AWS Amazon EC2 Rule
This page shows how to write Terraform and CloudFormation for Amazon EC2 Rule and write them securely.
aws_security_group_rule (Terraform)
The Rule in Amazon EC2 can be configured in Terraform with the resource name aws_security_group_rule
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
-
cidr_blocks
optional - list of string -
description
optional - string -
from_port
required - number -
id
optional computed - string -
ipv6_cidr_blocks
optional - list of string -
prefix_list_ids
optional - list of string -
protocol
required - string -
security_group_id
required - string -
self
optional - bool -
source_security_group_id
optional computed - string -
to_port
required - number -
type
required - string
Type of rule, ingress (inbound) or egress (outbound).
Explanation in Terraform Registry
Provides a security group rule resource. Represents a single
ingress
oregress
group rule, which can be added to external Security Groups.NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource (a single
ingress
oregress
rule), and a Security Group resource withingress
andegress
rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules. NOTE: Settingprotocol = "all"
orprotocol = -1
withfrom_port
andto_port
will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by Terraform and may generate warnings in the future. NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::SecurityGroup Egress (CloudFormation)
The SecurityGroup Egress in EC2 can be configured in CloudFormation with the resource name AWS::EC2::SecurityGroup Egress
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
CidrIp
The IPv4 address range, in CIDR format.
Required: No
Type: String
Update requires: No interruption
CidrIpv6
The IPv6 address range, in CIDR format.
Required: No
Type: String
Update requires: No interruption
Description
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
Required: No
Type: String
Update requires: No interruption
DestinationPrefixListId
[EC2-VPC only] The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
Required: No
Type: String
Update requires: No interruption
DestinationSecurityGroupId
The ID of the destination VPC security group.
Required: No
Type: String
Update requires: No interruption
FromPort
The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1
indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.
Required: No
Type: Integer
Update requires: No interruption
IpProtocol
The IP protocol name (tcp
, udp
, icmp
, icmpv6
) or number (see Protocol Numbers).
[VPC only] Use -1
to specify all protocols. When authorizing security group rules, specifying -1
or a protocol number other than tcp
, udp
, icmp
, or icmpv6
allows traffic on all ports, regardless of any port range you specify. For tcp
, udp
, and icmp
, you must specify a port range. For icmpv6
, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
Required: Yes
Type: String
Update requires: No interruption
ToPort
The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1
indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
Required: No
Type: Integer
Update requires: No interruption
Explanation in CloudFormation Registry
Specifies an outbound rule for a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, or to the instances associated with the specified destination security groups.
You must specify only one of the following properties:
CidrIp
,CidrIpv6
,DestinationPrefixListId
, orDestinationSecurityGroupId
.The EC2 Security Group Rule is an embedded property of the
AWS::EC2::SecurityGroup
type.