SecurityGroup
Creates an Amazon EC2 security group within a VPC. Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances) If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic. All Constructs that require Security Groups will create one for you if you don't specify one at construction. After construction, you can selectively allow connections to and between constructs via--for example-- the `instance.connections` object. Think of it as "allowing connections to your instance", rather than "adding ingress rules a security group". See the [Allowing Connections](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cdk-lib.aws_ec2-readme.html#allowing-connections) section in the library documentation for examples. Direct manipulation of the Security Group through `addIngressRule` and `addEgressRule` is possible, but mutation through the `.connections` object is recommended. If you peer two constructs with security groups this way, appropriate rules will be created in both. If you have an existing security group you want to use in your CDK application, you would import it like this: ```ts const securityGroup = ec2.SecurityGroup.fromSecurityGroupId(this, 'SG', 'sg-12345', { mutable: false }); ```
Import
import { SecurityGroup } from 'aws-cdk-lib/aws-ec2';Or use the module namespace:
import * as ec2 from 'aws-cdk-lib/aws-ec2';
// ec2.SecurityGroupProperties
Configuration passed to the constructor as SecurityGroupProps.
vpcRequiredIVpcThe VPC in which to create the security group.
allowAllIpv6OutboundOptionalbooleanWhether to allow all outbound ipv6 traffic by default. If this is set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If this is set to false, no outbound traffic will be allowed by default and all egress ipv6 traffic must be explicitly authorized. To allow all ipv4 traffic use allowAllOutbound
Default: false
allowAllOutboundOptionalbooleanWhether to allow all outbound traffic by default. If this is set to true, there will only be a single egress rule which allows all outbound traffic. If this is set to false, no outbound traffic will be allowed by default and all egress traffic must be explicitly authorized. To allow all ipv6 traffic use allowAllIpv6Outbound
Default: true
descriptionOptionalstringA description of the security group.
Default: The default name will be the construct's CDK path.
disableInlineRulesOptionalbooleanWhether to disable inline ingress and egress rule optimization. If this is set to true, ingress and egress rules will not be declared under the SecurityGroup in cloudformation, but will be separate elements. Inlining rules is an optimization for producing smaller stack templates. Sometimes this is not desirable, for example when security group access is managed via tags. The default value can be overridden globally by setting the context variable '@aws-cdk/aws-ec2.securityGroupDisableInlineRules'.
Default: false
securityGroupNameOptionalstringThe name of the security group. For valid values, see the GroupName parameter of the CreateSecurityGroup action in the Amazon EC2 API Reference. It is not recommended to use an explicit group name.
Default: If you don't specify a GroupName, AWS CloudFormation generates a
unique physical ID and uses that ID for the group name.
Get the Amazon EC2 Cheat Sheet
Everything you need to know about Amazon EC2 on one page. HD quality, print-friendly.
Download Free InfographicQuick Facts
aws-ec2