Description

The Add Security Group Rule action can be used to add inbound rules to a security group. The rule can optionally be removed after a specified period of time.

Adding and removing security group rules can be an effective way to keep unwanted access from EC2 instances.

For example, a port can be opened for a company's IP address at 8am, and then the port can be closed at 5pm.

Settings

Please see Common Action Settings for a description of settings common to all action types.

Security Group

Indicate the id of your security group. This value usually looks like "sg-84a3dc7b". This security group must reside in the region specified.

Direction

Specifies the direction in which the port is opened. Supported options include:

  • Inbound
  • Outbound

Protocol

Indicates whether TCP, UDP, or ICMP traffic should be allowed.

From Port

Indicates the lower bound of the range of ports to open.

To Port

Indicates the upper bound of the range of ports to open. If only a single port is to be added, set "To Port" and "From Port" to the same value.

Source Type

Indicates the source type to be added to the rule.

  • CIDR
  • Security Group
  • Domain Name

Source CIDR

Indicates the source IP or IP range to allow access to the specified ports. See below for a more detailed explanation.

Source Security Group

Indicates the source security group to allow access. For EC2-Classic or Default-VPC, the security group name can be specified. Otherwise, for all other VPC security groups, the security group ID must be used (eg. sg-12345678).

Source Domain Name

Indicates the domain name to resolve when adding the rule.

Description

Optional. Adds a description to the new rule.

Register Multiple DNS Entries

If your domain name resolves to multiple IP values, use this field to indicate whether one or all resolved values should be registered with the security group. Possible values include:

  • Single only (random)
  • All

Revoke Old Rules

Indicates whether old rules should be removed before the new rule is added. Possible values include:

  • None
  • Remove all rules, same direction only
  • Remove all rules, both directions

Revoke the Rule

If the rule should be removed automatically, enable this option.

Running Duration

If the rule should be removed automatically, specify the amount of time the rule should remain added to the security group.

Format of Source CIDR

The Source CIDR must be a CIDR IP address/range. This is in the format aaa.bbb.ccc.ddd/ee.

To allow all IP addresses, use "0.0.0.0/0"
 To allow only 1 IP address, use something like "192.168.0.1/32"
 To allow all IP addresses from a network, use something like "192.168.0.0/24"

More information can be found here.

Amazon Commands Used

The following Amazon AWS commands are used. The access key should have permission to execute all of them.

  • ec2:DescribeSecurityGroups
  • ec2:AuthorizeSecurityGroupEgress
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:RevokeSecurityGroupEgress
  • ec2:RevokeSecurityGroupIngress
Did this answer your question?