Working with AWS VPC Security Groups via the AWS CLI


This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

Show a security group

Describe a certain security group:

$ aws ec2 describe-security-groups --group-ids sg-903004f8

Output:

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "PrefixListIds": []
                }
            ],
            "Description": "My security group",
            "Tags": [
                {
                    "Value": "SG1",
                    "Key": "Name"
                }
            ],
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "UserIdGroupPairs": [
                        {
                             "UserId": "123456789012",
                             "GroupId": "sg-903004f8"
                        }
                    ],
                    "PrefixListIds": []
                },
                {
                    "PrefixListIds": [],
                    "FromPort": 22,
                    "IpRanges": [
                        {
                            "CidrIp": "203.0.113.0/24"
                        }
                    ],
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                }
            ],
            "GroupName": "MySecurityGroup",
            "VpcId": "vpc-1a2b3c4d",
            "OwnerId": "123456789012",
            "GroupId": "sg-903004f8"
        }
    ]
}

Find security groups that allow SSH (TCP port 22) inbound from anywhere (0.0.0.0/0):

$ aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].{Name:GroupName}'

Output:

[
  {
     "Name": "default"
  },
  {
     "Name": "Test SG"
  },
  {
     "Name": "SSH-Access-Group"
  }
]
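The filter above only matches rules whose port range is exactly 22-22 and whose source is exactly 0.0.0.0/0. The following added script (my example, not part of the original notes) audits the JSON that `aws ec2 describe-security-groups --output json` prints and also catches the cases the filter misses: all-protocol (-1) rules, port ranges that merely cover 22, and IPv6 ::/0 sources. The group ids, names and CIDRs in SAMPLE are constructed for the example.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`;
# the group ids, names and CIDRs are made up for this example.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-903004f8", "GroupName": "MySecurityGroup", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "range-covers-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]})

WORLD = {"0.0.0.0/0", "::/0"}   # "anywhere" sources, IPv4 and IPv6

def rule_covers_port(rule, port):
    """True if this IpPermission entry admits TCP traffic to `port`."""
    if rule.get("IpProtocol") == "-1":          # -1 means all protocols, all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):  # the CLI normally prints "tcp"; 6 is its number
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_groups(describe_output, port=22):
    """Return [(GroupId, GroupName, source CIDR)] for every ingress rule exposing `port` to the internet."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr in WORLD:
                    findings.append((sg["GroupId"], sg["GroupName"], cidr))
    return findings

if __name__ == "__main__":
    # Pipe real CLI output in: aws ec2 describe-security-groups --output json | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for gid, name, cidr in world_open_groups(data):
        print(f"{gid}\t{name}\tport 22 open to {cidr}")
```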

Create a security group

Omit the --vpc-id option if creating an SG for EC2-Classic, where there is no VPC.

$ aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id vpc-1a2b3c4d

Output:

{
    "GroupId": "sg-903004f8"
}

Create an ingress rule

Create a rule to allow inbound SSH (TCP port 22) from 203.0.113.0/24:

$ aws ec2 authorize-security-group-ingress --group-id sg-903004f8 --protocol tcp --port 22 --cidr 203.0.113.0/24

Delete an ingress rule

$ aws ec2 revoke-security-group-ingress --group-id sg-123abc12 --protocol tcp --port 22 --cidr 203.0.113.0/24

Create an egress rule

This rule demonstrates granting outbound access on TCP port 80 to members of another security group rather than to a CIDR range.

$ aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-4b51a32f"}]}]'

Remove an egress rule

$ aws ec2 revoke-security-group-egress --group-id sg-1a2b3c4d --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-4b51a32f"}]}]'

Assign a Security Group to an EC2 instance

Note that --groups replaces the instance's whole security group list, so include every group the instance should keep, not only the one being added.

$ aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --groups sg-1a2b3c4d

--ip-permissions Syntax

As seen above in the egress rule creation, the --ip-permissions syntax is more involved than the --protocol/--port/--cidr form used for a simple rule. It accepts shorthand syntax, like:

IpProtocol=string,FromPort=integer,ToPort=integer,UserIdGroupPairs=[{UserId=string,GroupName=string,GroupId=string,VpcId=string,VpcPeeringConnectionId=string,PeeringStatus=string},{UserId=string,GroupName=string,GroupId=string,VpcId=string,VpcPeeringConnectionId=string,PeeringStatus=string}],IpRanges=[{CidrIp=string},{CidrIp=string}],Ipv6Ranges=[{CidrIpv6=string},{CidrIpv6=string}],PrefixListIds=[{PrefixListId=string},{PrefixListId=string}] ...

or JSON syntax:

[
  {
    "IpProtocol": "string",
    "FromPort": integer,
    "ToPort": integer,
    "UserIdGroupPairs": [
      {
        "UserId": "string",
        "GroupName": "string",
        "GroupId": "string",
        "VpcId": "string",
        "VpcPeeringConnectionId": "string",
        "PeeringStatus": "string"
      }
      ...
    ],
    "IpRanges": [
      {
        "CidrIp": "string"
      }
      ...
    ],
    "Ipv6Ranges": [
      {
        "CidrIpv6": "string"
      }
      ...
    ],
    "PrefixListIds": [
      {
        "PrefixListId": "string"
      }
      ...
    ]
  }
  ...
]

Delete a Security Group

$ aws ec2 delete-security-group --group-id sg-903004f8