CfnSecurityGroupPropsMixin
- class aws_cdk.mixins_preview.aws_ec2.mixins.CfnSecurityGroupPropsMixin(props, *, strategy=None)
Bases:
MixinSpecifies a security group.
You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed.
When you create a security group, if you do not add egress rules, we add egress rules that allow all outbound IPv4 and IPv6 traffic. Otherwise, we do not add them. After the security group is created, if you remove all egress rules that you added, we do not add egress rules, so no outbound traffic is allowed.
If you modify a rule, CloudFormation removes the existing rule and then adds a new rule. There is a brief period when neither the original rule or the new rule exists, so the corresponding traffic is dropped.
This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates . .. epigraph:
To cross-reference two security groups in the ingress and egress rules of those security groups, use the `AWS::EC2::SecurityGroupEgress <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html>`_ and `AWS::EC2::SecurityGroupIngress <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html>`_ resources to define your rules. Do not use the embedded ingress and egress rules in the ``AWS::EC2::SecurityGroup`` . Doing so creates a circular dependency, which CloudFormation doesn't allow.
- See:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroup.html
- CloudformationResource:
AWS::EC2::SecurityGroup
- Mixin:
true
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. from aws_cdk.mixins_preview import mixins from aws_cdk.mixins_preview.aws_ec2 import mixins as ec2_mixins cfn_security_group_props_mixin = ec2_mixins.CfnSecurityGroupPropsMixin(ec2_mixins.CfnSecurityGroupMixinProps( group_description="groupDescription", group_name="groupName", security_group_egress=[ec2_mixins.CfnSecurityGroupPropsMixin.EgressProperty( cidr_ip="cidrIp", cidr_ipv6="cidrIpv6", description="description", destination_prefix_list_id="destinationPrefixListId", destination_security_group_id="destinationSecurityGroupId", from_port=123, ip_protocol="ipProtocol", to_port=123 )], security_group_ingress=[ec2_mixins.CfnSecurityGroupPropsMixin.IngressProperty( cidr_ip="cidrIp", cidr_ipv6="cidrIpv6", description="description", from_port=123, ip_protocol="ipProtocol", source_prefix_list_id="sourcePrefixListId", source_security_group_id="sourceSecurityGroupId", source_security_group_name="sourceSecurityGroupName", source_security_group_owner_id="sourceSecurityGroupOwnerId", to_port=123 )], tags=[CfnTag( key="key", value="value" )], vpc_id="vpcId" ), strategy=mixins.PropertyMergeStrategy.OVERRIDE )
Create a mixin to apply properties to
AWS::EC2::SecurityGroup.- Parameters:
props (
Union[CfnSecurityGroupMixinProps,Dict[str,Any]]) – L1 properties to apply.strategy (
Optional[PropertyMergeStrategy]) – (experimental) Strategy for merging nested properties. Default: - PropertyMergeStrategy.MERGE
Methods
- apply_to(construct)
Apply the mixin properties to the construct.
- Parameters:
construct (
IConstruct)- Return type:
- supports(construct)
Check if this mixin supports the given construct.
- Parameters:
construct (
IConstruct)- Return type:
bool
Attributes
- CFN_PROPERTY_KEYS = ['groupDescription', 'groupName', 'securityGroupEgress', 'securityGroupIngress', 'tags', 'vpcId']
Static Methods
- classmethod is_mixin(x)
(experimental) Checks if
xis a Mixin.- Parameters:
x (
Any) – Any object.- Return type:
bool- Returns:
true if
xis an object created from a class which extendsMixin.- Stability:
experimental
EgressProperty
- class CfnSecurityGroupPropsMixin.EgressProperty(*, cidr_ip=None, cidr_ipv6=None, description=None, destination_prefix_list_id=None, destination_security_group_id=None, from_port=None, ip_protocol=None, to_port=None)
Bases:
objectAdds the specified outbound (egress) rule to a security group.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules .
You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
- Parameters:
cidr_ip (
Optional[str]) – The IPv4 address range, in CIDR format. You must specify exactly one of the following:CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .cidr_ipv6 (
Optional[str]) –The IPv6 address range, in CIDR format. You must specify exactly one of the following:
CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .description (
Optional[str]) – A description for the security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*destination_prefix_list_id (
Optional[str]) – The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following:CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId.destination_security_group_id (
Optional[str]) – The ID of the destination VPC security group. You must specify exactly one of the following:CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId.from_port (
Union[int,float,None]) – If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).ip_protocol (
Optional[str]) – The IP protocol name (tcp,udp,icmp,icmpv6) or number (see Protocol Numbers ). Use-1to specify all protocols. When authorizing security group rules, specifying-1or a protocol number other thantcp,udp,icmp, oricmpv6allows traffic on all ports, regardless of any port range you specify. Fortcp,udp, andicmp, you must specify a port range. Foricmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.to_port (
Union[int,float,None]) – If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
- See:
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. from aws_cdk.mixins_preview.aws_ec2 import mixins as ec2_mixins egress_property = ec2_mixins.CfnSecurityGroupPropsMixin.EgressProperty( cidr_ip="cidrIp", cidr_ipv6="cidrIpv6", description="description", destination_prefix_list_id="destinationPrefixListId", destination_security_group_id="destinationSecurityGroupId", from_port=123, ip_protocol="ipProtocol", to_port=123 )
Attributes
- cidr_ip
The IPv4 address range, in CIDR format.
