This Python example shows you how to:
An Amazon EC2 security group acts as a virtual firewall that controls the traffic for one or more instances. You add rules to each security group to allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
In this example, Python code is used to perform several Amazon EC2 operations involving security groups. The code uses the AWS SDK for Python to manage IAM access keys using these methods of the EC2 client class:
For more information about the Amazon EC2 security groups, see Amazon EC2 Amazon Security Groups for Linux Instances in the Amazon EC2 User Guide for Linux Instances or Amazon EC2 Security Groups for Windows Instances in the Amazon EC2 User Guide for Windows Instances.
All the example code for the Amazon Web Services (AWS) SDK for Python is available here on GitHub.
To set up and run this example, you must first configure your AWS credentials, as described in Quickstart.
Describe one or more of your security groups.
A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.
The example below shows how to:
import boto3
from botocore.exceptions import ClientError
ec2 = boto3.client('ec2')
try:
response = ec2.describe_security_groups(GroupIds=['SECURITY_GROUP_ID'])
print(response)
except ClientError as e:
print(e)
Create a security group.
Add one or more ingress rules to a security group.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
The example below shows how to:
import boto3
from botocore.exceptions import ClientError
ec2 = boto3.client('ec2')
response = ec2.describe_vpcs()
vpc_id = response.get('Vpcs', [{}])[0].get('VpcId', '')
try:
response = ec2.create_security_group(GroupName='SECURITY_GROUP_NAME',
Description='DESCRIPTION',
VpcId=vpc_id)
security_group_id = response['GroupId']
print('Security Group Created %s in vpc %s.' % (security_group_id, vpc_id))
data = ec2.authorize_security_group_ingress(
GroupId=security_group_id,
IpPermissions=[
{'IpProtocol': 'tcp',
'FromPort': 80,
'ToPort': 80,
'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
{'IpProtocol': 'tcp',
'FromPort': 22,
'ToPort': 22,
'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}
])
print('Ingress Successfully Set %s' % data)
except ClientError as e:
print(e)
If you attempt to delete a security group that is associated with an instance, or is referenced by another security group, the operation fails with InvalidGroup.InUse in EC2-Classic or DependencyViolation in EC2-VPC.
The example below shows how to:
import boto3
from botocore.exceptions import ClientError
# Create EC2 client
ec2 = boto3.client('ec2')
# Delete security group
try:
response = ec2.delete_security_group(GroupId='SECURITY_GROUP_ID')
print('Security Group Deleted')
except ClientError as e:
print(e)