Working with Security Groups in Amazon EC2

This Python example shows you how to:

  • Get information about your security groups
  • Create a security group to access an Amazon EC2 instance
  • Delete an existing security group

The Scenario

An Amazon EC2 security group acts as a virtual firewall that controls the traffic for one or more instances. You add rules to each security group to allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

In this example, Python code is used to perform several Amazon EC2 operations involving security groups. The code uses the AWS SDK for Python to manage security groups using these methods of the EC2 client class:

  • describe_security_groups
  • create_security_group
  • authorize_security_group_ingress
  • delete_security_group

For more information about Amazon EC2 security groups, see Amazon EC2 Security Groups for Linux Instances in the Amazon EC2 User Guide for Linux Instances or Amazon EC2 Security Groups for Windows Instances in the Amazon EC2 User Guide for Windows Instances.

All the example code for the Amazon Web Services (AWS) SDK for Python is available on GitHub.

Prerequisite Tasks

To set up and run this example, you must first configure your AWS credentials, as described in Quickstart.

Describe Security Groups

Describe one or more of your security groups.

A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. EC2-Classic was retired in 2022, so security groups you create today are always scoped to a VPC, which is why the create example passes a VpcId. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

The example below shows how to:

  • Describe a single security group by its ID

Example

import boto3
from botocore.exceptions import ClientError

# Region and credentials come from the environment or the shared AWS
# config files (see Prerequisite Tasks)
ec2 = boto3.client('ec2')

# Describe one security group by ID. Replace SECURITY_GROUP_ID with a real
# ID (for example sg-0123456789abcdef0); omit GroupIds to list every group
# in the region.
try:
    response = ec2.describe_security_groups(GroupIds=['SECURITY_GROUP_ID'])
    # Each entry in response['SecurityGroups'] carries GroupId, GroupName,
    # VpcId and the IpPermissions / IpPermissionsEgress rule lists
    print(response)
except ClientError as e:
    # InvalidGroup.NotFound is returned when the ID does not exist in this region
    print(e)
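Printing the raw response is rarely what you want from describe_security_groups; the practical use of this data is to audit it. The following added example (not part of the original page or of the AWS SDK samples) walks the response structure and reports every ingress rule that exposes a sensitive port, or all traffic, to 0.0.0.0/0 or ::/0. The SAMPLE_RESPONSE dictionary is constructed here in the shape the API returns and is not real account data; the port list and group IDs are assumptions chosen for illustration. The live scan under the main guard uses the SDK's paginator for describe_security_groups.

```python
# Ports whose exposure to the whole internet is almost never intended
# (assumed list; extend it for your environment)
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP/UDP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols and all ports
        return True
    if proto not in ("tcp", "udp"):         # for ICMP, From/ToPort are type/code
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_world_open_ingress(response, ports=SENSITIVE_PORTS):
    """Scan a describe_security_groups response for ingress rules that open a
    sensitive port (or all traffic) to 0.0.0.0/0 or ::/0.

    Returns a list of (group_id, group_name, port_label, cidr) tuples in the
    order the rules appear.
    """
    findings = []
    for group in response.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if c in WORLD_CIDRS]
            if not world:
                continue
            if perm.get("IpProtocol") == "-1":
                hits = ["all traffic"]
            else:
                hits = [str(p) for p in sorted(ports) if _rule_covers_port(perm, p)]
            for cidr in world:
                for label in hits:
                    findings.append((group["GroupId"], group["GroupName"], label, cidr))
    return findings


# Constructed sample in the shape describe_security_groups returns (not real data)
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "GroupName": "web", "VpcId": "vpc-0111",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0bbb", "GroupName": "bastion", "VpcId": "vpc-0111",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0ccc", "GroupName": "legacy", "VpcId": "vpc-0111",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    ]
}


if __name__ == "__main__":
    # Offline run over the constructed sample
    for gid, name, port, cidr in find_world_open_ingress(SAMPLE_RESPONSE):
        print(f"{gid} ({name}): {port} open to {cidr}")

    # Live run: describe_security_groups is paginated, so walk every page
    import boto3
    ec2 = boto3.client("ec2")
    for page in ec2.get_paginator("describe_security_groups").paginate():
        for gid, name, port, cidr in find_world_open_ingress(page):
            print(f"{gid} ({name}): {port} open to {cidr}")
```

On the sample, the HTTP rule in sg-0aaa is not reported because port 80 is not in the sensitive list, the SSH rule in sg-0aaa is reported, the bastion group's SSH rule restricted to 203.0.113.0/24 is not, and the legacy group's "all traffic from ::/0" rule is flagged regardless of port.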

Create a Security Group and Rules

  • Create a security group.

  • Add one or more ingress rules to a security group.

    Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

    Security group rules are allow rules only; there is no way to deny traffic, so least privilege means opening exactly the ports that are needed to exactly the source ranges that need them. A source of 0.0.0.0/0 (or ::/0 for IPv6) admits the entire internet. The example below uses it for both HTTP and SSH to keep the code short; in anything beyond a throwaway test, restrict port 22 to a known administrative range.

The example below shows how to:

  • Create a security group in a VPC
  • Add ingress rules for HTTP and SSH to that group

Example

import boto3
from botocore.exceptions import ClientError

ec2 = boto3.client('ec2')

# Pick a VPC for the new group. This takes the first VPC the API returns,
# which is arbitrary when the account has several; in real code pass the
# intended VPC ID explicitly.
response = ec2.describe_vpcs()
vpc_id = response.get('Vpcs', [{}])[0].get('VpcId', '')

try:
    # GroupName must be unique within the VPC; neither the name nor the
    # description can be changed after creation
    response = ec2.create_security_group(GroupName='SECURITY_GROUP_NAME',
                                         Description='DESCRIPTION',
                                         VpcId=vpc_id)
    security_group_id = response['GroupId']
    print('Security Group Created %s in vpc %s.' % (security_group_id, vpc_id))

    # Allow HTTP and SSH from any IPv4 address. 0.0.0.0/0 is the whole
    # internet; for port 22 replace it with your administrative range
    # (for example 203.0.113.0/24) outside of a throwaway test.
    data = ec2.authorize_security_group_ingress(
        GroupId=security_group_id,
        IpPermissions=[
            {'IpProtocol': 'tcp',
             'FromPort': 80,
             'ToPort': 80,
             'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
            {'IpProtocol': 'tcp',
             'FromPort': 22,
             'ToPort': 22,
             'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}
        ])
    print('Ingress Successfully Set %s' % data)
except ClientError as e:
    # e.g. InvalidGroup.Duplicate when the name is already taken in this VPC,
    # or InvalidPermission.Duplicate when a rule already exists
    print(e)
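The example above is not safe to rerun (a second run fails on InvalidGroup.Duplicate) and nothing stops a typo from opening SSH to the world. The following added example, which is not part of the original page or of the AWS SDK samples, builds each ingress rule through a validating helper and then creates or reuses the group idempotently. The helper uses the standard ipaddress module to reject malformed CIDRs and refuses to open an administrative port to 0.0.0.0/0 or ::/0 unless the caller opts in explicitly; the rule Description field it fills is the real optional field of IpRanges and Ipv6Ranges. The group name, VPC ID and the office range 203.0.113.0/24 under the main guard are placeholders, and ensure_security_group is a hypothetical name for the wrapper, not an SDK method.

```python
import ipaddress

# Ports that should never be world-reachable without a deliberate decision (assumed list)
ADMIN_PORTS = {22, 3389}


def ingress_permission(port, cidr, description, allow_world=False):
    """Build one IpPermissions entry for a single TCP port.

    Raises ValueError for a malformed CIDR (including host bits set, e.g.
    203.0.113.5/24) and for 0.0.0.0/0 or ::/0 on an administrative port
    unless allow_world=True, so a world-open SSH rule cannot be built by accident.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0 and port in ADMIN_PORTS and not allow_world:
        raise ValueError(f"refusing to open port {port} to {cidr}")
    range_key = "IpRanges" if net.version == 4 else "Ipv6Ranges"
    cidr_key = "CidrIp" if net.version == 4 else "CidrIpv6"
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        range_key: [{cidr_key: str(net), "Description": description}],
    }


def ensure_security_group(ec2, name, description, vpc_id, permissions):
    """Create the group if it does not exist, then apply the rules; safe to rerun."""
    from botocore.exceptions import ClientError  # imported here so the pure helper above needs no SDK

    try:
        group_id = ec2.create_security_group(
            GroupName=name, Description=description, VpcId=vpc_id)["GroupId"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "InvalidGroup.Duplicate":
            raise
        # Already exists: look it up by name within the VPC
        found = ec2.describe_security_groups(Filters=[
            {"Name": "group-name", "Values": [name]},
            {"Name": "vpc-id", "Values": [vpc_id]},
        ])["SecurityGroups"]
        group_id = found[0]["GroupId"]

    # Authorize one rule per call: the API rejects an entire request if any
    # rule in it already exists, which would block new rules on a rerun
    for perm in permissions:
        try:
            ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[perm])
        except ClientError as e:
            if e.response["Error"]["Code"] != "InvalidPermission.Duplicate":
                raise
    return group_id


if __name__ == "__main__":
    import boto3
    rules = [
        ingress_permission(80, "0.0.0.0/0", "public HTTP"),
        ingress_permission(22, "203.0.113.0/24", "SSH from office (placeholder range)"),
    ]
    gid = ensure_security_group(boto3.client("ec2"), "SECURITY_GROUP_NAME",
                                "DESCRIPTION", "VPC_ID", rules)
    print("security group", gid, "is in place")
```

Because every rule carries a Description, the next person reading describe_security_groups output sees why each source range was allowed, which is what makes a later audit of the group meaningful.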

Delete a Security Group

If you attempt to delete a security group that is associated with an instance, or is referenced by another security group, the operation fails with InvalidGroup.InUse in EC2-Classic or DependencyViolation in EC2-VPC.

Before deleting a group, detach it from the network interfaces that use it (or terminate the instances) and remove the rules in other groups that reference it; otherwise the call fails as described above.

The example below shows how to:

  • Delete a security group by its ID

Example

import boto3
from botocore.exceptions import ClientError

# Create EC2 client
ec2 = boto3.client('ec2')

# Delete security group. Replace SECURITY_GROUP_ID with the ID of a group
# that no network interface uses and no other group references.
try:
    response = ec2.delete_security_group(GroupId='SECURITY_GROUP_ID')
    print('Security Group Deleted')
except ClientError as e:
    # DependencyViolation: still attached to an interface or referenced by another group
    print(e)
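When delete_security_group fails with DependencyViolation, the error does not say what the dependency is. The following added example, which is not part of the original page or of the AWS SDK samples, finds the two kinds of dependency before deleting: network interfaces that still carry the group (via the group-id filter of describe_network_interfaces) and other groups whose rules reference it through UserIdGroupPairs. Rule references never disappear on their own, so the function gives up when it finds any; interface attachments do go away as instances terminate, so it retries the delete with backoff. The SAMPLE_GROUPS list is constructed here in the shape of the SecurityGroups field and is not real account data; delete_security_group_safely is a hypothetical wrapper name, not an SDK method.

```python
import time


def referencing_groups(groups, target_id):
    """Return the IDs of groups (other than target_id itself) whose ingress
    or egress rules reference target_id through UserIdGroupPairs.

    `groups` is the SecurityGroups list from describe_security_groups.
    """
    refs = set()
    for group in groups:
        if group["GroupId"] == target_id:
            continue  # a group's own self-referencing rule is not another group's dependency
        rules = group.get("IpPermissions", []) + group.get("IpPermissionsEgress", [])
        for perm in rules:
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == target_id:
                    refs.add(group["GroupId"])
    return sorted(refs)


def delete_security_group_safely(ec2, group_id, attempts=5):
    """Report what still depends on group_id, then delete it.

    Returns True when the group is gone, False when rule references remain
    or the interface attachments did not clear within the retry budget.
    """
    from botocore.exceptions import ClientError  # imported here so the pure helper above needs no SDK

    # Network interfaces (instances, load balancers, Lambda ENIs, ...) still using the group
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "group-id", "Values": [group_id]}])["NetworkInterfaces"]
    for eni in enis:
        owner = eni.get("Attachment", {}).get("InstanceId") or eni.get("Description", "?")
        print(f"{group_id} is still used by {eni['NetworkInterfaceId']} ({owner})")

    # Other groups in the region whose rules point at this group
    all_groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        all_groups.extend(page["SecurityGroups"])
    refs = referencing_groups(all_groups, group_id)
    for ref in refs:
        print(f"{group_id} is referenced by rules in {ref}; remove them first")
    if refs:
        return False

    for attempt in range(attempts):
        try:
            ec2.delete_security_group(GroupId=group_id)
            print(f"deleted {group_id}")
            return True
        except ClientError as e:
            if e.response["Error"]["Code"] != "DependencyViolation":
                raise
            time.sleep(2 ** attempt)  # 1, 2, 4, 8, 16 s while interfaces detach
    return False


# Constructed sample: sg-0bbb (ingress) and sg-0ccc (egress) both reference sg-0aaa,
# sg-0ccc also references sg-0bbb, and sg-0aaa references itself
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0bbb", "GroupName": "app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [],
                              "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
]


if __name__ == "__main__":
    print("groups referencing sg-0aaa:", referencing_groups(SAMPLE_GROUPS, "sg-0aaa"))
    import boto3
    delete_security_group_safely(boto3.client("ec2"), "SECURITY_GROUP_ID")
```

Egress rules are scanned as well as ingress because a reference from either direction blocks deletion; the self-reference on sg-0aaa is ignored since it is removed together with the group.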