AWS CloudFormation
User Guide (API Version 2010-05-15)
AWS services or features described in the AWS documentation may vary by Region or location. See Getting Started with Amazon AWS for the specific differences in the China Regions.

EC2 Security Group Rule Property Type

EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type. It describes one rule in that resource's SecurityGroupIngress or SecurityGroupEgress list.

SecurityGroupIngress Syntax

JSON

{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "SourceSecurityGroupId" : String,
  "SourceSecurityGroupName" : String,
  "SourceSecurityGroupOwnerId" : String,
  "ToPort" : Integer
}

YAML

CidrIp: String
CidrIpv6: String
FromPort: Integer
IpProtocol: String
SourceSecurityGroupId: String
SourceSecurityGroupName: String
SourceSecurityGroupOwnerId: String
ToPort: Integer

SecurityGroupEgress Syntax

JSON

{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "DestinationPrefixListId" : String,
  "DestinationSecurityGroupId" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "ToPort" : Integer
}

Properties

CidrIp

Specifies an IPv4 CIDR range.

Required: Conditional. You can specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

CidrIpv6

Specifies an IPv6 CIDR range.

Required: Conditional. You can specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

DestinationPrefixListId (SecurityGroupEgress only)

The prefix list ID of an AWS service that is reached through an Amazon VPC endpoint. For more information, see VPC Endpoints in the Amazon VPC User Guide.

Required: Conditional. You can specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

DestinationSecurityGroupId (SecurityGroupEgress only)

Specifies the GroupId of the destination Amazon VPC security group.

Required: Conditional. You can specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

FromPort

The start of the port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (that is, any ICMP type number).

Required: No

Type: Integer

IpProtocol

An IP protocol name or number. For valid values, see the IpProtocol parameter in AuthorizeSecurityGroupIngress. A value of -1 means all protocols; in that case traffic is allowed on all ports and any FromPort and ToPort values are ignored. For tcp and udp the EC2 API rejects a rule that omits the port range, so specify both FromPort and ToPort.

Required: Yes

Type: String

SourceSecurityGroupId (SecurityGroupIngress only)

VPC security groups only. Specifies the ID of the Amazon EC2 security group that is allowed access. You can use the Ref intrinsic function to refer to the logical ID of a security group defined in the same template.

Required: Conditional. You can specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

SourceSecurityGroupName (SecurityGroupIngress only)

Non-VPC (EC2-Classic) security groups only. Specifies the name of the Amazon EC2 security group that is allowed access. You can use the Ref intrinsic function to refer to the logical name of a security group defined in the same template.

Required: Conditional. If you specify CidrIp, do not specify SourceSecurityGroupName.

Type: String

SourceSecurityGroupOwnerId (SecurityGroupIngress only)

Specifies the AWS account ID of the owner of the Amazon EC2 security group named in the SourceSecurityGroupName property.

Required: Conditional. If you specify SourceSecurityGroupName and that security group is owned by an account other than the one creating the stack, you must specify SourceSecurityGroupOwnerId; otherwise this property is optional.

Type: String

ToPort

The end of the port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates a wildcard (that is, any ICMP code).

Required: No

Type: Integer
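The constraints in the property table above are easy to get wrong in a large template, and CloudFormation only reports them when the stack is created. The following Python script is an added example (not part of the AWS documentation) that checks them statically against a parsed template: exactly one source or destination per rule, ingress-only and egress-only properties used on the right list, the VPC versus non-VPC split between SourceSecurityGroupId and SourceSecurityGroupName, SourceSecurityGroupOwnerId only alongside SourceSecurityGroupName, and a port range on tcp/udp rules. It also flags, as a hypothetical local policy rather than an AWS rule, management ports 22 and 3389 open to 0.0.0.0/0 or ::/0. The sample template is constructed for the example; values that are intrinsic functions such as Ref are left unresolved and skipped.

```python
# Added example: static checks for SecurityGroupIngress/Egress rules based on
# the property constraints above (not part of the AWS documentation).
import ipaddress
import json

# A rule must carry exactly one of these source/destination properties.
TARGET_KEYS = ("CidrIp", "CidrIpv6", "DestinationPrefixListId",
               "DestinationSecurityGroupId", "SourceSecurityGroupId",
               "SourceSecurityGroupName")
INGRESS_ONLY = {"SourceSecurityGroupId", "SourceSecurityGroupName",
                "SourceSecurityGroupOwnerId"}
EGRESS_ONLY = {"DestinationPrefixListId", "DestinationSecurityGroupId"}
# Hypothetical local policy (assumption, not an AWS rule): management ports
# that must never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22, 3389}

def _port(value):
    """Int port, or None when the value is an unresolved intrinsic (a dict)."""
    return None if value is None or isinstance(value, dict) else int(value)

def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0; False for other CIDRs, intrinsics or junk."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except (ValueError, TypeError):
        return False

def check_rule(rule, direction, in_vpc):
    """Return the list of problems found in one ingress or egress rule."""
    problems = []
    if "IpProtocol" not in rule:
        problems.append("IpProtocol is required")
    targets = [k for k in TARGET_KEYS if k in rule]
    if len(targets) != 1:
        problems.append(f"exactly one source/destination expected, got {targets}")
    wrong = set(rule) & (EGRESS_ONLY if direction == "Ingress" else INGRESS_ONLY)
    if wrong:
        problems.append(f"{sorted(wrong)} not valid on SecurityGroup{direction}")
    if "SourceSecurityGroupName" in rule and in_vpc:
        problems.append("SourceSecurityGroupName is for non-VPC groups; use SourceSecurityGroupId")
    if "SourceSecurityGroupId" in rule and not in_vpc:
        problems.append("SourceSecurityGroupId needs a VPC security group (set VpcId)")
    if "SourceSecurityGroupOwnerId" in rule and "SourceSecurityGroupName" not in rule:
        problems.append("SourceSecurityGroupOwnerId only applies with SourceSecurityGroupName")
    proto = str(rule.get("IpProtocol", "")).lower()
    world = any(_is_world(rule.get(k)) for k in ("CidrIp", "CidrIpv6"))
    lo, hi = _port(rule.get("FromPort")), _port(rule.get("ToPort"))
    if proto == "-1":  # all protocols: any port range is ignored by EC2
        if "FromPort" in rule or "ToPort" in rule:
            problems.append("IpProtocol -1 means all ports; FromPort/ToPort are ignored")
        if world:
            problems.append("all protocols and ports open to the world")
    elif proto in ("tcp", "udp"):
        if "FromPort" not in rule or "ToPort" not in rule:
            problems.append("tcp/udp rules need FromPort and ToPort")
        elif lo is not None and hi is not None:  # both ports are literals
            if not 0 <= lo <= hi <= 65535:
                problems.append(f"bad port range {lo}-{hi}")
            elif world:
                exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
                if exposed:
                    problems.append(f"port(s) {exposed} open to the world")
    return problems

def check_template(template):
    """Return [(logical_id, direction, rule_index, problem), ...]."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        in_vpc = "VpcId" in props  # a VPC security group declares VpcId
        for direction in ("Ingress", "Egress"):
            for i, rule in enumerate(props.get("SecurityGroup" + direction, [])):
                for problem in check_rule(rule, direction, in_vpc):
                    findings.append((name, direction, i, problem))
    return findings

# Constructed sample template: a weak bastion group plus a VPC group with one
# correct rule, one malformed rule and a wide-open egress rule.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "BastionSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "SSH from anywhere (weak)",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}]}},
  "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "HTTP from the load balancer only",
    "VpcId": {"Ref": "VpcId"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": {"Ref": "WebServerPort"},
       "ToPort": {"Ref": "WebServerPort"},
       "SourceSecurityGroupId": {"Ref": "LoadBalancerSecurityGroup"}},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
       "CidrIp": "10.0.0.0/8", "SourceSecurityGroupName": "legacy"}],
    "SecurityGroupEgress": [
      {"IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}]}}}}""")

if __name__ == "__main__":
    for logical_id, direction, index, problem in check_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}/SecurityGroup{direction}[{index}]: {problem}")
```

Against the constructed template the script reports five findings: the bastion's SSH rule open to the world, two problems on the malformed web rule (two targets at once, and SourceSecurityGroupName on a VPC group), and two on the egress rule (ports given with IpProtocol -1, and everything open to 0.0.0.0/0). To run it on a real JSON template, replace SAMPLE_TEMPLATE with json.load of the file; YAML templates that use the !Ref short-form tags need a loader that understands CloudFormation tags, which is outside this example.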

Examples

Security Group with CidrIp

This rule allows SSH from any IPv4 address (0.0.0.0/0). Outside of a throwaway test, restrict CidrIp to the address range your administrators connect from, for example by passing the range in as a template parameter.

JSON

"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable SSH access via port 22",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : "22",
        "ToPort" : "22",
        "CidrIp" : "0.0.0.0/0"
      }
    ]
  }
}

YAML

InstanceSecurityGroup:
  Type: "AWS::EC2::SecurityGroup"
  Properties:
    GroupDescription: "Enable SSH access via port 22"
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort: "22"
        ToPort: "22"
        CidrIp: "0.0.0.0/0"

Security Group with a Security Group ID

This VPC security group admits traffic on the configured port only from members of the load balancer's security group, referenced by ID with SourceSecurityGroupId.

JSON

"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable HTTP access on the configured port",
    "VpcId" : { "Ref" : "VpcId" },
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : { "Ref" : "WebServerPort" },
        "ToPort" : { "Ref" : "WebServerPort" },
        "SourceSecurityGroupId" : { "Ref" : "LoadBalancerSecurityGroup" }
      }
    ]
  }
}

YAML

InstanceSecurityGroup:
  Type: "AWS::EC2::SecurityGroup"
  Properties:
    GroupDescription: "Enable HTTP access on the configured port"
    VpcId:
      Ref: "VpcId"
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort:
          Ref: "WebServerPort"
        ToPort:
          Ref: "WebServerPort"
        SourceSecurityGroupId:
          Ref: "LoadBalancerSecurityGroup"

Security Group with Multiple Ingress Rules

This snippet grants SSH access with CidrIp and HTTP access with SourceSecurityGroupName. Fn::GetAtt derives the SourceSecurityGroupName and SourceSecurityGroupOwnerId values from the Elastic Load Balancer. Because the security group has no VpcId, this is the non-VPC (EC2-Classic) form; a VPC security group would reference the load balancer's security group with SourceSecurityGroupId instead. As in the first example, the SSH rule is open to 0.0.0.0/0 and should be narrowed in real deployments.

JSON

"ElasticLoadBalancer" : {
  "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "Listeners" : [
      {
        "LoadBalancerPort" : "80",
        "InstancePort" : { "Ref" : "WebServerPort" },
        "Protocol" : "HTTP"
      }
    ],
    "HealthCheck" : {
      "Target" : { "Fn::Join" : [ "", [ "HTTP:", { "Ref" : "WebServerPort" }, "/" ] ] },
      "HealthyThreshold" : "3",
      "UnhealthyThreshold" : "5",
      "Interval" : "30",
      "Timeout" : "5"
    }
  }
},
"InstanceSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable SSH access and HTTP from the load balancer only",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : "22",
        "ToPort" : "22",
        "CidrIp" : "0.0.0.0/0"
      },
      {
        "IpProtocol" : "tcp",
        "FromPort" : { "Ref" : "WebServerPort" },
        "ToPort" : { "Ref" : "WebServerPort" },
        "SourceSecurityGroupOwnerId" : { "Fn::GetAtt" : [ "ElasticLoadBalancer", "SourceSecurityGroup.OwnerAlias" ] },
        "SourceSecurityGroupName" : { "Fn::GetAtt" : [ "ElasticLoadBalancer", "SourceSecurityGroup.GroupName" ] }
      }
    ]
  }
}

YAML

ElasticLoadBalancer:
  Type: "AWS::ElasticLoadBalancing::LoadBalancer"
  Properties:
    AvailabilityZones:
      Fn::GetAZs: ""
    Listeners:
      - LoadBalancerPort: "80"
        InstancePort:
          Ref: "WebServerPort"
        Protocol: "HTTP"
    HealthCheck:
      Target:
        Fn::Join:
          - ""
          - - "HTTP:"
            - Ref: "WebServerPort"
            - "/"
      HealthyThreshold: "3"
      UnhealthyThreshold: "5"
      Interval: "30"
      Timeout: "5"
InstanceSecurityGroup:
  Type: "AWS::EC2::SecurityGroup"
  Properties:
    GroupDescription: "Enable SSH access and HTTP from the load balancer only"
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort: "22"
        ToPort: "22"
        CidrIp: "0.0.0.0/0"
      - IpProtocol: "tcp"
        FromPort:
          Ref: "WebServerPort"
        ToPort:
          Ref: "WebServerPort"
        SourceSecurityGroupOwnerId:
          Fn::GetAtt:
            - "ElasticLoadBalancer"
            - "SourceSecurityGroup.OwnerAlias"
        SourceSecurityGroupName:
          Fn::GetAtt:
            - "ElasticLoadBalancer"
            - "SourceSecurityGroup.GroupName"

See Also