|
Amazon EC2 - Authorize security group |
Declaration
<AMAWSEC2 ACTIVITY="authorize_security_group" PROVIDER="session_based" SESSION="text" ACCESSKEY="text" SECRETKEY="text (encrypted)" USERAGENT="text" MAXERRORRETRY="number" SERVICEURL="text" PROXYHOST="text" PROXYPORT="number" PROXYUSER="text" PROXYPWD="text (encrypted)" SIGNMETHOD="text" SIGNVERSION="number" SECURITYGROUP="text" USERID="text" IPPROTOCOL="text (options)" CIDRIP="number" FROMPORT="number" TOPORT="number" SOURCEGROUP="text" SOURCEOWNERID="text" />
Description
Grants one or more CIDR (Classless Inter-Domain Routing) IP address ranges permission to access a security group in your account, or grants one or more security groups (also known as source groups) permission to access a security group in your account. A source group can be in your own AWS account or another.
Practical Usage
Typically used to permit security group access. A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an Amazon EC2 instance, you associate it with one or more security groups. You can add rules to each security group that control the inbound traffic allowed to reach the instances associated with the security group. All other inbound traffic is discarded. You can modify rules for a security group at any time. The new rules are automatically applied to all instances associated with the security group.
Parameters
Connection
Property | Type | Required | Default | Markup | Description |
---|---|---|---|---|---|
Connection | --- | --- | --- | --- | Indicates
where user credentials and preferences originate from.
This parameter does not contain markup and is only displayed in visual mode for task construction and configuration purposes. The available options
are:
|
Session | Text | Yes, if the connection is set to Session | EC2Session1 | SESSION="EC2Session1" | The name of an existing session to attach this activity to. This parameter is active only if the Connection parameter is set to Session. |
Access key | Text | Yes, if the connection is set to Host | (Empty) | ACCESSKEY="022QF06E7MXBSH9DHM02" | A 20-character alphanumeric string that uniquely identifies the owner of the AWS service account, similar to a username. This key along with a corresponding secret access key forms a secure information set that AWS uses to confirm a valid user's identity. This parameter is active only if the Connection parameter is set to Host. |
Secret access key | Text | Yes, if the connection is set to Host | (Empty) | SECRETKEY="kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct" | A 40-character string that serves the role as password to access the AWS service account. This along with an associated access key forms a secure information set that EC2 uses to confirm a valid user's identity. This parameter is active only if the Connection parameter is set to Host. |
User agent | Text | No | Automate | USERAGENT="Automate" | The name of the client or application initiating requests to AWS. The default value is 'Automate'. |
Maximum number of retries on error | Number | No | (Empty) | MAXERRORRETRY="4" | The total amount of instances this activity should retry the request before returning an error. Network components can generate errors anytime in the life of a request, thus, implementing retries can increase reliability. |
Service URL | Text | No | (Empty) | SERVICEURL="https://ec2.eu-west-1.amazonaws.com" | The URL that provides the service endpoint. To make the service call to a different region, you can pass the region-specific endpoint URL. For example, entering https://ec2.us-west-1.amazonaws.com points to US West (Northern California) region. A complete list of EC2 regions, accompanying endpoints and valid protocols can be found below under EC2 Regions and Endpoints. |
Proxy host | Text | No | (Empty) | PROXYHOST="proxy.host.com" | The host name (for example, server.domain.com) or IP address (for example, xxx.xxx.xxx.xxx) of the proxy server to use when connecting to AWS. |
Proxy port | Number | No | (Empty) | PROXYPORT="1028" | The port number to use to connect to the proxy server. |
Proxy username | Text | No | (Empty) | PROXYUSERNAME="Username" | The username to authenticate with the proxy server. |
Proxy password | Text | No | (Empty) | PROXYPWD="encrypted" | The password to authenticate with the proxy server. |
