CloudWiki
Resource

Security Group

Amazon Web Services
Security
A security group serves as a virtual firewall that consists of set of rules to control inbound and outbound traffic to EC2 instances within a VPC.
Terraform Name
terraform
aws_security_group
Security Group
attributes:
  • description - (Optional, Forces new resource) Security group description. Defaults to Managed by Terraform. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.
  • egress - (Optional, VPC only) Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
  • ingress - (Optional) Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • name - (Optional, Forces new resource) Name of the security group. If omitted, Terraform will assign a random, unique name.
  • revoke_rules_on_delete - (Optional) Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. This is normally not needed, however certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevent the security groups from being destroyed without removing the dependency first. Default false.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_id - (Optional, Forces new resource) VPC ID. Defaults to the region's default VPC.

ingress

This argument is processed in attribute-as-blocks mode.

The following arguments are required:

  • from_port - (Required) Start port (or ICMP type number if protocol is icmp or icmpv6).
  • to_port - (Required) End range port (or ICMP code if protocol is icmp).
  • protocol - (Required) Protocol. If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference. This argument is normalized to a lowercase value to match the AWS API requirement when using with Terraform 0.12.x and above, please make sure that the value of the protocol is specified as lowercase when using with older version of Terraform to avoid an issue during upgrade.

The following arguments are optional:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this ingress rule.
  • ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
  • prefix_list_ids - (Optional) List of Prefix List IDs.
  • security_groups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a source to this ingress rule.

egress

This argument is processed in attribute-as-blocks mode.

The following arguments are required:

  • from_port - (Required) Start port (or ICMP type number if protocol is icmp)
  • to_port - (Required) End range port (or ICMP code if protocol is icmp).

The following arguments are optional:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this egress rule.
  • ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
  • prefix_list_ids - (Optional) List of Prefix List IDs.
  • protocol - (Required) Protocol. If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. The supported values are defined in the IpProtocol argument in the IpPermission API reference. This argument is normalized to a lowercase value to match the AWS API requirement when using Terraform 0.12.x and above. Please make sure that the value of the protocol is specified as lowercase when used with older version of Terraform to avoid issues during upgrade.
  • security_groups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a source to this egress rule.

Associating resources with a
Security Group
Resources do not "belong" to a
Security Group
Rather, one or more Security Groups are associated to a resource.

Amazon EC2 instances

AWS Elastic Beanstalk

Amazon Elastic MapReduce

Amazon RDS (Relational Database Service)

Amazon Redshift

Amazon ElastiCache

Amazon CloudSearch

Amazon Managed Streaming for Apache Kafka (MSK)

Elastic Load Balancing

Lambda (running in a VPC mode)

ALB, NLB, ELB, GLB

VPC Endpoints

Create
Security Group
via Terraform:
The following HCL creates a security group that allows all ingress and egress traffic over all ports:

·      Security group with built-in rules as a single resource

·      Security group and security group rules as separate resources that are associated to each other

Syntax:

resource “aws_security_group” “test_security_group” {
 name = “test_security_group”
 vpc_id = aws_vpc.main.id
 ingress {
   from_port = 0
   to_port = 0
   protocol = “-1”
   cidr_blocks = [
     “0.0.0.0/0”]
 }
 egress {
   from_port = 0
   to_port = 0
   protocol = “-1”
   cidr_blocks = [
     “0.0.0.0/0”]
 }
 tags = {
   Name = “test_security_group”
 }
}

Create
Security Group
via CLI:
Parametres:

create-security-group
--description <value>
--group-name <value>
[--vpc-id <value>]
[--tag-specifications <value>]
[--dry-run | --no-dry-run]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-security-group —group-name MySecurityGroup —description “My security group”

aws ec2 authorize-security-group-ingress --group-id <sg_id> --protocol tcp --port 22 --cidr 10.0.0.0/8

aws cost
Costs
The cost of using Security Groups is included in the overall cost of using Amazon VPC and there is no additional cost for using security groups. The cost is based on the number of rules and the amount of network traffic processed by the security groups.
Direct Cost

--

Indirect Cost
No items found.
Best Practices for
Security Group

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services