Amazon EC2 - Authorize Security Group

Declaration

<AMAWSEC2 ACTIVITY="authorize_security_group" 
SECURITYGROUP="text" 
USERID="number" SOURCEGROUP="text" 
SOURCEOWNERID="number" 
ACCESSKEY="text" SECRETKEY="text (encrypted)" 
SERVICEURL="text" PROXYHOST="text" USERAGENT="text" 
PROXYPORT="number" PROXYUSER="text" 
PROXYPWD="text (encrypted)" MAXERRORRETRY="number" 
SIGNMETHOD="text" 
SIGNVERSION="number" />

Description: Grants one or more CIDR (Classless Inter-Domain Routing) IP address ranges permission to access a security group in your account, or grants one or more security groups (also known as source groups) permission to access a security group in your account. A source group can be in your own AWS account or another.  

IMPORTANT: The AWS EC2 activities are performed using Amazon's EC2 engine, therefore, launching and administering Amazon EC2 instances requires a valid Access Key ID and Secret Access Key.

Practical Usage

Typically used to permit security group access. A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an Amazon EC2 instance, you associate it with one or more security groups. You can add rules to each security group that control the inbound traffic allowed to reach the instances associated with the security group. All other inbound traffic is discarded. You can modify rules for a security group at any time. The new rules are automatically applied to all instances associated with the security group.

Connection Parameters

Property

Type

Required

Default

Markup

Description

Connection

 

 

 

 

Indicates where user credentials and preferences should originate from. This is a design mode parameter used only during task construction and configuration, thus, comprises no markup. The available options are:

  • Host (default) - Specifies that user credentials and/or advanced preferences are configured individually for this activity. Normally chosen if only a single activity is required to complete an operation.

  • Session - Specifies that user credentials and/or advanced preferences are obtained from a pre-configured session created in an earlier step with the use of the EC2 - Create session activity. Normally chosen if a combination of activities within the same action group are required. Linking several activities to a single session eliminates redundancy and improves efficiency. Several sessions can exist in a single task. Multiple sessions can run simultaneously without interference.

Session

Text

Yes if connection is session-based

EC2Session1

SESSION="EC2Session1"

The name of an existing session to attach this activity to. This parameter is active only if the Connection parameter is set to Session.

Access key

Text

Yes if connection is host-based

(Empty)

ACCESSKEY=

"022QF06E7MXBSH9DHM02"

A 20-character alphanumeric string that uniquely identifies the owner of the AWS service account, similar to a username. This key along with a corresponding secret access key forms a secure information set that AWS uses to confirm a valid user's identity. This parameter is active only if the Connection parameter is set to Host.

Secret Access key

Text

Yes if connection is host-based

(Empty)

SECRETKEY=

"kWcrlUX5JEDGM/LtmEENI/

aVmYvHNif5zB+d9+ct"

A 40-character string that serves the role as password to access the AWS service account. This along with an associated access key forms a secure information set that EC2 uses to confirm a valid user's identity. This parameter is active only if the Connection parameter is set to Host.

User agent

Text

No

AutoMate

USERAGENT="AutoMate"

The name of the client or application initiating requests to AWS. The default value is 'AutoMate'. 

Service URL

Text

No

(Empty)

SERVICEURL=

"https://ec2.eu-west-1.amazonaws.com"

The URL that provides the service endpoint. To make the service call to a different region, you can pass the region-specific endpoint URL. For example, entering  https://ec2.us-west-1.amazonaws.com points to US West (Northern California) region. A complete list of EC2 regions, accompanying endpoints and valid protocols can be found below under EC2 Regions and Endpoints.

Maximum retry on error

Number

No

(Empty)

MAXERRORRETRY="4"

The total amount of instances this activity should retry the request before returning an error. Network components can generate errors anytime in the life of a request, thus, implementing retries can increase reliability. 

Proxy host

Text

No

(Empty)

  1. PROXYHOST="proxy.host.com"

  2. PROXYHOST="193.118.431.52"

The host name (e.g., server.domain.com) or IP address (e.g., xxx.xxx.xxx.xx) of the proxy server to use when connecting to AWS.  

Proxy port

Number

No

(Empty)

PROXYPORT="1028"

The port that should be used to connect to the proxy server.

Signature method

Text

No

(Empty)

SIGNMETHOD="HmacSHA256"

The signature method to use for signing the request. This provides a valid hashing algorithm for signature calculation. Valid AWS signature methods are HmacSHA1 and HmacSHA256.