Signature method | Text | No | (Empty) | SIGNMETHOD="HmacSHA256" | The signature method to use for signing the request. This provides a valid hashing algorithm for signature calculation. Valid AWS signature methods are HmacSHA1 and HmacSHA256. |
Signature version | Number | No | (Empty) | SIGNVERSION="2" | The signature version for signing the request. Valid AWS signature versions are 2 and 4. The difference with version 4 is that it allows you to sign your message using a key that is derived from your secret access key rather than using the secret access key itself. |
Security Group
Property | Type | Required | Default | Markup | Description |
---|---|---|---|---|---|
Security group | Text | Yes | (Empty) | SECURITYGROUP="websrv" | The name of the security group to allow authorization. |
User ID | Number | Yes | (Empty) | USERID="495219933132" | The AWS account ID that owns the source security group. |
CIDR IP permission | --- | --- | --- | --- | If enabled, gives one or more CIDR IP address ranges permission to access a security group in your account. This parameter does not contain markup and is only displayed in visual mode for task construction and configuration purposes. |
IP protocol | Text (Options) | Yes | TCP |
|
The
IP Protocol. This parameter is available only if the CIDR
IP Permission parameter is enabled. The available options
are:
|
CIDR IP | Number | Yes | (Empty) | CIDRIP="209.223.157.0/24" | The CIDR IP address range to allow permission to the security group. This option is available only if the CIDR IP Permission option is selected. |
From port | Number | Yes | (Empty) | FROMPORT="80" | For the TCP or UDP protocols, this specifies the beginning port in a range of ports to allow. This parameter is available only if the CIDR IP Permission parameter is enabled. |
To port | Number | Yes | (Empty) | TOPORT="84" | For the TCP or UDP protocols, this specifies the end port in a range of ports to allow. This parameter is available only if the CIDR IP Permission parameter is enabled. |
User group/pair permission | --- | --- | --- | --- |
If enabled, gives one or more security groups permission to access a security group in your account. This parameter does not contain markup and is only displayed in visual mode for task construction and configuration purposes. |
Source security group name | Text | Yes | (Empty) | SOURCEGROUP="headoffice" | The name of the source security group. This parameter is available only if the User Group/Pair Permission parameter is enabled. |
Source security group owner ID | Number | Yes | (Empty) | SOURCEOWNERID="495219933132" | The AWS account ID that owns the source security group. This parameter is available only if the User Group/Pair Permission parameter is enabled. |
Additional Notes
EC2 Regions and Endpoints
This table contains a complete list of EC2 endpoints, accompanying regions and supported protocols.
Endpoint | Region | Protocol |
---|---|---|
ec2.us-east-1.amazonaws.com | US East (Northern Virginia) Region | HTTP and HTTPS |
ec2.us-west-2.amazonaws.com | US West (Oregon) Region | HTTP and HTTPS |
ec2.us-west-1.amazonaws.com | US West (Northern California) Region | HTTP and HTTPS |
ec2.eu-west-1.amazonaws.com | EU (Ireland) Region | HTTP and HTTPS |
ec2.ap-southeast-1.amazonaws.com | Asia Pacific (Singapore) Region | HTTP and HTTPS |
ec2.ap-southeast-2.amazonaws.com | Asia Pacific (Sydney) Region | HTTP and HTTPS |
ec2.ap-northeast-1.amazonaws.com | Asia Pacific (Tokyo) Region | HTTP and HTTPS |
ec2.sa-east-1.amazonaws.com | South America (Sao Paulo) Region | HTTP and HTTPS |
Examples
- The sample AML code below can be copied and pasted directly into the Steps Panel of the Task Builder.
- Parameters containing user credentials, files, file paths, and/or other information specific to the task must be customized before the sample code can run successfully.
Example 1
This sample task revokes CIRD IP permissions.
<AMAWSEC2 ACTIVITY="authorize_security_group" SECURITYGROUP="websrv" USERID="495219933132" CIDRIP="209.223.157.0/24" IPPROTOCOL="udp" FROMPORT="80" TOPORT="84" />
Example 2
This sample task revokes User Group/Pair permissions.
<AMAWSEC2 ACTIVITY="authorize_security_group" SECURITYGROUP="Websrvs" USERID="495219933132" SOURCEGROUP="headoffice" SOURCEOWNERID="495219933132" />