security_group_egresses
Creates, updates, deletes or gets a security_group_egress resource or lists security_group_egresses in a region
Overview
| Name | security_group_egresses |
| Type | Resource |
| Description | Adds the specified outbound (egress) rule to a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html). You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. |
| Id | awscc.ec2.security_group_egresses |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
cidr_ip | string | The IPv4 address range, in CIDR format.<br />You must specify exactly one of the following: ``CidrIp``, ``CidrIpv6``, ``DestinationPrefixListId``, or ``DestinationSecurityGroupId``.<br />For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *User Guide*. |
cidr_ipv6 | string | The IPv6 address range, in CIDR format.<br />You must specify exactly one of the following: ``CidrIp``, ``CidrIpv6``, ``DestinationPrefixListId``, or ``DestinationSecurityGroupId``.<br />For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *User Guide*. |
description | string | The description of an egress (outbound) security group rule.<br />Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$* |
from_port | integer | If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types). |
to_port | integer | If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes). |
ip_protocol | string | The IP protocol name (``tcp``, ``udp``, ``icmp``, ``icmpv6``) or number (see [Protocol Numbers](https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)).<br />Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp``, ``udp``, ``icmp``, or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp``, ``udp``, and ``icmp``, you must specify a port range. For ``icmpv6``, the port range is optional; if you omit the port range, traffic for all types and codes is allowed. |
destination_security_group_id | string | The ID of the security group.<br />You must specify exactly one of the following: ``CidrIp``, ``CidrIpv6``, ``DestinationPrefixListId``, or ``DestinationSecurityGroupId``. |
id | string | |
destination_prefix_list_id | string | The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group.<br />You must specify exactly one of the following: ``CidrIp``, ``CidrIpv6``, ``DestinationPrefixListId``, or ``DestinationSecurityGroupId``. |
group_id | string | The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
id | string | |
region | string | AWS region. |
For more information, see AWS::EC2::SecurityGroupEgress.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | security_group_egresses | INSERT | IpProtocol, GroupId, region |
delete_resource | security_group_egresses | DELETE | Identifier, region |
update_resource | security_group_egresses | UPDATE | Identifier, PatchDocument, region |
list_resources | security_group_egresses_list_only | SELECT | region |
get_resource | security_group_egresses | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual security_group_egress.
SELECT
region,
cidr_ip,
cidr_ipv6,
description,
from_port,
to_port,
ip_protocol,
destination_security_group_id,
id,
destination_prefix_list_id,
group_id
FROM awscc.ec2.security_group_egresses
WHERE
region = 'us-east-1' AND
Identifier = '{{ id }}';
Lists all security_group_egresses in a region.
SELECT
region,
id
FROM awscc.ec2.security_group_egresses_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new security_group_egress resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.ec2.security_group_egresses (
IpProtocol,
GroupId,
region
)
SELECT
'{{ ip_protocol }}',
'{{ group_id }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.ec2.security_group_egresses (
CidrIp,
CidrIpv6,
Description,
FromPort,
ToPort,
IpProtocol,
DestinationSecurityGroupId,
DestinationPrefixListId,
GroupId,
region
)
SELECT
'{{ cidr_ip }}',
'{{ cidr_ipv6 }}',
'{{ description }}',
'{{ from_port }}',
'{{ to_port }}',
'{{ ip_protocol }}',
'{{ destination_security_group_id }}',
'{{ destination_prefix_list_id }}',
'{{ group_id }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: security_group_egress
props:
- name: cidr_ip
value: '{{ cidr_ip }}'
- name: cidr_ipv6
value: '{{ cidr_ipv6 }}'
- name: description
value: '{{ description }}'
- name: from_port
value: '{{ from_port }}'
- name: to_port
value: '{{ to_port }}'
- name: ip_protocol
value: '{{ ip_protocol }}'
- name: destination_security_group_id
value: '{{ destination_security_group_id }}'
- name: destination_prefix_list_id
value: '{{ destination_prefix_list_id }}'
- name: group_id
value: '{{ group_id }}'
UPDATE example
Use the following StackQL query and manifest file to update a security_group_egress resource, using stack-deploy.
/*+ update */
UPDATE awscc.ec2.security_group_egresses
SET PatchDocument = string('{{ {
"Description": description
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ id }}';
DELETE example
/*+ delete */
DELETE FROM awscc.ec2.security_group_egresses
WHERE
Identifier = '{{ id }}' AND
region = 'us-east-1';
Permissions
To operate on the security_group_egresses resource, the following permissions are required:
- Read
- Create
- Update
- List
- Delete
ec2:DescribeSecurityGroupRules
ec2:AuthorizeSecurityGroupEgress,
ec2:RevokeSecurityGroupEgress,
ec2:DescribeSecurityGroupRules
ec2:UpdateSecurityGroupRuleDescriptionsEgress
ec2:DescribeSecurityGroupRules
ec2:RevokeSecurityGroupEgress,
ec2:DescribeSecurityGroupRules