Signature version

Number

No

(Empty)

SIGNVERSION="2"

The signature version for signing the request. Valid AWS signature versions are 2 and 4. The difference with version 4 is that it allows you to sign your message using a key that is derived from your secret access key rather than using the secret access key itself.

Security Group Parameters

Property

Type

Required

Default

Markup

Description

Security group

Text

Yes

(Empty)

SECURITYGROUP="websrv"

The name of the security group to allow authorization.

User ID

Number

Yes

(Empty)

USERID="495219933132"

The AWS account ID that owns the source security group.

CIDR IP permission

 

 

 

 

If enabled, gives one or more CIDR IP address ranges permission to access a security group in your account. This is a design-time parameter used interactively during task construction, thus, contains no markups.

IP protocol

Text (Options)

Yes

tcp

  1. IPPROTOCOL="tcp"

  2. IPPROTOCOL="udp"

  3. IPPROTOCOL="icmp"

 

The IP Protocol. This parameter is available only if the CIDR IP Permission parameter is enabled. The available options are:

  • TCP

  • UDP

  • ICMP

CIDR IP

Number

Yes

(Empty)

CIDRIP="209.223.157.0/24"

The CIDR IP address range to allow permission to the security group. This option is available only if the CIDR IP Permission option is selected.

From port

Number

Yes

(Empty)

FROMPORT="80"

For the TCP or UDP protocols, this specifies the beginning port in a range of ports to allow. This parameter is available only if the CIDR IP Permission parameter is enabled.

To port

Number

Yes

(Empty)

TOPORT="84"

For the TCP or UDP protocols, this specifies the end port in a range of ports to allow. This parameter is available only if the CIDR IP Permission parameter is enabled.

User group/pair permission

 

 

 

 

If enabled, gives one or more security groups permission to access a security group in your account. This is a design-time parameter used interactively during task construction, thus, contains no markups.

Source security group name

Text

Yes

(Empty)

SOURCEGROUP="headoffice"

The name of the source security group. This parameter is available only if the User Group/Pair Permission parameter is enabled.

Source security group owner ID

Number

Yes

(Empty)

SOURCEOWNERID=

"495219933132"

The AWS account ID that owns the source security group. This parameter is available only if the User Group/Pair Permission parameter is enabled.

Description tab - A custom description can be provided on the Description tab to convey additional information or share special notes about a task step.

Error Causes tab - Specify how this step should behave upon the occurrence of an error. (Refer to Task Builder > Error Causes Tab for details.)

On Error tab - Specify what AWE should do if this step encounters an error as defined on the Error Causes tab. (Refer to Task Builder > On Error Tab for details.)

EC2 Regions and Endpoints

This table contains a complete list of EC2 endpoints, accompanying regions and supported protocols.

Endpoint

Region

Protocol

ec2.us-east-1.amazonaws.com

US East (Northern Virginia) Region

HTTP and HTTPS

ec2.us-west-2.amazonaws.com

US West (Oregon) Region

HTTP and HTTPS

ec2.us-west-1.amazonaws.com  

US West (Northern California) Region

HTTP and HTTPS

ec2.eu-west-1.amazonaws.com

EU (Ireland) Region

HTTP and HTTPS

ec2.ap-southeast-1.amazonaws.com

Asia Pacific (Singapore) Region

HTTP and HTTPS

ec2.ap-southeast-2.amazonaws.com

Asia Pacific (Sydney) Region

HTTP and HTTPS

ec2.ap-northeast-1.amazonaws.com

Asia Pacific (Tokyo) Region

HTTP and HTTPS

ec2.sa-east-1.amazonaws.com  

South America (Sao Paulo) Region

HTTP and HTTPS

Examples

The sample AML code below can be copied and pasted directly into the Steps panel of the Task Builder.

Sample 1: Revoke CIRD IP Permission

<AMAWSEC2 ACTIVITY="authorize_security_group" SECURITYGROUP="websrv" 
USERID="495219933132" CIDRIP="209.223.157.0/24" 
IPPROTOCOL="udp" FROMPORT="80" TOPORT="84" />

Sample 2: Revoke User Group/Pair Permission

<AMAWSEC2 ACTIVITY="authorize_security_group" SECURITYGROUP="Websrvs" 
USERID="495219933132" SOURCEGROUP="headoffice" 
SOURCEOWNERID="495219933132" />