. To manage normal security groups, see the aws_security_group resource.

Tips: Best Practices for The Other AWS Amazon EC2 Resources

In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_default_vpc

Ensure to avoid using default VPC

It is better to define the own VPC and use it.

risk-label

aws_network_acl_rule

Ensure your network ACL rule blocks unwanted inbound traffic

It is better to block unwanted inbound traffic.

risk-label

aws_ebs_volume

Ensure to use a customer-managed key for EBS volume encryption

It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).

risk-label

aws_instance

Ensure to avoid storing AWS access keys in user data

It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.

risk-label

aws_security_group

Ensure your security group blocks unwanted inbound traffic

It is better to block unwanted inbound traffic.

Review your AWS Amazon EC2 settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::EC2::SecurityGroup (CloudFormation)

The SecurityGroup in EC2 can be configured in CloudFormation with the resource name AWS::EC2::SecurityGroup. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

valid_security_group_with_egress.yml#L8
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "some_group_desc"
      VpcId:
        Ref: VpcId
      Tags:
security-groups.yml#L7
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group - Redis
      GroupName: Security Group - Redis
      SecurityGroupIngress:
        - IpProtocol: tcp
2-wp-securitygroups.yml#L34
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Bastion instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
EC2.yml#L3
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: 'Spotify'
      GroupDescription: for the app nodes that allow ssh, http and docker ports
      VpcId : !ImportValue VPCMusicfeel
      SecurityGroupIngress:
5-nemsg.yml#L23
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
      - ToPort: 3389
        IpProtocol: tcp
        CidrIp: 0.0.0.0/0
AWS_EC2_VPC.json#L64
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0d46b170",
        "relationshipName": "Contains SecurityGroup"
      },
      {
        "resourceType": "AWS::EC2::SecurityGroup",
cfn-euca9846-secgroups-template.json#L6
                        "Type":"AWS::EC2::SecurityGroup",
                        "Properties":{
                                "GroupDescription":"Cloudformation Group",
                                "Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ]
                        }
                },
SG-Violation-UnrestrictedAccess.json#L133
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Allow http to client host",
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
cfn-euca10029-template.json#L13
                        "Type":"AWS::EC2::SecurityGroup",
                        "Properties":{
                                "VpcId" : { "Ref" : "VPC" },
                                "GroupDescription":"Cloudformation Group",
                                "Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ]
                        }
cfn-euca10029-99-sgs-template.json#L13
                        "Type":"AWS::EC2::SecurityGroup",
                        "Properties":{
                                "VpcId" : { "Ref" : "VPC" },
                                "GroupDescription":"Cloudformation Group",
                                "Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ]
                        }

Parameters

Explanation in CloudFormation Registry

Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which to create the security group.

This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Important To cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.

Frequently asked questions

What is AWS Amazon EC2 Security Group?

AWS Amazon EC2 Security Group is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon EC2 Security Group?

For Terraform, the chiehting/terraform, redhat-cop/ocp-disconnected-docs and Checkmarx/kics source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the stelligent/cfn-model, 99887710/Infrastructure-as-code and NuvOps/cfn-nested-wordpress source code examples are useful. See the CloudFormation Example section for further details.