You must specify exactly one of the following:
CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId.For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .
- cidr_ipv6
The IPv6 address range, in CIDR format.
You must specify exactly one of the following:
CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId.For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .
- description
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
- destination_prefix_list_id
The prefix list IDs for the destination AWS service.
This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
You must specify exactly one of the following:
CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId.
- destination_security_group_id
The ID of the destination VPC security group.
You must specify exactly one of the following:
CidrIp,CidrIpv6,DestinationPrefixListId, orDestinationSecurityGroupId.
- from_port
If the protocol is TCP or UDP, this is the start of the port range.
If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
- ip_protocol
The IP protocol name (
tcp,udp,icmp,icmpv6) or number (see Protocol Numbers ).Use
-1to specify all protocols. When authorizing security group rules, specifying-1or a protocol number other thantcp,udp,icmp, oricmpv6allows traffic on all ports, regardless of any port range you specify. Fortcp,udp, andicmp, you must specify a port range. Foricmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
- to_port
If the protocol is TCP or UDP, this is the end of the port range.
If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
IngressProperty
- class CfnSecurityGroupPropsMixin.IngressProperty(*, cidr_ip=None, cidr_ipv6=None, description=None, from_port=None, ip_protocol=None, source_prefix_list_id=None, source_security_group_id=None, source_security_group_name=None, source_security_group_owner_id=None, to_port=None)
Bases:
objectAdds an inbound (ingress) rule to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see Security group rules .
You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
- Parameters:
cidr_ip (
Optional[str]) –The IPv4 address range, in CIDR format. You must specify exactly one of the following:
CidrIp,CidrIpv6,SourcePrefixListId, orSourceSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .cidr_ipv6 (
Optional[str]) –The IPv6 address range, in CIDR format. You must specify exactly one of the following:
CidrIp,CidrIpv6,SourcePrefixListId, orSourceSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .description (
Optional[str]) – Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*from_port (
Union[int,float,None]) – If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).ip_protocol (
Optional[str]) –The IP protocol name (
tcp,udp,icmp,icmpv6) or number (see Protocol Numbers ). Use-1to specify all protocols. When authorizing security group rules, specifying-1or a protocol number other thantcp,udp,icmp, oricmpv6allows traffic on all ports, regardless of any port range you specify. Fortcp,udp, andicmp, you must specify a port range. Foricmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.source_prefix_list_id (
Optional[str]) – The ID of a prefix list.source_security_group_id (
Optional[str]) – The ID of the security group.source_security_group_name (
Optional[str]) – [Default VPC] The name of the source security group. You must specify either the security group ID or the security group name. You can’t specify the group name in combination with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access. For security groups in a nondefault VPC, you must specify the group ID.source_security_group_owner_id (
Optional[str]) – [nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can’t specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access. If you specifySourceSecurityGroupNameorSourceSecurityGroupIdand that security group is owned by a different account than the account creating the stack, you must specify theSourceSecurityGroupOwnerId; otherwise, this property is optional.to_port (
Union[int,float,None]) – If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
- See:
- ExampleMetadata:
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. from aws_cdk.mixins_preview.aws_ec2 import mixins as ec2_mixins ingress_property = ec2_mixins.CfnSecurityGroupPropsMixin.IngressProperty( cidr_ip="cidrIp", cidr_ipv6="cidrIpv6", description="description", from_port=123, ip_protocol="ipProtocol", source_prefix_list_id="sourcePrefixListId", source_security_group_id="sourceSecurityGroupId", source_security_group_name="sourceSecurityGroupName", source_security_group_owner_id="sourceSecurityGroupOwnerId", to_port=123 )
Attributes
- cidr_ip
The IPv4 address range, in CIDR format.
You must specify exactly one of the following:
CidrIp,CidrIpv6,SourcePrefixListId, orSourceSecurityGroupId.For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .
- cidr_ipv6
The IPv6 address range, in CIDR format.
You must specify exactly one of the following:
CidrIp,CidrIpv6,SourcePrefixListId, orSourceSecurityGroupId.For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .
- description
Updates the description of an ingress (inbound) security group rule.
You can replace an existing description, or add a description to a rule that did not have one previously.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
- from_port
If the protocol is TCP or UDP, this is the start of the port range.
If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
- ip_protocol
The IP protocol name (
tcp,udp,icmp,icmpv6) or number (see Protocol Numbers ).Use
-1to specify all protocols. When authorizing security group rules, specifying-1or a protocol number other thantcp,udp,icmp, oricmpv6allows traffic on all ports, regardless of any port range you specify. Fortcp,udp, andicmp, you must specify a port range. Foricmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
- source_prefix_list_id
The ID of a prefix list.
- source_security_group_id
The ID of the security group.
- source_security_group_name
[Default VPC] The name of the source security group.
You must specify either the security group ID or the security group name. You can’t specify the group name in combination with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.
For security groups in a nondefault VPC, you must specify the group ID.
- source_security_group_owner_id
[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account.
You can’t specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access.
If you specify
SourceSecurityGroupNameorSourceSecurityGroupIdand that security group is owned by a different account than the account creating the stack, you must specify theSourceSecurityGroupOwnerId; otherwise, this property is optional.
- to_port
If the protocol is TCP or UDP, this is the end of the port range.
If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).