AWS Amazon EC2 Security Group
This page shows how to write Terraform and CloudFormation for Amazon EC2 Security Group and write them securely.
aws_default_security_group (Terraform)
The Security Group in Amazon EC2 can be configured in Terraform with the resource name aws_default_security_group. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_default_security_group" "default_security_group" {
vpc_id = local.default_vpc_id
egress {
from_port = 0
to_port = 0
protocol = "-1"
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.isolated_vpc.id
egress {
from_port = "443"
to_port = "443"
resource "aws_default_security_group" "positive1" {
vpc_id = aws_vpc.mainvpc.id
ingress {
protocol = -1
self = true
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.ok_vpc.id
}
resource "aws_default_security_group" "default_2" {
vpc_id = aws_vpc.not_ok_vpc_2.id
Parameters
-
arnoptional computed - string -
descriptionoptional computed - string -
egressoptional computed - set of object-
cidr_blocks- list of string -
description- string -
from_port- number -
ipv6_cidr_blocks- list of string -
prefix_list_ids- list of string -
protocol- string -
security_groups- set of string -
self- bool -
to_port- number
-
-
idoptional computed - string -
ingressoptional computed - set of object-
cidr_blocks- list of string -
description- string -
from_port- number -
ipv6_cidr_blocks- list of string -
prefix_list_ids- list of string -
protocol- string -
security_groups- set of string -
self- bool -
to_port- number
-
-
nameoptional computed - string -
owner_idoptional computed - string -
revoke_rules_on_deleteoptional - bool -
tagsoptional - map from string to string -
vpc_idoptional computed - string
Explanation in Terraform Registry
Provides a resource to manage a default security group. This resource can manage the default security group of the default or a non-default VPC.
NOTE: This is an advanced resource with special caveats. Please read this document in its entirety before using this resource. The
aws_default_security_groupresource behaves differently from normal resources. Terraform does not create this resource but instead attempts to "adopt" it into management. For EC2 Classic accounts, each region comes with a default security group. Additionally, each VPC created in AWS comes with a default security group that can be managed but not destroyed. When Terraform first adopts the default security group, it immediately removes all ingress and egress rules in the Security Group. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created. This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions/removals external to this resource will result in diff shown. For these reasons, this resource is incompatible with theaws_security_group_ruleresource. For more information about default security groups, see the AWS documentation on [Default Security Groups][aws-default-security-groups]. To manage normal security groups, see theaws_security_groupresource.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::SecurityGroup (CloudFormation)
The SecurityGroup in EC2 can be configured in CloudFormation with the resource name AWS::EC2::SecurityGroup. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "some_group_desc"
VpcId:
Ref: VpcId
Tags:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group - Redis
GroupName: Security Group - Redis
SecurityGroupIngress:
- IpProtocol: tcp
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for Bastion instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: 'Spotify'
GroupDescription: for the app nodes that allow ssh, http and docker ports
VpcId : !ImportValue VPCMusicfeel
SecurityGroupIngress:
Type: AWS::EC2::SecurityGroup
Properties:
SecurityGroupIngress:
- ToPort: 3389
IpProtocol: tcp
CidrIp: 0.0.0.0/0
"resourceType": "AWS::EC2::SecurityGroup",
"resourceId": "sg-0d46b170",
"relationshipName": "Contains SecurityGroup"
},
{
"resourceType": "AWS::EC2::SecurityGroup",
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"Cloudformation Group",
"Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ]
}
},
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"VpcId" : { "Ref" : "VPC" },
"GroupDescription":"Cloudformation Group",
"Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ]
}
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"VpcId" : { "Ref" : "VPC" },
"GroupDescription":"Cloudformation Group",
"Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} } ]
}
Parameters
-
GroupDescriptionrequired - String -
GroupNameoptional - String -
SecurityGroupEgressoptional - List of Egress -
SecurityGroupIngressoptional - List of Ingress -
Tagsoptional - List of Tag -
VpcIdoptional - String
Explanation in CloudFormation Registry
Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which to create the security group.
This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.
Important To cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the
AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
Frequently asked questions
What is AWS Amazon EC2 Security Group?
AWS Amazon EC2 Security Group is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Security Group?
For Terraform, the chiehting/terraform, redhat-cop/ocp-disconnected-docs and Checkmarx/kics source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the stelligent/cfn-model, 99887710/Infrastructure-as-code and NuvOps/cfn-nested-wordpress source code examples are useful. See the CloudFormation Example section for further details.
