The Add Security Group Rule action adds an inbound rule to a security group. Optionally, the rule can be removed again automatically after a specified period of time.
Adding a rule only for the window in which it is needed, and revoking it afterwards, keeps a port from staying open to unwanted access on your EC2 instances.
For example, a port can be opened for a company's IP address at 8am and closed again at 5pm.
Please see Common Action Settings for a description of settings common to all action types.
Indicate the ID of your security group. This value usually looks like "sg-84a3dc7b". The security group must reside in the region specified.
Specifies the direction in which the port is opened. Supported options include:
Indicates whether TCP, UDP, or ICMP traffic should be allowed.
Indicates the lower bound of the range of ports to open.
Indicates the upper bound of the range of ports to open. If only a single port is to be added, set "To Port" and "From Port" to the same value. Keep the range as narrow as the use case allows; a rule spanning all ports defeats the purpose of opening access temporarily. For ICMP, the EC2 API interprets these two values as the ICMP type and code rather than as ports.
Indicates the source type to be added to the rule. Options include:
- CIDR
- Security Group
- Domain Name
Source CIDR
Indicates the source IP or IP range to allow access to the specified ports. See Format of Source CIDR below for a more detailed explanation.
Source Security Group
Indicates the source security group to allow access. For EC2-Classic or the default VPC, the security group name can be specified. For all other VPC security groups, the security group ID must be used (e.g. sg-12345678). EC2-Classic has since been retired, so in practice only default-VPC groups can be referenced by name; the ID works in every case and is unambiguous.
Source Domain Name
Indicates the domain name to resolve when adding the rule. Resolution happens once, when the action runs, and the rule is written with the resolved IP addresses rather than the name; if the DNS record changes later, the rule does not follow it until the action runs again. Treat the DNS zone as part of the trust boundary: whoever can change the record controls which addresses are allowed in.
Optional. Adds a description to the new rule.
Register Multiple DNS Entries
If your domain name resolves to multiple IP addresses, use this field to indicate whether one or all of the resolved values should be registered with the security group. Possible values include:
- Single only (random): one of the resolved addresses is chosen at random and registered; traffic from the other addresses stays blocked, so use this only if the addresses are genuinely interchangeable.
Revoke Old Rules
Indicates whether existing rules should be removed before the new rule is added. Possible values include:
- Remove all rules, same direction only
- Remove all rules, both directions
Note that this is not limited to rules previously added by this action. With "both directions", the group's outbound rules are removed as well, which blocks outbound traffic from the instances until new egress rules are added.
Revoke the Rule
Enable this option if the rule should be removed automatically.
If the rule should be removed automatically, specify how long the rule should remain in the security group before it is revoked.
Format of Source CIDR
The Source CIDR must be a CIDR IP address/range in the format aaa.bbb.ccc.ddd/ee. A bare address without the /ee suffix is not accepted.
To allow all IP addresses, use "0.0.0.0/0". This opens the port to the entire internet, so use it only when that is the intent.
To allow only one IP address, use something like "192.168.0.1/32".
To allow all IP addresses from a network, use something like "192.168.0.0/24". The address part should be the network address (host bits zero), so that the range being opened is exactly the one you expect.
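The settings above (protocol and ports, source CIDR, source security group, source domain name with single-or-all registration, revoke old rules, and timed revocation) describe one procedure: build a rule, apply it, and take it away again. The following is an added example, written for this page and not the product's own code, that implements that procedure offline. The function and parameter names, the fake EC2 client, the DNS answer and the 9-hour window are all assumptions for illustration; in real use the `client` would be a boto3 EC2 client, and the calls made are the standard EC2 API operations (DescribeSecurityGroups, AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, RevokeSecurityGroupEgress).

```python
"""Added example for this page, not the product's own code: validate the Source CIDR,
build the EC2 IpPermission for the protocol and port fields, resolve a Source Domain
Name, and apply the rule with optional "revoke old rules" and timed revocation.  AWS is
reached only through the `client` passed in (a boto3 EC2 client in practice); the demo
uses a constructed fake client, so everything here runs offline."""
import ipaddress
import random
import socket
import time


def validate_source_cidr(cidr, allow_world=False):
    """Return the canonical aaa.bbb.ccc.ddd/ee form, or raise ValueError."""
    if "/" not in cidr:  # the page requires an explicit /ee, so a bare address is rejected
        raise ValueError(f"Source CIDR {cidr!r} must be address/prefix, e.g. 192.168.0.1/32")
    try:  # strict=True rejects host bits set inside the network part (192.168.0.1/24)
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad Source CIDR {cidr!r}: {exc}") from exc
    if net.prefixlen == 0 and not allow_world:  # 0.0.0.0/0 opens the port to the whole internet
        raise ValueError("refusing 0.0.0.0/0 without allow_world=True")
    return str(net)


def build_ip_permission(protocol, from_port, to_port, sources, description=None, allow_world=False):
    """Build one IpPermission dict in the shape AuthorizeSecurityGroupIngress accepts.
    sources may mix CIDRs and security-group IDs (sg-...).  For ICMP the EC2 API reuses
    FromPort/ToPort as the ICMP type and code, with -1 meaning "all"."""
    protocol = protocol.lower()
    if protocol not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unsupported protocol {protocol!r}")
    lo, hi = (-1, 255) if protocol == "icmp" else (0, 65535)
    if not (lo <= from_port <= hi and lo <= to_port <= hi):
        raise ValueError(f"port/type out of range: {from_port}-{to_port}")
    if protocol != "icmp" and from_port > to_port:
        raise ValueError("From Port must not exceed To Port")
    extra = {"Description": description} if description else {}
    perm = {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [], "UserIdGroupPairs": []}
    for src in sources:
        if src.startswith("sg-"):
            perm["UserIdGroupPairs"].append({"GroupId": src, **extra})
        else:
            perm["IpRanges"].append({"CidrIp": validate_source_cidr(src, allow_world), **extra})
    return perm


def resolve_sources(domain, register_all=True, resolver=None, pick=random.choice):
    """Resolve a Source Domain Name to /32 CIDRs as of now.  The rule stores addresses,
    not the name, so a later DNS change is not reflected until the action runs again."""
    if resolver is None:  # injectable so the example can run without DNS
        def resolver(name):
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    addrs = resolver(domain)
    if not addrs:
        raise ValueError(f"{domain} did not resolve to any IPv4 address")
    if not register_all:  # "Single only (random)": one address, the others stay blocked
        addrs = [pick(addrs)]
    return [f"{a}/32" for a in addrs]


def apply_temporary_rule(client, group_id, permission, revoke_after_s=None,
                         revoke_old="none", sleep=time.sleep):
    """Add the rule; optionally clear existing rules first ("same" = all ingress rules,
    "both" = ingress and egress) and revoke it after revoke_after_s seconds.  A real
    scheduler would persist the revoke job; `sleep` is injectable for the demo."""
    if revoke_old in ("same", "both"):
        group = client.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
        if group["IpPermissions"]:
            client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=group["IpPermissions"])
        if revoke_old == "both" and group["IpPermissionsEgress"]:
            client.revoke_security_group_egress(GroupId=group_id, IpPermissions=group["IpPermissionsEgress"])
    client.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[permission])
    if revoke_after_s is not None:
        sleep(revoke_after_s)
        client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[permission])


class FakeEc2Client:
    """Constructed stand-in for a boto3 EC2 client: records calls, touches no network."""
    def __init__(self):
        self.ingress, self.calls = [], []
        self.egress = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]  # VPC default
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": list(self.ingress),
                                    "IpPermissionsEgress": list(self.egress)}]}
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append("authorize_ingress"); self.ingress += IpPermissions
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append("revoke_ingress"); self.ingress = [p for p in self.ingress if p not in IpPermissions]
    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append("revoke_egress"); self.egress = [p for p in self.egress if p not in IpPermissions]


def demo():
    """Open SSH for the office addresses for a nine-hour window, then close it again."""
    client = FakeEc2Client()
    office = resolve_sources("office.example.com",  # constructed DNS answer, not a real lookup
                             resolver=lambda _: ["203.0.113.10", "203.0.113.11"])
    perm = build_ip_permission("tcp", 22, 22, office, description="office SSH 08:00-17:00")
    apply_temporary_rule(client, "sg-84a3dc7b", perm, revoke_after_s=9 * 3600, sleep=lambda _: None)
    return client
```

The two points worth copying into any automation of this kind are the strict CIDR validation (a bare address, a range with host bits set, or 0.0.0.0/0 without an explicit opt-in is refused before anything reaches AWS) and the fact that a domain-name source is frozen to the addresses resolved at the time the rule is added.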
Amazon Commands Used
The following Amazon AWS API calls are used. The access key used by the action must be permitted to execute all of them; grant only these permissions, scoped to the security groups concerned where your policy allows, rather than broad EC2 access.