Amazon Elastic Compute Cloud

2024/10/30 - Amazon Elastic Compute Cloud - 3 new, 7 updated API methods

Changes: This release adds two new capabilities to VPC security groups: Security Group VPC Associations and Shared Security Groups.

DescribeSecurityGroupVpcAssociations (new)

Describes security group VPC associations made with AssociateSecurityGroupVpc.

See also: AWS API Documentation

Request Syntax

client.describe_security_group_vpc_associations(
    Filters=[
        {
            'Name': 'string',
            'Values': [
                'string',
            ]
        },
    ],
    NextToken='string',
    MaxResults=123,
    DryRun=True|False
)
type Filters

list

param Filters

Security group VPC association filters.

  • group-id : The security group ID.

  • vpc-id : The ID of the associated VPC.

  • vpc-owner-id : The account ID of the VPC owner.

  • state : The state of the association.

  • tag:<key> : The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.

  • tag-key : The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.

  • (dict) --

    A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.

    If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.

    • Name (string) --

      The name of the filter. Filter names are case-sensitive.

    • Values (list) --

      The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.

      • (string) --

type NextToken

string

param NextToken

The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.

type MaxResults

integer

param MaxResults

The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

rtype

dict

returns

Response Syntax

{
    'SecurityGroupVpcAssociations': [
        {
            'GroupId': 'string',
            'VpcId': 'string',
            'VpcOwnerId': 'string',
            'State': 'associating'|'associated'|'association-failed'|'disassociating'|'disassociated'|'disassociation-failed',
            'StateReason': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • SecurityGroupVpcAssociations (list) --

      The security group VPC associations.

      • (dict) --

        A security group association with a VPC that you made with AssociateSecurityGroupVpc.

        • GroupId (string) --

          The association's security group ID.

        • VpcId (string) --

          The association's VPC ID.

        • VpcOwnerId (string) --

          The Amazon Web Services account ID of the owner of the VPC.

        • State (string) --

          The association's state.

        • StateReason (string) --

          The association's state reason.

    • NextToken (string) --

      The token to include in another request to get the next page of items. This value is null when there are no more items to return.
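Because a shared security group's rules now apply in every VPC it is associated with, the first thing a reviewer wants from this call is an inventory: which VPCs, owned by whom, and in what state. The following is an added example written for this page, not code from the boto3 changelog or from AWS. It walks every page of DescribeSecurityGroupVpcAssociations with the group-id filter and buckets the results; the client is duck-typed, so the constructed FakeEc2 stand-in (two canned pages in the response shape shown above, filters accepted but not applied) lets it run offline, and a real boto3.client("ec2") can be passed in its place. Account, VPC and security group IDs are invented.

```python
"""Audit where a security group is associated, via DescribeSecurityGroupVpcAssociations.

Added example; not code from the boto3 changelog or from AWS. The client is
duck-typed: FakeEc2 below is a constructed stand-in that returns two pages in
the response shape shown on the page, so the module runs offline. For a live
run pass boto3.client("ec2") instead. Filter names (group-id) and state values
come from the page; account, VPC and security group IDs are invented.
"""

from typing import Dict, Iterator, List


def iter_associations(client, filters: List[Dict]) -> Iterator[Dict]:
    """Yield every association across all pages.

    The API ANDs the filters and ORs multiple Values within one filter; the
    NextToken from each page is fed back until the service stops returning one.
    """
    kwargs = {"Filters": filters, "MaxResults": 100}
    while True:
        page = client.describe_security_group_vpc_associations(**kwargs)
        yield from page.get("SecurityGroupVpcAssociations", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_group(client, group_id: str, my_account: str) -> Dict[str, List[Dict]]:
    """Bucket a shared group's associations by what a reviewer needs to act on.

    cross_account: live (associated/associating) associations into VPCs owned by
                   another account, where this group's rules now govern traffic
                   on interfaces you do not control
    failed:        association-failed / disassociation-failed, with StateReason
    pending:       associating / disassociating, i.e. not yet authoritative
    """
    buckets: Dict[str, List[Dict]] = {"cross_account": [], "failed": [], "pending": []}
    filters = [{"Name": "group-id", "Values": [group_id]}]
    for assoc in iter_associations(client, filters):
        state = assoc["State"]
        if state.endswith("-failed"):
            buckets["failed"].append(assoc)
        elif state in ("associating", "disassociating"):
            buckets["pending"].append(assoc)
        if state in ("associated", "associating") and assoc["VpcOwnerId"] != my_account:
            buckets["cross_account"].append(assoc)
    return buckets


class FakeEc2:
    """Constructed stand-in: two canned pages; filters are accepted but not applied."""

    PAGES = [
        {"SecurityGroupVpcAssociations": [
            {"GroupId": "sg-0aaa", "VpcId": "vpc-0001", "VpcOwnerId": "111111111111",
             "State": "associated", "StateReason": ""},
            {"GroupId": "sg-0aaa", "VpcId": "vpc-0002", "VpcOwnerId": "222222222222",
             "State": "associated", "StateReason": ""}],
         "NextToken": "page-2"},
        {"SecurityGroupVpcAssociations": [
            {"GroupId": "sg-0aaa", "VpcId": "vpc-0003", "VpcOwnerId": "111111111111",
             "State": "association-failed", "StateReason": "constructed failure reason"},
            {"GroupId": "sg-0aaa", "VpcId": "vpc-0004", "VpcOwnerId": "333333333333",
             "State": "associating", "StateReason": ""}]},
    ]

    def describe_security_group_vpc_associations(self, **kwargs):
        return self.PAGES[1] if kwargs.get("NextToken") == "page-2" else self.PAGES[0]


if __name__ == "__main__":
    # Swap FakeEc2() for boto3.client("ec2") to audit a real group.
    for bucket, rows in audit_group(FakeEc2(), "sg-0aaa", "111111111111").items():
        print(bucket, [(r["VpcId"], r["VpcOwnerId"], r["State"]) for r in rows])
```

An association that is still "associating" is counted as cross-account on purpose: it will be live shortly, and a reviewer should see it before it is.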

DisassociateSecurityGroupVpc (new)

Disassociates a security group from a VPC. You cannot disassociate the security group if any Elastic network interfaces in the associated VPC are still associated with the security group. Note that the disassociation is asynchronous and you can check the status of the request with DescribeSecurityGroupVpcAssociations.

See also: AWS API Documentation

Request Syntax

client.disassociate_security_group_vpc(
    GroupId='string',
    VpcId='string',
    DryRun=True|False
)
type GroupId

string

param GroupId

[REQUIRED]

A security group ID.

type VpcId

string

param VpcId

[REQUIRED]

A VPC ID.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

rtype

dict

returns

Response Syntax

{
    'State': 'associating'|'associated'|'association-failed'|'disassociating'|'disassociated'|'disassociation-failed'
}

Response Structure

  • (dict) --

    • State (string) --

      The state of the disassociation.

AssociateSecurityGroupVpc (new)

Associates a security group with another VPC in the same Region. This enables you to use the same security group with network interfaces and instances in the specified VPC.

Note

  • The VPC you want to associate the security group with must be in the same Region.

  • You can associate the security group with another VPC if your account owns the VPC or if the VPC was shared with you.

  • You must own the security group and the VPC that it was created in.

  • You cannot use this feature with default security groups.

  • You cannot use this feature with the default VPC.

See also: AWS API Documentation

Request Syntax

client.associate_security_group_vpc(
    GroupId='string',
    VpcId='string',
    DryRun=True|False
)
type GroupId

string

param GroupId

[REQUIRED]

A security group ID.

type VpcId

string

param VpcId

[REQUIRED]

A VPC ID.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

rtype

dict

returns

Response Syntax

{
    'State': 'associating'|'associated'|'association-failed'|'disassociating'|'disassociated'|'disassociation-failed'
}

Response Structure

  • (dict) --

    • State (string) --

      The state of the association.
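Both AssociateSecurityGroupVpc and DisassociateSecurityGroupVpc return only the initial State ("associating" or "disassociating"); the real outcome, including "association-failed" and the "disassociation-failed" case where a network interface in the VPC still uses the group, is only visible later through DescribeSecurityGroupVpcAssociations. The following added example (written for this page, not code from the boto3 changelog or from AWS) wraps both calls so that a caller blocks until a terminal state and gets an exception carrying StateReason on failure. FakeEc2 is a constructed stand-in that advances a pending state one poll later; a real boto3.client("ec2") can be passed instead. Group, VPC and account IDs are invented.

```python
"""Associate a security group with a second VPC (or disassociate it) and wait.

Added example; not code from the boto3 changelog or from AWS. Both
AssociateSecurityGroupVpc and DisassociateSecurityGroupVpc return only the
initial State ("associating" / "disassociating"); the outcome arrives
asynchronously and is read back through DescribeSecurityGroupVpcAssociations,
which is what the polling helper does. FakeEc2 is a constructed stand-in that
advances the state on each poll; pass boto3.client("ec2") for real calls.
Group, VPC and account IDs are invented.
"""

import time
from typing import Callable, Dict

TERMINAL = {"associated", "association-failed", "disassociated", "disassociation-failed"}


class AssociationError(RuntimeError):
    """Raised when the association ends in a *-failed state or never settles."""


def wait_for_terminal(client, group_id: str, vpc_id: str, *, attempts: int = 30,
                      delay: float = 2.0, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll the (group, vpc) association until it leaves associating/disassociating."""
    filters = [{"Name": "group-id", "Values": [group_id]},
               {"Name": "vpc-id", "Values": [vpc_id]}]
    for _ in range(attempts):
        page = client.describe_security_group_vpc_associations(Filters=filters)
        rows = page.get("SecurityGroupVpcAssociations", [])
        if rows and rows[0]["State"] in TERMINAL:
            return rows[0]
        sleep(delay)
    raise AssociationError(f"{group_id}/{vpc_id}: still pending after {attempts} polls")


def _settle(client, group_id: str, vpc_id: str, want: str, **poll) -> Dict:
    row = wait_for_terminal(client, group_id, vpc_id, **poll)
    if row["State"] != want:
        # e.g. disassociation-failed while an ENI in the VPC still uses the group
        raise AssociationError(f"{row['State']}: {row.get('StateReason') or 'no reason given'}")
    return row


def associate_and_wait(client, group_id: str, vpc_id: str, **poll) -> Dict:
    """Associate, then block until the service reports 'associated'."""
    client.associate_security_group_vpc(GroupId=group_id, VpcId=vpc_id)
    return _settle(client, group_id, vpc_id, "associated", **poll)


def disassociate_and_wait(client, group_id: str, vpc_id: str, **poll) -> Dict:
    """Disassociate, then block until the service reports 'disassociated'."""
    client.disassociate_security_group_vpc(GroupId=group_id, VpcId=vpc_id)
    return _settle(client, group_id, vpc_id, "disassociated", **poll)


class FakeEc2:
    """Constructed stand-in: a pending state becomes its outcome one poll later."""

    def __init__(self, eni_still_attached: bool = False):
        self.eni_still_attached = eni_still_attached
        self._rows: Dict[tuple, list] = {}   # (group, vpc) -> [current, outcome, reason]

    def associate_security_group_vpc(self, GroupId, VpcId, DryRun=False):
        self._rows[(GroupId, VpcId)] = ["associating", "associated", ""]
        return {"State": "associating"}

    def disassociate_security_group_vpc(self, GroupId, VpcId, DryRun=False):
        if self.eni_still_attached:
            outcome, reason = "disassociation-failed", "network interfaces still use the group (constructed)"
        else:
            outcome, reason = "disassociated", ""
        self._rows[(GroupId, VpcId)] = ["disassociating", outcome, reason]
        return {"State": "disassociating"}

    def describe_security_group_vpc_associations(self, Filters, **kwargs):
        wanted = {f["Name"]: f["Values"][0] for f in Filters}
        key = (wanted["group-id"], wanted["vpc-id"])
        current, outcome, reason = self._rows[key]
        self._rows[key] = [outcome, outcome, reason]   # transition happens between polls
        return {"SecurityGroupVpcAssociations": [
            {"GroupId": key[0], "VpcId": key[1], "VpcOwnerId": "111111111111",
             "State": current, "StateReason": reason}]}


if __name__ == "__main__":
    ec2 = FakeEc2()   # or boto3.client("ec2")
    print(associate_and_wait(ec2, "sg-0aaa", "vpc-0002", delay=0)["State"])
    print(disassociate_and_wait(ec2, "sg-0aaa", "vpc-0002", delay=0)["State"])
```

The sleep function is injectable so the polling loop can be exercised without real delays; in production leave the default and pick attempts and delay to fit the change window.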

AuthorizeSecurityGroupEgress (updated)
Changes (response)
{'SecurityGroupRules': {'SecurityGroupRuleArn': 'string'}}

Adds the specified outbound (egress) rules to a security group.

An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address ranges, the IP address ranges specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules.

You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP type and code.

Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.

For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .

For information about security group quotas, see Amazon VPC quotas in the Amazon VPC User Guide .

See also: AWS API Documentation

Request Syntax

client.authorize_security_group_egress(
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    DryRun=True|False,
    GroupId='string',
    SourceSecurityGroupName='string',
    SourceSecurityGroupOwnerId='string',
    IpProtocol='string',
    FromPort=123,
    ToPort=123,
    CidrIp='string',
    IpPermissions=[
        {
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'UserIdGroupPairs': [
                {
                    'Description': 'string',
                    'UserId': 'string',
                    'GroupName': 'string',
                    'GroupId': 'string',
                    'VpcId': 'string',
                    'VpcPeeringConnectionId': 'string',
                    'PeeringStatus': 'string'
                },
            ],
            'IpRanges': [
                {
                    'Description': 'string',
                    'CidrIp': 'string'
                },
            ],
            'Ipv6Ranges': [
                {
                    'Description': 'string',
                    'CidrIpv6': 'string'
                },
            ],
            'PrefixListIds': [
                {
                    'Description': 'string',
                    'PrefixListId': 'string'
                },
            ]
        },
    ]
)
type TagSpecifications

list

param TagSpecifications

The tags applied to the security group rule.

  • (dict) --

    The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.

    Note

    The Valid Values lists all the resource types that can be tagged. However, the action you're using might not support tagging all of these resource types. If you try to tag a resource type that is unsupported for the action you're using, you'll get an error.

    • ResourceType (string) --

      The type of resource to tag on creation.

    • Tags (list) --

      The tags to apply to the resource.

      • (dict) --

        Describes a tag.

        • Key (string) --

          The key of the tag.

          Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

        • Value (string) --

          The value of the tag.

          Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

type GroupId

string

param GroupId

[REQUIRED]

The ID of the security group.

type SourceSecurityGroupName

string

param SourceSecurityGroupName

Not supported. Use IP permissions instead.

type SourceSecurityGroupOwnerId

string

param SourceSecurityGroupOwnerId

Not supported. Use IP permissions instead.

type IpProtocol

string

param IpProtocol

Not supported. Use IP permissions instead.

type FromPort

integer

param FromPort

Not supported. Use IP permissions instead.

type ToPort

integer

param ToPort

Not supported. Use IP permissions instead.

type CidrIp

string

param CidrIp

Not supported. Use IP permissions instead.

type IpPermissions

list

param IpPermissions

The permissions for the security group rules.

  • (dict) --

    Describes the permissions for a security group rule.

    • IpProtocol (string) --

      The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

      Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

    • FromPort (integer) --

      If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

    • ToPort (integer) --

      If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

    • UserIdGroupPairs (list) --

      The security group and Amazon Web Services account ID pairs.

      • (dict) --

        Describes a security group and Amazon Web Services account ID pair.

        • Description (string) --

          A description for the security group rule that references this user ID group pair.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • UserId (string) --

          The ID of an Amazon Web Services account.

          For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

        • GroupName (string) --

          [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

          For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

        • GroupId (string) --

          The ID of the security group.

        • VpcId (string) --

          The ID of the VPC for the referenced security group, if applicable.

        • VpcPeeringConnectionId (string) --

          The ID of the VPC peering connection, if applicable.

        • PeeringStatus (string) --

          The status of a VPC peering connection, if applicable.

    • IpRanges (list) --

      The IPv4 address ranges.

      • (dict) --

        Describes an IPv4 address range.

        • Description (string) --

          A description for the security group rule that references this IPv4 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIp (string) --

          The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

    • Ipv6Ranges (list) --

      The IPv6 address ranges.

      • (dict) --

        Describes an IPv6 address range.

        • Description (string) --

          A description for the security group rule that references this IPv6 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIpv6 (string) --

          The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

    • PrefixListIds (list) --

      The prefix list IDs.

      • (dict) --

        Describes a prefix list ID.

        • Description (string) --

          A description for the security group rule that references this prefix list ID.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • PrefixListId (string) --

          The ID of the prefix list.

rtype

dict

returns

Response Syntax

{
    'Return': True|False,
    'SecurityGroupRules': [
        {
            'SecurityGroupRuleId': 'string',
            'GroupId': 'string',
            'GroupOwnerId': 'string',
            'IsEgress': True|False,
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'CidrIpv4': 'string',
            'CidrIpv6': 'string',
            'PrefixListId': 'string',
            'ReferencedGroupInfo': {
                'GroupId': 'string',
                'PeeringStatus': 'string',
                'UserId': 'string',
                'VpcId': 'string',
                'VpcPeeringConnectionId': 'string'
            },
            'Description': 'string',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'SecurityGroupRuleArn': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Return (boolean) --

      Returns true if the request succeeds; otherwise, returns an error.

    • SecurityGroupRules (list) --

      Information about the outbound (egress) security group rules that were added.

      • (dict) --

        Describes a security group rule.

        • SecurityGroupRuleId (string) --

          The ID of the security group rule.

        • GroupId (string) --

          The ID of the security group.

        • GroupOwnerId (string) --

          The ID of the Amazon Web Services account that owns the security group.

        • IsEgress (boolean) --

          Indicates whether the security group rule is an outbound rule.

        • IpProtocol (string) --

          The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

          Use -1 to specify all protocols.

        • FromPort (integer) --

          If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

        • ToPort (integer) --

          If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

        • CidrIpv4 (string) --

          The IPv4 CIDR range.

        • CidrIpv6 (string) --

          The IPv6 CIDR range.

        • PrefixListId (string) --

          The ID of the prefix list.

        • ReferencedGroupInfo (dict) --

          Describes the security group that is referenced in the rule.

          • GroupId (string) --

            The ID of the security group.

          • PeeringStatus (string) --

            The status of a VPC peering connection, if applicable.

          • UserId (string) --

            The Amazon Web Services account ID.

          • VpcId (string) --

            The ID of the VPC.

          • VpcPeeringConnectionId (string) --

            The ID of the VPC peering connection (if applicable).

        • Description (string) --

          The security group rule description.

        • Tags (list) --

          The tags applied to the security group rule.

          • (dict) --

            Describes a tag.

            • Key (string) --

              The key of the tag.

              Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

            • Value (string) --

              The value of the tag.

              Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

        • SecurityGroupRuleArn (string) --

          The ARN of the security group rule.

AuthorizeSecurityGroupIngress (updated)
Changes (response)
{'SecurityGroupRules': {'SecurityGroupRuleArn': 'string'}}

Adds the specified inbound (ingress) rules to a security group.

An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see Security group rules.

You must specify exactly one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.

Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.

For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .

For more information about security group quotas, see Amazon VPC quotas in the Amazon VPC User Guide .

See also: AWS API Documentation

Request Syntax

client.authorize_security_group_ingress(
    CidrIp='string',
    FromPort=123,
    GroupId='string',
    GroupName='string',
    IpPermissions=[
        {
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'UserIdGroupPairs': [
                {
                    'Description': 'string',
                    'UserId': 'string',
                    'GroupName': 'string',
                    'GroupId': 'string',
                    'VpcId': 'string',
                    'VpcPeeringConnectionId': 'string',
                    'PeeringStatus': 'string'
                },
            ],
            'IpRanges': [
                {
                    'Description': 'string',
                    'CidrIp': 'string'
                },
            ],
            'Ipv6Ranges': [
                {
                    'Description': 'string',
                    'CidrIpv6': 'string'
                },
            ],
            'PrefixListIds': [
                {
                    'Description': 'string',
                    'PrefixListId': 'string'
                },
            ]
        },
    ],
    IpProtocol='string',
    SourceSecurityGroupName='string',
    SourceSecurityGroupOwnerId='string',
    ToPort=123,
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    DryRun=True|False
)
type CidrIp

string

param CidrIp

The IPv4 address range, in CIDR format.

To specify an IPv6 address range, use IP permissions instead.

To specify multiple rules and descriptions for the rules, use IP permissions instead.

type FromPort

integer

param FromPort

If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP, this is the ICMP type or -1 (all ICMP types).

To specify multiple rules and descriptions for the rules, use IP permissions instead.

type GroupId

string

param GroupId

The ID of the security group.

type GroupName

string

param GroupName

[Default VPC] The name of the security group. For security groups for a default VPC you can specify either the ID or the name of the security group. For security groups for a nondefault VPC, you must specify the ID of the security group.

type IpPermissions

list

param IpPermissions

The permissions for the security group rules.

  • (dict) --

    Describes the permissions for a security group rule.

    • IpProtocol (string) --

      The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

      Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

    • FromPort (integer) --

      If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

    • ToPort (integer) --

      If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

    • UserIdGroupPairs (list) --

      The security group and Amazon Web Services account ID pairs.

      • (dict) --

        Describes a security group and Amazon Web Services account ID pair.

        • Description (string) --

          A description for the security group rule that references this user ID group pair.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • UserId (string) --

          The ID of an Amazon Web Services account.

          For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

        • GroupName (string) --

          [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

          For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

        • GroupId (string) --

          The ID of the security group.

        • VpcId (string) --

          The ID of the VPC for the referenced security group, if applicable.

        • VpcPeeringConnectionId (string) --

          The ID of the VPC peering connection, if applicable.

        • PeeringStatus (string) --

          The status of a VPC peering connection, if applicable.

    • IpRanges (list) --

      The IPv4 address ranges.

      • (dict) --

        Describes an IPv4 address range.

        • Description (string) --

          A description for the security group rule that references this IPv4 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIp (string) --

          The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

    • Ipv6Ranges (list) --

      The IPv6 address ranges.

      • (dict) --

        Describes an IPv6 address range.

        • Description (string) --

          A description for the security group rule that references this IPv6 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIpv6 (string) --

          The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

    • PrefixListIds (list) --

      The prefix list IDs.

      • (dict) --

        Describes a prefix list ID.

        • Description (string) --

          A description for the security group rule that references this prefix list ID.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • PrefixListId (string) --

          The ID of the prefix list.

type IpProtocol

string

param IpProtocol

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). To specify all protocols, use -1.

To specify icmpv6, use IP permissions instead.

If you specify a protocol other than one of the supported values, traffic is allowed on all ports, regardless of any ports that you specify.

To specify multiple rules and descriptions for the rules, use IP permissions instead.

type SourceSecurityGroupName

string

param SourceSecurityGroupName

[Default VPC] The name of the source security group.

The rule grants full ICMP, UDP, and TCP access. To create a rule with a specific protocol and port range, specify a set of IP permissions instead.

type SourceSecurityGroupOwnerId

string

param SourceSecurityGroupOwnerId

The Amazon Web Services account ID for the source security group, if the source security group is in a different account.

The rule grants full ICMP, UDP, and TCP access. To create a rule with a specific protocol and port range, use IP permissions instead.

type ToPort

integer

param ToPort

If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

To specify multiple rules and descriptions for the rules, use IP permissions instead.

type TagSpecifications

list

param TagSpecifications

The tags applied to the security group rule.

  • (dict) --

    The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag; otherwise, the request fails.

    Note

    The Valid Values list contains all the resource types that can be tagged. However, the action you're using might not support tagging all of these resource types. If you try to tag a resource type that is unsupported for the action you're using, you'll get an error.

    • ResourceType (string) --

      The type of resource to tag on creation.

    • Tags (list) --

      The tags to apply to the resource.

      • (dict) --

        Describes a tag.

        • Key (string) --

          The key of the tag.

          Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

        • Value (string) --

          The value of the tag.

          Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

rtype

dict

returns

Response Syntax

{
    'Return': True|False,
    'SecurityGroupRules': [
        {
            'SecurityGroupRuleId': 'string',
            'GroupId': 'string',
            'GroupOwnerId': 'string',
            'IsEgress': True|False,
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'CidrIpv4': 'string',
            'CidrIpv6': 'string',
            'PrefixListId': 'string',
            'ReferencedGroupInfo': {
                'GroupId': 'string',
                'PeeringStatus': 'string',
                'UserId': 'string',
                'VpcId': 'string',
                'VpcPeeringConnectionId': 'string'
            },
            'Description': 'string',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'SecurityGroupRuleArn': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Return (boolean) --

      Returns true if the request succeeds; otherwise, returns an error.

    • SecurityGroupRules (list) --

      Information about the inbound (ingress) security group rules that were added.

      • (dict) --

        Describes a security group rule.

        • SecurityGroupRuleId (string) --

          The ID of the security group rule.

        • GroupId (string) --

          The ID of the security group.

        • GroupOwnerId (string) --

          The ID of the Amazon Web Services account that owns the security group.

        • IsEgress (boolean) --

          Indicates whether the security group rule is an outbound rule.

        • IpProtocol (string) --

          The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

          Use -1 to specify all protocols.

        • FromPort (integer) --

          If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

        • ToPort (integer) --

          If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

        • CidrIpv4 (string) --

          The IPv4 CIDR range.

        • CidrIpv6 (string) --

          The IPv6 CIDR range.

        • PrefixListId (string) --

          The ID of the prefix list.

        • ReferencedGroupInfo (dict) --

          Describes the security group that is referenced in the rule.

          • GroupId (string) --

            The ID of the security group.

          • PeeringStatus (string) --

            The status of a VPC peering connection, if applicable.

          • UserId (string) --

            The Amazon Web Services account ID.

          • VpcId (string) --

            The ID of the VPC.

          • VpcPeeringConnectionId (string) --

            The ID of the VPC peering connection (if applicable).

        • Description (string) --

          The security group rule description.

        • Tags (list) --

          The tags applied to the security group rule.

          • (dict) --

            Describes a tag.

            • Key (string) --

              The key of the tag.

              Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

            • Value (string) --

              The value of the tag.

              Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

        • SecurityGroupRuleArn (string) --

          The ARN of the security group rule.

CreateSecurityGroup (updated) Link ¶
Changes (response)
{'SecurityGroupArn': 'string'}

Creates a security group.

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. For more information, see Amazon EC2 security groups in the Amazon Elastic Compute Cloud User Guide and Security groups for your VPC in the Amazon Virtual Private Cloud User Guide .

When you create a security group, you specify a friendly name of your choice. You can't have two security groups for the same VPC with the same name.

You have a default security group for use in your VPC. If you don't specify a security group when you launch an instance, the instance is launched into the appropriate default security group. A default security group includes a default rule that grants instances unrestricted network access to each other.

You can add or remove rules from your security groups using AuthorizeSecurityGroupIngress, AuthorizeSecurityGroupEgress, RevokeSecurityGroupIngress, and RevokeSecurityGroupEgress.

For more information about VPC security group limits, see Amazon VPC Limits.

See also: AWS API Documentation

Request Syntax

client.create_security_group(
    Description='string',
    GroupName='string',
    VpcId='string',
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    DryRun=True|False
)
type Description

string

param Description

[REQUIRED]

A description for the security group.

Constraints: Up to 255 characters in length

Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

type GroupName

string

param GroupName

[REQUIRED]

The name of the security group.

Constraints: Up to 255 characters in length. Cannot start with sg-.

Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

type VpcId

string

param VpcId

The ID of the VPC. Required for a nondefault VPC.

type TagSpecifications

list

param TagSpecifications

The tags to assign to the security group.

  • (dict) --

    The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag; otherwise, the request fails.

    Note

    The Valid Values list contains all the resource types that can be tagged. However, the action you're using might not support tagging all of these resource types. If you try to tag a resource type that is unsupported for the action you're using, you'll get an error.

    • ResourceType (string) --

      The type of resource to tag on creation.

    • Tags (list) --

      The tags to apply to the resource.

      • (dict) --

        Describes a tag.

        • Key (string) --

          The key of the tag.

          Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

        • Value (string) --

          The value of the tag.

          Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

rtype

dict

returns

Response Syntax

{
    'GroupId': 'string',
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'SecurityGroupArn': 'string'
}

Response Structure

  • (dict) --

    • GroupId (string) --

      The ID of the security group.

    • Tags (list) --

      The tags assigned to the security group.

      • (dict) --

        Describes a tag.

        • Key (string) --

          The key of the tag.

          Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

        • Value (string) --

          The value of the tag.

          Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

    • SecurityGroupArn (string) --

      The security group ARN.

DescribeSecurityGroupRules (updated) Link ¶
Changes (response)
{'SecurityGroupRules': {'SecurityGroupRuleArn': 'string'}}

Describes one or more of your security group rules.

See also: AWS API Documentation

Request Syntax

client.describe_security_group_rules(
    Filters=[
        {
            'Name': 'string',
            'Values': [
                'string',
            ]
        },
    ],
    SecurityGroupRuleIds=[
        'string',
    ],
    DryRun=True|False,
    NextToken='string',
    MaxResults=123
)
type Filters

list

param Filters

One or more filters.

  • group-id - The ID of the security group.

  • security-group-rule-id - The ID of the security group rule.

  • tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.

  • (dict) --

    A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.

    If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.

    • Name (string) --

      The name of the filter. Filter names are case-sensitive.

    • Values (list) --

      The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.

      • (string) --

type SecurityGroupRuleIds

list

param SecurityGroupRuleIds

The IDs of the security group rules.

  • (string) --

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

type NextToken

string

param NextToken

The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.

type MaxResults

integer

param MaxResults

The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. This value can be between 5 and 1000. If this parameter is not specified, then all items are returned. For more information, see Pagination.

rtype

dict

returns

Response Syntax

{
    'SecurityGroupRules': [
        {
            'SecurityGroupRuleId': 'string',
            'GroupId': 'string',
            'GroupOwnerId': 'string',
            'IsEgress': True|False,
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'CidrIpv4': 'string',
            'CidrIpv6': 'string',
            'PrefixListId': 'string',
            'ReferencedGroupInfo': {
                'GroupId': 'string',
                'PeeringStatus': 'string',
                'UserId': 'string',
                'VpcId': 'string',
                'VpcPeeringConnectionId': 'string'
            },
            'Description': 'string',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'SecurityGroupRuleArn': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • SecurityGroupRules (list) --

      Information about security group rules.

      • (dict) --

        Describes a security group rule.

        • SecurityGroupRuleId (string) --

          The ID of the security group rule.

        • GroupId (string) --

          The ID of the security group.

        • GroupOwnerId (string) --

          The ID of the Amazon Web Services account that owns the security group.

        • IsEgress (boolean) --

          Indicates whether the security group rule is an outbound rule.

        • IpProtocol (string) --

          The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

          Use -1 to specify all protocols.

        • FromPort (integer) --

          If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

        • ToPort (integer) --

          If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

        • CidrIpv4 (string) --

          The IPv4 CIDR range.

        • CidrIpv6 (string) --

          The IPv6 CIDR range.

        • PrefixListId (string) --

          The ID of the prefix list.

        • ReferencedGroupInfo (dict) --

          Describes the security group that is referenced in the rule.

          • GroupId (string) --

            The ID of the security group.

          • PeeringStatus (string) --

            The status of a VPC peering connection, if applicable.

          • UserId (string) --

            The Amazon Web Services account ID.

          • VpcId (string) --

            The ID of the VPC.

          • VpcPeeringConnectionId (string) --

            The ID of the VPC peering connection (if applicable).

        • Description (string) --

          The security group rule description.

        • Tags (list) --

          The tags applied to the security group rule.

          • (dict) --

            Describes a tag.

            • Key (string) --

              The key of the tag.

              Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

            • Value (string) --

              The value of the tag.

              Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

        • SecurityGroupRuleArn (string) --

          The ARN of the security group rule.

    • NextToken (string) --

      The token to include in another request to get the next page of items. This value is null when there are no more items to return.

DescribeSecurityGroups (updated) Link ¶
Changes (response)
{'SecurityGroups': {'SecurityGroupArn': 'string'}}

Describes the specified security groups or all of your security groups.

See also: AWS API Documentation

Request Syntax

client.describe_security_groups(
    GroupIds=[
        'string',
    ],
    GroupNames=[
        'string',
    ],
    NextToken='string',
    MaxResults=123,
    DryRun=True|False,
    Filters=[
        {
            'Name': 'string',
            'Values': [
                'string',
            ]
        },
    ]
)
type GroupIds

list

param GroupIds

The IDs of the security groups. Required for security groups in a nondefault VPC.

Default: Describes all of your security groups.

  • (string) --

type GroupNames

list

param GroupNames

[Default VPC] The names of the security groups. You can specify either the security group name or the security group ID.

Default: Describes all of your security groups.

  • (string) --

type NextToken

string

param NextToken

The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.

type MaxResults

integer

param MaxResults

The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. This value can be between 5 and 1000. If this parameter is not specified, then all items are returned. For more information, see Pagination.

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

type Filters

list

param Filters

The filters. If using multiple filters for rules, the results include security groups for which any combination of rules - not necessarily a single rule - match all filters.

  • description - The description of the security group.

  • egress.ip-permission.cidr - An IPv4 CIDR block for an outbound security group rule.

  • egress.ip-permission.from-port - For an outbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.

  • egress.ip-permission.group-id - The ID of a security group that has been referenced in an outbound security group rule.

  • egress.ip-permission.group-name - The name of a security group that is referenced in an outbound security group rule.

  • egress.ip-permission.ipv6-cidr - An IPv6 CIDR block for an outbound security group rule.

  • egress.ip-permission.prefix-list-id - The ID of a prefix list to which a security group rule allows outbound access.

  • egress.ip-permission.protocol - The IP protocol for an outbound security group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols).

  • egress.ip-permission.to-port - For an outbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.

  • egress.ip-permission.user-id - The ID of an Amazon Web Services account that has been referenced in an outbound security group rule.

  • group-id - The ID of the security group.

  • group-name - The name of the security group.

  • ip-permission.cidr - An IPv4 CIDR block for an inbound security group rule.

  • ip-permission.from-port - For an inbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.

  • ip-permission.group-id - The ID of a security group that has been referenced in an inbound security group rule.

  • ip-permission.group-name - The name of a security group that is referenced in an inbound security group rule.

  • ip-permission.ipv6-cidr - An IPv6 CIDR block for an inbound security group rule.

  • ip-permission.prefix-list-id - The ID of a prefix list from which a security group rule allows inbound access.

  • ip-permission.protocol - The IP protocol for an inbound security group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols).

  • ip-permission.to-port - For an inbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.

  • ip-permission.user-id - The ID of an Amazon Web Services account that has been referenced in an inbound security group rule.

  • owner-id - The Amazon Web Services account ID of the owner of the security group.

  • tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.

  • tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.

  • vpc-id - The ID of the VPC specified when the security group was created.

  • (dict) --

    A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.

    If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.

    • Name (string) --

      The name of the filter. Filter names are case-sensitive.

    • Values (list) --

      The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.

      • (string) --
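Two statements on this page are easy to misread in an exposure review: the DescribeSecurityGroups filters are satisfied by any combination of a group's rules rather than by a single rule, and an IpProtocol of -1 (or a protocol number other than tcp, udp, icmp, icmpv6) allows all ports regardless of the port range given. The following is an added example, not code from the boto3 documentation: it re-checks a describe_security_groups() shaped response client-side under both readings and flags rules whose port range has no effect. The sample response and its group IDs are constructed.

```python
import ipaddress

# Protocols for which EC2 applies FromPort/ToPort (name -> protocol number).
# For -1 or any other protocol number the port range is ignored and traffic
# is allowed on all ports, as the IpProtocol notes on this page state.
PORT_SCOPED_PROTOCOLS = {"tcp": "6", "udp": "17", "icmp": "1", "icmpv6": "58"}


def port_range_applies(ip_protocol) -> bool:
    """True if EC2 honours FromPort/ToPort for this IpProtocol value."""
    proto = str(ip_protocol).lower()
    return proto in PORT_SCOPED_PROTOCOLS or proto in PORT_SCOPED_PROTOCOLS.values()


def rule_covers_cidr(perm: dict, cidr: str) -> bool:
    """True if one IpPermissions entry admits the whole of `cidr` (IPv4 or IPv6)."""
    target = ipaddress.ip_network(cidr, strict=False)
    ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    for text in ranges:
        net = ipaddress.ip_network(text, strict=False)
        if net.version == target.version and target.subnet_of(net):
            return True
    return False


def rule_covers_port(perm: dict, port: int, proto: str = "tcp") -> bool:
    """True if one IpPermissions entry admits `port` over tcp or udp."""
    if proto not in ("tcp", "udp"):
        raise ValueError("port matching only applies to tcp/udp")
    rule_proto = str(perm.get("IpProtocol", "")).lower()
    if rule_proto == "-1":
        return True  # all protocols and all ports; FromPort/ToPort are ignored
    if rule_proto not in (proto, PORT_SCOPED_PROTOCOLS[proto]):
        return False  # icmp, another protocol number, or the other of tcp/udp
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def groups_matching(response: dict, cidr: str, port: int, single_rule: bool) -> list:
    """GroupIds whose inbound rules admit `port` from `cidr`.

    single_rule=False mirrors the server-side filter semantics stated for
    DescribeSecurityGroups (any combination of rules may satisfy the filters);
    single_rule=True requires one rule to satisfy both conditions.
    """
    hits = []
    for sg in response.get("SecurityGroups", []):
        perms = sg.get("IpPermissions", [])
        if single_rule:
            ok = any(rule_covers_cidr(p, cidr) and rule_covers_port(p, port)
                     for p in perms)
        else:
            ok = (any(rule_covers_cidr(p, cidr) for p in perms)
                  and any(rule_covers_port(p, port) for p in perms))
        if ok:
            hits.append(sg["GroupId"])
    return hits


def rules_with_ignored_port_range(response: dict) -> list:
    """(GroupId, IpProtocol) for rules that carry a port range EC2 ignores.

    Such a rule reads as if it were limited to a port, but for -1 and for
    protocol numbers other than tcp/udp/icmp/icmpv6 the range has no effect.
    """
    findings = []
    for sg in response.get("SecurityGroups", []):
        for p in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            has_range = p.get("FromPort", -1) != -1 or p.get("ToPort", -1) != -1
            if has_range and not port_range_applies(p.get("IpProtocol", "")):
                findings.append((sg["GroupId"], str(p["IpProtocol"])))
    return findings


# Constructed sample in the shape of the describe_security_groups() response.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {   # 443 open to the world, 22 only from a private range
            "GroupId": "sg-0aaa111",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            ],
        },
        {   # 22 open to the world in a single rule
            "GroupId": "sg-0bbb222",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        },
        {   # -1 with a port range the API ignores: everything is open
            "GroupId": "sg-0ccc333",
            "IpPermissions": [
                {"IpProtocol": "-1", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        },
    ]
}
```

Against a live account, feed each page returned by client.get_paginator('describe_security_groups') through these functions; the first group above is the one a server-side filter on ip-permission.cidr plus ip-permission.from-port would return even though no single rule exposes port 22 to 0.0.0.0/0.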

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'SecurityGroups': [
        {
            'GroupId': 'string',
            'IpPermissionsEgress': [
                {
                    'IpProtocol': 'string',
                    'FromPort': 123,
                    'ToPort': 123,
                    'UserIdGroupPairs': [
                        {
                            'Description': 'string',
                            'UserId': 'string',
                            'GroupName': 'string',
                            'GroupId': 'string',
                            'VpcId': 'string',
                            'VpcPeeringConnectionId': 'string',
                            'PeeringStatus': 'string'
                        },
                    ],
                    'IpRanges': [
                        {
                            'Description': 'string',
                            'CidrIp': 'string'
                        },
                    ],
                    'Ipv6Ranges': [
                        {
                            'Description': 'string',
                            'CidrIpv6': 'string'
                        },
                    ],
                    'PrefixListIds': [
                        {
                            'Description': 'string',
                            'PrefixListId': 'string'
                        },
                    ]
                },
            ],
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'VpcId': 'string',
            'SecurityGroupArn': 'string',
            'OwnerId': 'string',
            'GroupName': 'string',
            'Description': 'string',
            'IpPermissions': [
                {
                    'IpProtocol': 'string',
                    'FromPort': 123,
                    'ToPort': 123,
                    'UserIdGroupPairs': [
                        {
                            'Description': 'string',
                            'UserId': 'string',
                            'GroupName': 'string',
                            'GroupId': 'string',
                            'VpcId': 'string',
                            'VpcPeeringConnectionId': 'string',
                            'PeeringStatus': 'string'
                        },
                    ],
                    'IpRanges': [
                        {
                            'Description': 'string',
                            'CidrIp': 'string'
                        },
                    ],
                    'Ipv6Ranges': [
                        {
                            'Description': 'string',
                            'CidrIpv6': 'string'
                        },
                    ],
                    'PrefixListIds': [
                        {
                            'Description': 'string',
                            'PrefixListId': 'string'
                        },
                    ]
                },
            ]
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      The token to include in another request to get the next page of items. This value is null when there are no more items to return.

    • SecurityGroups (list) --

      Information about the security groups.

      • (dict) --

        Describes a security group.

        • GroupId (string) --

          The ID of the security group.

        • IpPermissionsEgress (list) --

          The outbound rules associated with the security group.

          • (dict) --

            Describes the permissions for a security group rule.

            • IpProtocol (string) --

              The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

              Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

            • FromPort (integer) --

              If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

            • ToPort (integer) --

              If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

            • UserIdGroupPairs (list) --

              The security group and Amazon Web Services account ID pairs.

              • (dict) --

                Describes a security group and Amazon Web Services account ID pair.

                • Description (string) --

                  A description for the security group rule that references this user ID group pair.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

                • UserId (string) --

                  The ID of an Amazon Web Services account.

                  For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

                • GroupName (string) --

                  [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

                  For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

                • GroupId (string) --

                  The ID of the security group.

                • VpcId (string) --

                  The ID of the VPC for the referenced security group, if applicable.

                • VpcPeeringConnectionId (string) --

                  The ID of the VPC peering connection, if applicable.

                • PeeringStatus (string) --

                  The status of a VPC peering connection, if applicable.

            • IpRanges (list) --

              The IPv4 address ranges.

              • (dict) --

                Describes an IPv4 address range.

                • Description (string) --

                  A description for the security group rule that references this IPv4 address range.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

                • CidrIp (string) --

                  The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

            • Ipv6Ranges (list) --

              The IPv6 address ranges.

              • (dict) --

                Describes an IPv6 address range.

                • Description (string) --

                  A description for the security group rule that references this IPv6 address range.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

                • CidrIpv6 (string) --

                  The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

            • PrefixListIds (list) --

              The prefix list IDs.

              • (dict) --

                Describes a prefix list ID.

                • Description (string) --

                  A description for the security group rule that references this prefix list ID.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

                • PrefixListId (string) --

                  The ID of the prefix.

        • Tags (list) --

          Any tags assigned to the security group.

          • (dict) --

            Describes a tag.

            • Key (string) --

              The key of the tag.

              Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with "aws:".

            • Value (string) --

              The value of the tag.

              Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

        • VpcId (string) --

          The ID of the VPC for the security group.

        • SecurityGroupArn (string) --

          The ARN of the security group.

        • OwnerId (string) --

          The Amazon Web Services account ID of the owner of the security group.

        • GroupName (string) --

          The name of the security group.

        • Description (string) --

          A description of the security group.

        • IpPermissions (list) --

          The inbound rules associated with the security group.

          • (dict) --

            Describes the permissions for a security group rule.

            • IpProtocol (string) --

              The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

              Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

            • FromPort (integer) --

              If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

            • ToPort (integer) --

              If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

            • UserIdGroupPairs (list) --

              The security group and Amazon Web Services account ID pairs.

              • (dict) --

                Describes a security group and Amazon Web Services account ID pair.

                • Description (string) --

                  A description for the security group rule that references this user ID group pair.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

                • UserId (string) --

                  The ID of an Amazon Web Services account.

                  For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

                • GroupName (string) --

                  [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

                  For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

                • GroupId (string) --

                  The ID of the security group.

                • VpcId (string) --

                  The ID of the VPC for the referenced security group, if applicable.

                • VpcPeeringConnectionId (string) --

                  The ID of the VPC peering connection, if applicable.

                • PeeringStatus (string) --

                  The status of a VPC peering connection, if applicable.

            • IpRanges (list) --

              The IPv4 address ranges.

              • (dict) --

                Describes an IPv4 address range.

                • Description (string) --

                  A description for the security group rule that references this IPv4 address range.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

                • CidrIp (string) --

                  The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

            • Ipv6Ranges (list) --

              The IPv6 address ranges.

              • (dict) --

                Describes an IPv6 address range.

                • Description (string) --

                  A description for the security group rule that references this IPv6 address range.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

                • CidrIpv6 (string) --

                  The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

            • PrefixListIds (list) --

              The prefix list IDs.

              • (dict) --

                Describes a prefix list ID.

                • Description (string) --

                  A description for the security group rule that references this prefix list ID.

                  Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

                • PrefixListId (string) --

                  The ID of the prefix.

RevokeSecurityGroupEgress (updated)
Changes (response)
{'RevokedSecurityGroupRules': [{'CidrIpv4': 'string',
                                'CidrIpv6': 'string',
                                'Description': 'string',
                                'FromPort': 'integer',
                                'GroupId': 'string',
                                'IpProtocol': 'string',
                                'IsEgress': 'boolean',
                                'PrefixListId': 'string',
                                'ReferencedGroupId': 'string',
                                'SecurityGroupRuleId': 'string',
                                'ToPort': 'integer'}]}

Removes the specified outbound (egress) rules from the specified security group.

You can specify rules using either rule IDs or security group rule properties. If you use rule properties, the values that you specify (for example, ports) must match the existing rule's values exactly. Each rule has a protocol, from and to ports, and destination (CIDR range, security group, or prefix list). For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not need to specify the description to revoke the rule.

For a default VPC, if the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.

Amazon Web Services recommends that you describe the security group to verify that the rules were removed.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

See also: AWS API Documentation

Request Syntax

client.revoke_security_group_egress(
    SecurityGroupRuleIds=[
        'string',
    ],
    DryRun=True|False,
    GroupId='string',
    SourceSecurityGroupName='string',
    SourceSecurityGroupOwnerId='string',
    IpProtocol='string',
    FromPort=123,
    ToPort=123,
    CidrIp='string',
    IpPermissions=[
        {
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'UserIdGroupPairs': [
                {
                    'Description': 'string',
                    'UserId': 'string',
                    'GroupName': 'string',
                    'GroupId': 'string',
                    'VpcId': 'string',
                    'VpcPeeringConnectionId': 'string',
                    'PeeringStatus': 'string'
                },
            ],
            'IpRanges': [
                {
                    'Description': 'string',
                    'CidrIp': 'string'
                },
            ],
            'Ipv6Ranges': [
                {
                    'Description': 'string',
                    'CidrIpv6': 'string'
                },
            ],
            'PrefixListIds': [
                {
                    'Description': 'string',
                    'PrefixListId': 'string'
                },
            ]
        },
    ]
)
type SecurityGroupRuleIds

list

param SecurityGroupRuleIds

The IDs of the security group rules.

  • (string) --

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

type GroupId

string

param GroupId

[REQUIRED]

The ID of the security group.

type SourceSecurityGroupName

string

param SourceSecurityGroupName

Not supported. Use a set of IP permissions to specify a destination security group.

type SourceSecurityGroupOwnerId

string

param SourceSecurityGroupOwnerId

Not supported. Use a set of IP permissions to specify a destination security group.

type IpProtocol

string

param IpProtocol

Not supported. Use a set of IP permissions to specify the protocol name or number.

type FromPort

integer

param FromPort

Not supported. Use a set of IP permissions to specify the port.

type ToPort

integer

param ToPort

Not supported. Use a set of IP permissions to specify the port.

type CidrIp

string

param CidrIp

Not supported. Use a set of IP permissions to specify the CIDR.

type IpPermissions

list

param IpPermissions

The sets of IP permissions. You can't specify a destination security group and a CIDR IP address range in the same set of permissions.

  • (dict) --

    Describes the permissions for a security group rule.

    • IpProtocol (string) --

      The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

      Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

    • FromPort (integer) --

      If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

    • ToPort (integer) --

      If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

    • UserIdGroupPairs (list) --

      The security group and Amazon Web Services account ID pairs.

      • (dict) --

        Describes a security group and Amazon Web Services account ID pair.

        • Description (string) --

          A description for the security group rule that references this user ID group pair.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • UserId (string) --

          The ID of an Amazon Web Services account.

          For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

        • GroupName (string) --

          [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

          For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

        • GroupId (string) --

          The ID of the security group.

        • VpcId (string) --

          The ID of the VPC for the referenced security group, if applicable.

        • VpcPeeringConnectionId (string) --

          The ID of the VPC peering connection, if applicable.

        • PeeringStatus (string) --

          The status of a VPC peering connection, if applicable.

    • IpRanges (list) --

      The IPv4 address ranges.

      • (dict) --

        Describes an IPv4 address range.

        • Description (string) --

          A description for the security group rule that references this IPv4 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIp (string) --

          The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

    • Ipv6Ranges (list) --

      The IPv6 address ranges.

      • (dict) --

        Describes an IPv6 address range.

        • Description (string) --

          A description for the security group rule that references this IPv6 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIpv6 (string) --

          The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

    • PrefixListIds (list) --

      The prefix list IDs.

      • (dict) --

        Describes a prefix list ID.

        • Description (string) --

          A description for the security group rule that references this prefix list ID.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • PrefixListId (string) --

          The ID of the prefix.

rtype

dict

returns

Response Syntax

{
    'Return': True|False,
    'UnknownIpPermissions': [
        {
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'UserIdGroupPairs': [
                {
                    'Description': 'string',
                    'UserId': 'string',
                    'GroupName': 'string',
                    'GroupId': 'string',
                    'VpcId': 'string',
                    'VpcPeeringConnectionId': 'string',
                    'PeeringStatus': 'string'
                },
            ],
            'IpRanges': [
                {
                    'Description': 'string',
                    'CidrIp': 'string'
                },
            ],
            'Ipv6Ranges': [
                {
                    'Description': 'string',
                    'CidrIpv6': 'string'
                },
            ],
            'PrefixListIds': [
                {
                    'Description': 'string',
                    'PrefixListId': 'string'
                },
            ]
        },
    ],
    'RevokedSecurityGroupRules': [
        {
            'SecurityGroupRuleId': 'string',
            'GroupId': 'string',
            'IsEgress': True|False,
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'CidrIpv4': 'string',
            'CidrIpv6': 'string',
            'PrefixListId': 'string',
            'ReferencedGroupId': 'string',
            'Description': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Return (boolean) --

      Returns true if the request succeeds; otherwise, returns an error.

    • UnknownIpPermissions (list) --

      The outbound rules that were unknown to the service. In some cases, unknownIpPermissionSet might be in a different format from the request parameter.

      • (dict) --

        Describes the permissions for a security group rule.

        • IpProtocol (string) --

          The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

          Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

        • FromPort (integer) --

          If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

        • ToPort (integer) --

          If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

        • UserIdGroupPairs (list) --

          The security group and Amazon Web Services account ID pairs.

          • (dict) --

            Describes a security group and Amazon Web Services account ID pair.

            • Description (string) --

              A description for the security group rule that references this user ID group pair.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

            • UserId (string) --

              The ID of an Amazon Web Services account.

              For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

            • GroupName (string) --

              [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

              For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

            • GroupId (string) --

              The ID of the security group.

            • VpcId (string) --

              The ID of the VPC for the referenced security group, if applicable.

            • VpcPeeringConnectionId (string) --

              The ID of the VPC peering connection, if applicable.

            • PeeringStatus (string) --

              The status of a VPC peering connection, if applicable.

        • IpRanges (list) --

          The IPv4 address ranges.

          • (dict) --

            Describes an IPv4 address range.

            • Description (string) --

              A description for the security group rule that references this IPv4 address range.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

            • CidrIp (string) --

              The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

        • Ipv6Ranges (list) --

          The IPv6 address ranges.

          • (dict) --

            Describes an IPv6 address range.

            • Description (string) --

              A description for the security group rule that references this IPv6 address range.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

            • CidrIpv6 (string) --

              The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

        • PrefixListIds (list) --

          The prefix list IDs.

          • (dict) --

            Describes a prefix list ID.

            • Description (string) --

              A description for the security group rule that references this prefix list ID.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

            • PrefixListId (string) --

              The ID of the prefix.

    • RevokedSecurityGroupRules (list) --

      Details about the revoked security group rules.

      • (dict) --

        A security group rule removed with RevokeSecurityGroupEgress or RevokeSecurityGroupIngress.

        • SecurityGroupRuleId (string) --

          A security group rule ID.

        • GroupId (string) --

          A security group ID.

        • IsEgress (boolean) --

          Defines if a security group rule is an outbound rule.

        • IpProtocol (string) --

          The security group rule's protocol.

        • FromPort (integer) --

          The 'from' port number of the security group rule.

        • ToPort (integer) --

          The 'to' port number of the security group rule.

        • CidrIpv4 (string) --

          The IPv4 CIDR of the traffic source.

        • CidrIpv6 (string) --

          The IPv6 CIDR of the traffic source.

        • PrefixListId (string) --

          The ID of a prefix list that's the traffic source.

        • ReferencedGroupId (string) --

          The ID of a referenced security group.

        • Description (string) --

          A description of the revoked security group rule.
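The egress and ingress revoke operations described above share the same pattern: the caller either passes rule IDs or reconstructs the rule's properties exactly, a default VPC reports non-matching rules in UnknownIpPermissions instead of raising, and AWS recommends describing the group afterwards to confirm the rules are really gone. The helpers below are an added example written for this page, not boto3's or the EC2 service's own code. They build IpPermissions entries in the shape shown in the request syntax, flag entries whose port range the service ignores (protocol -1 or an unnamed protocol number, as the IpProtocol description warns), read the RevokedSecurityGroupRules and UnknownIpPermissions parts of the response, and compare a follow-up DescribeSecurityGroups result against the revoked rules. No network calls are made; the security group ID, rule ID and responses are constructed sample data, and the mapping of protocol numbers 1, 6, 17 and 58 to icmp, tcp, udp and icmpv6 is the standard IANA assignment.

```python
"""Added example (not boto3's or AWS's own code): helpers around
revoke_security_group_egress / revoke_security_group_ingress.
All identifiers and responses below are constructed sample data."""

# Protocol names, plus the IANA numbers for the same protocols, whose
# FromPort/ToPort the service honours. For -1 or any other number the
# port range is ignored and the rule covers all ports.
PORT_AWARE = {"tcp", "udp", "icmp", "icmpv6", "6", "17", "1", "58"}


def permission(ip_protocol, from_port=None, to_port=None, *, cidr_ip=None,
               cidr_ipv6=None, prefix_list_id=None, group_id=None, user_id=None):
    """Build one IpPermissions entry; exactly one target kind per entry,
    because a CIDR and a referenced group cannot share one set."""
    targets = [t for t in (cidr_ip, cidr_ipv6, prefix_list_id, group_id) if t]
    if len(targets) != 1:
        raise ValueError("specify exactly one of cidr_ip, cidr_ipv6, prefix_list_id, group_id")
    perm = {"IpProtocol": str(ip_protocol)}
    if from_port is not None:
        perm["FromPort"] = from_port
    if to_port is not None:
        perm["ToPort"] = to_port
    if cidr_ip:
        perm["IpRanges"] = [{"CidrIp": cidr_ip}]
    if cidr_ipv6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr_ipv6}]
    if prefix_list_id:
        perm["PrefixListIds"] = [{"PrefixListId": prefix_list_id}]
    if group_id:
        pair = {"GroupId": group_id}
        if user_id:
            pair["UserId"] = user_id
        perm["UserIdGroupPairs"] = [pair]
    return perm


def port_range_ignored(perm):
    """True when the entry carries ports that the service will ignore, so the
    rule matches (or, when authorizing, opens) every port, not the range given."""
    proto = str(perm["IpProtocol"]).lower()
    return ("FromPort" in perm or "ToPort" in perm) and proto not in PORT_AWARE


def summarize_revoke_response(resp):
    """Extract what a caller must check from a Revoke* response. In a default VPC
    a non-matching rule does not raise: Return is True and the unmatched
    permissions come back in UnknownIpPermissions."""
    revoked = [r["SecurityGroupRuleId"] for r in resp.get("RevokedSecurityGroupRules", [])]
    unknown = resp.get("UnknownIpPermissions", [])
    return {"all_revoked": bool(resp.get("Return")) and not unknown,
            "revoked_rule_ids": revoked, "unknown": unknown}


def _target_present(perm, rule):
    """Does the aggregated describe entry `perm` still list the target of the flat `rule`?"""
    checks = (("CidrIpv4", "IpRanges", "CidrIp"),
              ("CidrIpv6", "Ipv6Ranges", "CidrIpv6"),
              ("PrefixListId", "PrefixListIds", "PrefixListId"),
              ("ReferencedGroupId", "UserIdGroupPairs", "GroupId"))
    for rule_key, perm_list, item_key in checks:
        if rule.get(rule_key):
            return any(item.get(item_key) == rule[rule_key] for item in perm.get(perm_list, []))
    return False


def rules_still_present(describe_resp, group_id, revoked_rules, egress):
    """Return the RevokedSecurityGroupRules entries that a DescribeSecurityGroups
    response still shows on `group_id`; an empty list means the revoke took effect."""
    key = "IpPermissionsEgress" if egress else "IpPermissions"
    groups = [g for g in describe_resp.get("SecurityGroups", []) if g.get("GroupId") == group_id]
    perms = [p for g in groups for p in g.get(key, [])]
    leftovers = []
    for rule in revoked_rules:
        for perm in perms:
            same_proto = str(perm.get("IpProtocol")) == str(rule.get("IpProtocol"))
            same_ports = (perm.get("FromPort"), perm.get("ToPort")) == (rule.get("FromPort"), rule.get("ToPort"))
            if same_proto and same_ports and _target_present(perm, rule):
                leftovers.append(rule)
                break
    return leftovers


# Constructed sample data (placeholder IDs, not from any real account).
SG = "sg-0123456789abcdef0"
REVOKE_RESPONSE = {
    "Return": True,
    # A rule the caller tried to revoke by properties that did not match anything.
    "UnknownIpPermissions": [permission("tcp", 22, 22, cidr_ip="10.0.0.0/8")],
    "RevokedSecurityGroupRules": [
        {"SecurityGroupRuleId": "sgr-0aaaaaaaaaaaaaaa1", "GroupId": SG, "IsEgress": True,
         "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0"},
    ],
}
# Describe result taken after the revoke: the 443 rule is gone, an all-protocol rule remains.
DESCRIBE_AFTER = {"SecurityGroups": [{"GroupId": SG, "IpPermissionsEgress": [
    permission("-1", cidr_ip="10.0.0.0/8"),
]}]}

if __name__ == "__main__":
    print(summarize_revoke_response(REVOKE_RESPONSE))
    print("still present:", rules_still_present(
        DESCRIBE_AFTER, SG, REVOKE_RESPONSE["RevokedSecurityGroupRules"], egress=True))
```

With a real client the same functions wrap the calls shown on this page: pass the entries from permission() as IpPermissions, feed the response to summarize_revoke_response(), and feed client.describe_security_groups(GroupIds=[...]) to rules_still_present(); a non-empty leftovers list or a non-empty "unknown" list means the change did not land as intended and should be treated as a finding, not silently ignored.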

RevokeSecurityGroupIngress (updated)
Changes (response)
{'RevokedSecurityGroupRules': [{'CidrIpv4': 'string',
                                'CidrIpv6': 'string',
                                'Description': 'string',
                                'FromPort': 'integer',
                                'GroupId': 'string',
                                'IpProtocol': 'string',
                                'IsEgress': 'boolean',
                                'PrefixListId': 'string',
                                'ReferencedGroupId': 'string',
                                'SecurityGroupRuleId': 'string',
                                'ToPort': 'integer'}]}

Removes the specified inbound (ingress) rules from a security group.

You can specify rules using either rule IDs or security group rule properties. If you use rule properties, the values that you specify (for example, ports) must match the existing rule's values exactly. Each rule has a protocol, from and to ports, and source (CIDR range, security group, or prefix list). For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not need to specify the description to revoke the rule.

For a default VPC, if the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.

For a non-default VPC, if the values you specify do not match the existing rule's values, an InvalidPermission.NotFound client error is returned, and no rules are revoked.

Amazon Web Services recommends that you describe the security group to verify that the rules were removed.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

See also: AWS API Documentation

Request Syntax

client.revoke_security_group_ingress(
    CidrIp='string',
    FromPort=123,
    GroupId='string',
    GroupName='string',
    IpPermissions=[
        {
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'UserIdGroupPairs': [
                {
                    'Description': 'string',
                    'UserId': 'string',
                    'GroupName': 'string',
                    'GroupId': 'string',
                    'VpcId': 'string',
                    'VpcPeeringConnectionId': 'string',
                    'PeeringStatus': 'string'
                },
            ],
            'IpRanges': [
                {
                    'Description': 'string',
                    'CidrIp': 'string'
                },
            ],
            'Ipv6Ranges': [
                {
                    'Description': 'string',
                    'CidrIpv6': 'string'
                },
            ],
            'PrefixListIds': [
                {
                    'Description': 'string',
                    'PrefixListId': 'string'
                },
            ]
        },
    ],
    IpProtocol='string',
    SourceSecurityGroupName='string',
    SourceSecurityGroupOwnerId='string',
    ToPort=123,
    SecurityGroupRuleIds=[
        'string',
    ],
    DryRun=True|False
)
type CidrIp

string

param CidrIp

The CIDR IP address range. You can't specify this parameter when specifying a source security group.

type FromPort

integer

param FromPort

If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP, this is the ICMP type or -1 (all ICMP types).

type GroupId

string

param GroupId

The ID of the security group.

type GroupName

string

param GroupName

[Default VPC] The name of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.

type IpPermissions

list

param IpPermissions

The sets of IP permissions. You can't specify a source security group and a CIDR IP address range in the same set of permissions.

  • (dict) --

    Describes the permissions for a security group rule.

    • IpProtocol (string) --

      The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

      Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

    • FromPort (integer) --

      If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

    • ToPort (integer) --

      If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

    • UserIdGroupPairs (list) --

      The security group and Amazon Web Services account ID pairs.

      • (dict) --

        Describes a security group and Amazon Web Services account ID pair.

        • Description (string) --

          A description for the security group rule that references this user ID group pair.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • UserId (string) --

          The ID of an Amazon Web Services account.

          For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

        • GroupName (string) --

          [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

          For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

        • GroupId (string) --

          The ID of the security group.

        • VpcId (string) --

          The ID of the VPC for the referenced security group, if applicable.

        • VpcPeeringConnectionId (string) --

          The ID of the VPC peering connection, if applicable.

        • PeeringStatus (string) --

          The status of a VPC peering connection, if applicable.

    • IpRanges (list) --

      The IPv4 address ranges.

      • (dict) --

        Describes an IPv4 address range.

        • Description (string) --

          A description for the security group rule that references this IPv4 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIp (string) --

          The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

    • Ipv6Ranges (list) --

      The IPv6 address ranges.

      • (dict) --

        Describes an IPv6 address range.

        • Description (string) --

          A description for the security group rule that references this IPv6 address range.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

        • CidrIpv6 (string) --

          The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

    • PrefixListIds (list) --

      The prefix list IDs.

      • (dict) --

        Describes a prefix list ID.

        • Description (string) --

          A description for the security group rule that references this prefix list ID.

          Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

        • PrefixListId (string) --

          The ID of the prefix.

type IpProtocol

string

param IpProtocol

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). Use -1 to specify all.

type SourceSecurityGroupName

string

param SourceSecurityGroupName

[Default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. The source security group must be in the same VPC. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.

type SourceSecurityGroupOwnerId

string

param SourceSecurityGroupOwnerId

Not supported.

type ToPort

integer

param ToPort

If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP, this is the ICMP code or -1 (all ICMP codes).

type SecurityGroupRuleIds

list

param SecurityGroupRuleIds

The IDs of the security group rules.

  • (string) --

type DryRun

boolean

param DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

rtype

dict

returns

Response Syntax

{
    'Return': True|False,
    'UnknownIpPermissions': [
        {
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'UserIdGroupPairs': [
                {
                    'Description': 'string',
                    'UserId': 'string',
                    'GroupName': 'string',
                    'GroupId': 'string',
                    'VpcId': 'string',
                    'VpcPeeringConnectionId': 'string',
                    'PeeringStatus': 'string'
                },
            ],
            'IpRanges': [
                {
                    'Description': 'string',
                    'CidrIp': 'string'
                },
            ],
            'Ipv6Ranges': [
                {
                    'Description': 'string',
                    'CidrIpv6': 'string'
                },
            ],
            'PrefixListIds': [
                {
                    'Description': 'string',
                    'PrefixListId': 'string'
                },
            ]
        },
    ],
    'RevokedSecurityGroupRules': [
        {
            'SecurityGroupRuleId': 'string',
            'GroupId': 'string',
            'IsEgress': True|False,
            'IpProtocol': 'string',
            'FromPort': 123,
            'ToPort': 123,
            'CidrIpv4': 'string',
            'CidrIpv6': 'string',
            'PrefixListId': 'string',
            'ReferencedGroupId': 'string',
            'Description': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Return (boolean) --

      Returns true if the request succeeds; otherwise, returns an error.

    • UnknownIpPermissions (list) --

The inbound rules that were unknown to the service, that is, the requested permissions that did not match an existing rule and were therefore not revoked. In some cases, unknownIpPermissionSet might be in a different format from the request parameter.

      • (dict) --

        Describes the permissions for a security group rule.

        • IpProtocol (string) --

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

          Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

        • FromPort (integer) --

          If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

        • ToPort (integer) --

          If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

        • UserIdGroupPairs (list) --

          The security group and Amazon Web Services account ID pairs.

          • (dict) --

            Describes a security group and Amazon Web Services account ID pair.

            • Description (string) --

              A description for the security group rule that references this user ID group pair.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

            • UserId (string) --

              The ID of an Amazon Web Services account.

              For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.

            • GroupName (string) --

              [Default VPC] The name of the security group. For a security group in a nondefault VPC, use the security group ID.

              For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

            • GroupId (string) --

              The ID of the security group.

            • VpcId (string) --

              The ID of the VPC for the referenced security group, if applicable.

            • VpcPeeringConnectionId (string) --

              The ID of the VPC peering connection, if applicable.

            • PeeringStatus (string) --

              The status of a VPC peering connection, if applicable.

        • IpRanges (list) --

          The IPv4 address ranges.

          • (dict) --

            Describes an IPv4 address range.

            • Description (string) --

              A description for the security group rule that references this IPv4 address range.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

            • CidrIp (string) --

              The IPv4 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

        • Ipv6Ranges (list) --

          The IPv6 address ranges.

          • (dict) --

            Describes an IPv6 address range.

            • Description (string) --

              A description for the security group rule that references this IPv6 address range.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*

            • CidrIpv6 (string) --

              The IPv6 address range. You can either specify a CIDR block or a source security group, not both. To specify a single IPv6 address, use the /128 prefix length.

        • PrefixListIds (list) --

          The prefix list IDs.

          • (dict) --

            Describes a prefix list ID.

            • Description (string) --

              A description for the security group rule that references this prefix list ID.

              Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

            • PrefixListId (string) --

The ID of the prefix list.

    • RevokedSecurityGroupRules (list) --

      Details about the revoked security group rules.

      • (dict) --

        A security group rule removed with RevokeSecurityGroupEgress or RevokeSecurityGroupIngress.

        • SecurityGroupRuleId (string) --

          A security group rule ID.

        • GroupId (string) --

          A security group ID.

        • IsEgress (boolean) --

Indicates whether the security group rule is an outbound (egress) rule.

        • IpProtocol (string) --

          The security group rule's protocol.

        • FromPort (integer) --

          The 'from' port number of the security group rule.

        • ToPort (integer) --

          The 'to' port number of the security group rule.

        • CidrIpv4 (string) --

          The IPv4 CIDR of the traffic source.

        • CidrIpv6 (string) --

          The IPv6 CIDR of the traffic source.

        • PrefixListId (string) --

          The ID of a prefix list that's the traffic source.

        • ReferencedGroupId (string) --

          The ID of a referenced security group.

        • Description (string) --

          A description of the revoked security group rule.
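Putting the parameters and the response together: the example below is added here and is not code from the AWS documentation or from boto3. It revokes inbound rules by SecurityGroupRuleIds (or by IpPermissions), uses DryRun to distinguish DryRunOperation from UnauthorizedOperation, and then audits the response rather than trusting Return alone: anything under UnknownIpPermissions did not match an existing rule and is still in force, and a requested rule ID that is absent from RevokedSecurityGroupRules was not removed. The group and rule IDs are made-up placeholders and SAMPLE_RESPONSE is a constructed response in the documented shape, not captured output.

```python
"""RevokeSecurityGroupIngress: revoke inbound rules and verify the result.

Added example; not from the AWS documentation or the boto3 project. The
security group and rule IDs are made-up placeholders, and SAMPLE_RESPONSE
is a constructed response in the documented shape, not captured output.
"""
from dataclasses import dataclass, field

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:           # the audit helpers below work without the SDK
    boto3 = None
    ClientError = Exception


def describe_permission(perm: dict) -> list:
    """Flatten one IpPermission into 'proto:ports <- source' strings.

    Follows the UnknownIpPermissions shape: protocol, optional port range,
    and one or more sources (IPv4/IPv6 CIDR, prefix list, referenced group).
    """
    proto = str(perm.get("IpProtocol", "-1"))
    if proto in ("icmp", "icmpv6"):
        ports = f"type={perm.get('FromPort', -1)}/code={perm.get('ToPort', -1)}"
    elif proto in ("tcp", "udp"):
        ports = f"{perm['FromPort']}-{perm['ToPort']}"
    else:
        ports = "all"  # -1 or a bare protocol number ignores any port range
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [r["PrefixListId"] for r in perm.get("PrefixListIds", [])]
    sources += [p.get("GroupId") or p.get("GroupName")
                for p in perm.get("UserIdGroupPairs", [])]
    return [f"{proto}:{ports} <- {src}" for src in sources]


@dataclass
class RevokeAudit:
    revoked: list = field(default_factory=list)      # rule IDs actually removed
    not_revoked: list = field(default_factory=list)  # requested IDs missing from the response
    unmatched: list = field(default_factory=list)    # UnknownIpPermissions, flattened

    @property
    def clean(self) -> bool:
        return not self.not_revoked and not self.unmatched


def audit_revocation(response: dict, requested_rule_ids=()) -> RevokeAudit:
    """Turn the response into an explicit pass/fail.

    Return=True only says the request was accepted. Anything listed under
    UnknownIpPermissions did not match an existing rule and is still in
    force; a requested rule ID absent from RevokedSecurityGroupRules was
    not removed either.
    """
    revoked = [r["SecurityGroupRuleId"]
               for r in response.get("RevokedSecurityGroupRules", [])]
    unmatched = []
    for perm in response.get("UnknownIpPermissions", []):
        unmatched.extend(describe_permission(perm))
    return RevokeAudit(
        revoked=revoked,
        not_revoked=[rid for rid in requested_rule_ids if rid not in revoked],
        unmatched=unmatched,
    )


def revoke_ingress(ec2, group_id, rule_ids=(), ip_permissions=(), dry_run=False):
    """Revoke by rule ID (preferred) and/or by IpPermissions, then audit.

    With dry_run=True boto3 raises ClientError: DryRunOperation means the
    caller is authorized and nothing was changed; UnauthorizedOperation
    (or any other code) is re-raised for the caller to handle.
    """
    kwargs = {"GroupId": group_id, "DryRun": dry_run}
    if rule_ids:
        kwargs["SecurityGroupRuleIds"] = list(rule_ids)
    if ip_permissions:
        kwargs["IpPermissions"] = list(ip_permissions)
    try:
        response = ec2.revoke_security_group_ingress(**kwargs)
    except ClientError as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "DryRunOperation":
            return RevokeAudit()           # permission check passed, no change made
        raise
    return audit_revocation(response, rule_ids)


# Constructed response: two rule IDs were requested but only one matched, and
# one IpPermissions entry (22/tcp from 0.0.0.0/0 and a referenced group) did
# not match an existing rule, so those sources are still allowed in.
SAMPLE_RESPONSE = {
    "Return": True,
    "RevokedSecurityGroupRules": [{
        "SecurityGroupRuleId": "sgr-0aaaaaaaaaaaaaaaa", "GroupId": "sg-0a1b2c3d4e5f67890",
        "IsEgress": False, "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "CidrIpv4": "203.0.113.0/24",
    }],
    "UnknownIpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "111122223333"}],
    }],
}

if __name__ == "__main__":
    audit = audit_revocation(SAMPLE_RESPONSE,
                             ["sgr-0aaaaaaaaaaaaaaaa", "sgr-0bbbbbbbbbbbbbbbb"])
    print("clean:", audit.clean)
    print("not revoked:", audit.not_revoked)
    print("unmatched (still in force):", audit.unmatched)
```

Against a real account, call revoke_ingress(boto3.client("ec2"), group_id, rule_ids, dry_run=True) first to confirm the caller is authorized, then repeat without dry_run and fail the change if the returned audit is not clean; an empty UnknownIpPermissions list and every requested rule ID present in RevokedSecurityGroupRules are the conditions that actually prove the exposure was removed.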