Security Group

A security group serves as a virtual firewall that consists of a set of rules to control inbound and outbound traffic to EC2 instances within a VPC.
Terraform name: aws_security_group

Attributes:
  • description - (Optional, Forces new resource) Security group description. Defaults to Managed by Terraform. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.
  • egress - (Optional, VPC only) Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
  • ingress - (Optional) Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • name - (Optional, Forces new resource) Name of the security group. If omitted, Terraform will assign a random, unique name.
  • revoke_rules_on_delete - (Optional) Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_id - (Optional, Forces new resource) VPC ID. Defaults to the region's default VPC.

ingress

This argument is processed in attribute-as-blocks mode.

The following arguments are required:

  • from_port - (Required) Start port (or ICMP type number if protocol is icmp or icmpv6).
  • to_port - (Required) End port of the range (or ICMP code if protocol is icmp).
  • protocol - (Required) Protocol. If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference. This argument is normalized to a lowercase value to match the AWS API requirement when used with Terraform 0.12.x and above; make sure the protocol value is specified in lowercase when using an older version of Terraform to avoid issues during upgrade.

The following arguments are optional:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this ingress rule.
  • ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
  • prefix_list_ids - (Optional) List of Prefix List IDs.
  • security_groups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a source to this ingress rule.

egress

This argument is processed in attribute-as-blocks mode.

The following arguments are required:

  • from_port - (Required) Start port (or ICMP type number if protocol is icmp).
  • to_port - (Required) End port of the range (or ICMP code if protocol is icmp).
  • protocol - (Required) Protocol. If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. The supported values are defined in the IpProtocol argument in the IpPermission API reference. This argument is normalized to a lowercase value to match the AWS API requirement when used with Terraform 0.12.x and above; make sure the protocol value is specified in lowercase when using an older version of Terraform to avoid issues during upgrade.

The following arguments are optional:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this egress rule.
  • ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
  • prefix_list_ids - (Optional) List of Prefix List IDs.
  • security_groups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a destination to this egress rule.

Associating resources with a Security Group

Resources do not "belong" to a Security Group. Rather, one or more Security Groups are associated with a resource. Services whose resources can be associated with a Security Group include:

  • Amazon EC2 instances
  • AWS Elastic Beanstalk
  • Amazon Elastic MapReduce
  • Amazon RDS (Relational Database Service)
  • Amazon Redshift
  • Amazon ElastiCache
  • Amazon CloudSearch
  • Amazon Managed Streaming for Apache Kafka (MSK)
  • Elastic Load Balancing (ALB, NLB, ELB, GLB)
  • Lambda (running in VPC mode)
  • VPC Endpoints

Create Security Group via Terraform:

A security group can be written in either of two ways:

  • Security group with built-in rules as a single resource
  • Security group and security group rules as separate resources that are associated with each other

Syntax:

The following HCL creates a security group that allows all ingress and egress traffic over all ports:

resource "aws_security_group" "test_security_group" {
  name   = "test_security_group"
  vpc_id = aws_vpc.main.id

  # Inbound: every protocol and port from any IPv4 address
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: every protocol and port to any IPv4 address
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "test_security_group"
  }
}

Create Security Group via CLI:

Parameters:

create-security-group
--description <value>
--group-name <value>
[--vpc-id <value>]
[--tag-specifications <value>]
[--dry-run | --no-dry-run]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-security-group --group-name MySecurityGroup --description "My security group"

aws ec2 authorize-security-group-ingress --group-id <sg_id> --protocol tcp --port 22 --cidr 10.0.0.0/8
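As an added example (not part of this wiki page, Terraform or the AWS CLI), the following Python audit models the two rule sets shown above in the IpPermission shape that the protocol argument refers to, and flags ingress rules that are open to the whole Internet; the rule dictionaries and the list of administrative ports are constructed here for illustration, and the check can be run over the `IpPermissions` of any `describe-security-groups` output.

```python
import ipaddress

# Constructed samples in the EC2 IpPermission shape, mirroring this page's
# two examples (not data from a real account).
PAGE_TERRAFORM_EXAMPLE = [  # the all-traffic ingress rule from the HCL above
    {"IpProtocol": "-1", "FromPort": 0, "ToPort": 0,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
PAGE_CLI_EXAMPLE = [  # the SSH-from-10.0.0.0/8 rule from the CLI command above
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]

# Administrative ports that should never be reachable from the Internet
# (a constructed, illustrative list).
ADMIN_PORTS = {22, 3389}


def rule_ports(rule):
    """Return the (from, to) port range a rule covers; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def is_world_open(rule):
    """True if any IPv4 or IPv6 range on the rule is the entire address space."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def audit_ingress(permissions):
    """Return a list of findings (strings) for overly permissive ingress rules."""
    findings = []
    for rule in permissions:
        if not is_world_open(rule):
            continue  # scoped to a CIDR, so not an Internet-wide exposure
        proto = rule["IpProtocol"]
        if proto == "-1":
            findings.append("all protocols and ports open to 0.0.0.0/0 or ::/0")
            continue
        lo, hi = rule_ports(rule)
        for port in sorted(p for p in ADMIN_PORTS if lo <= p <= hi):
            findings.append(f"{proto}/{port} open to the world")
    return findings


if __name__ == "__main__":
    print(audit_ingress(PAGE_TERRAFORM_EXAMPLE))  # the page's HCL is flagged
    print(audit_ingress(PAGE_CLI_EXAMPLE))        # the CLI rule passes
```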

Costs
The cost of using Security Groups is included in the overall cost of using Amazon VPC and there is no additional cost for using security groups. The cost is based on the number of rules and the amount of network traffic processed by the security groups.