software.amazon.awscdk.services.ec2

Class SecurityGroup

java.lang.Object

software.amazon.jsii.JsiiObject

software.constructs.Construct

software.amazon.awscdk.Resource

software.amazon.awscdk.services.ec2.SecurityGroup

All Implemented Interfaces:

IResource, IConnectable, IPeer, ISecurityGroup, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.30.0 (build adae23f)",
           date="2021-06-30T10:01:06.672Z")
 @Stability(value=Experimental)
public class SecurityGroup
extends Resource
implements ISecurityGroup

(experimental) Creates an Amazon EC2 security group within a VPC.

Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)

If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.

All Constructs that require Security Groups will create one for you if you don't specify one at construction. After construction, you can selectively allow connections to and between constructs via--for example-- the instance.connections object. Think of it as "allowing connections to your instance", rather than "adding ingress rules a security group". See the Allowing Connections section in the library documentation for examples.

Direct manipulation of the Security Group through addIngressRule and addEgressRule is possible, but mutation through the .connections object is recommended. If you peer two constructs with security groups this way, appropriate rules will be created in both.

If you have an existing security group you want to use in your CDK application, you would import it like this:

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object securityGroup = SecurityGroup.fromSecurityGroupId(this, "SG", "sg-12345", Map.of(
         "mutable", false));
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	SecurityGroup.Builder (experimental) A fluent builder for SecurityGroup.

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Nested classes/interfaces inherited from interface software.amazon.awscdk.services.ec2.ISecurityGroup

ISecurityGroup.Jsii$Default, ISecurityGroup.Jsii$Proxy

Constructor Summary

Constructors

Modifier	Constructor and Description
	SecurityGroup(software.constructs.Construct scope, String id, SecurityGroupProps props)
protected	SecurityGroup(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	SecurityGroup(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Modifier and Type	Method and Description
void	addEgressRule(IPeer peer, Port connection) (experimental) Add an egress rule for the current security group.
void	addEgressRule(IPeer peer, Port connection, String description) (experimental) Add an egress rule for the current security group.
void	addEgressRule(IPeer peer, Port connection, String description, Boolean remoteRule) (experimental) Add an egress rule for the current security group.
void	addIngressRule(IPeer peer, Port connection) (experimental) Add an ingress rule for the current security group.
void	addIngressRule(IPeer peer, Port connection, String description) (experimental) Add an ingress rule for the current security group.
void	addIngressRule(IPeer peer, Port connection, String description, Boolean remoteRule) (experimental) Add an ingress rule for the current security group.
static ISecurityGroup	fromLookup(software.constructs.Construct scope, String id, String securityGroupId) (experimental) Look up a security group by id.
static ISecurityGroup	fromSecurityGroupId(software.constructs.Construct scope, String id, String securityGroupId) (experimental) Import an existing security group into this app.
static ISecurityGroup	fromSecurityGroupId(software.constructs.Construct scope, String id, String securityGroupId, SecurityGroupImportOptions options) (experimental) Import an existing security group into this app.
Boolean	getAllowAllOutbound() (experimental) Whether the SecurityGroup has been configured to allow all outbound traffic.
Boolean	getCanInlineRule() (experimental) Whether the rule can be inlined into a SecurityGroup or not.
Connections	getConnections()
Port	getDefaultPort()
String	getSecurityGroupId() (experimental) The ID of the security group.
String	getSecurityGroupName() (experimental) An attribute that represents the security group name.
String	getSecurityGroupVpcId() (experimental) The VPC ID this security group is part of.
String	getUniqueId() (experimental) A unique identifier for this connection peer.
static Boolean	isSecurityGroup(Object x) (experimental) Return whether the indicated object is a security group.
Object	toEgressRuleConfig() (experimental) Produce the egress rule JSON for the given connection.
Object	toIngressRuleConfig() (experimental) Produce the ingress rule JSON for the given connection.

Methods inherited from class software.amazon.awscdk.Resource

applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource

Methods inherited from class software.constructs.Construct

getNode, isConstruct, toString

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.amazon.awscdk.IResource

getEnv, getStack

Methods inherited from interface software.constructs.IConstruct

getNode

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Constructor Detail

SecurityGroup

protected SecurityGroup(software.amazon.jsii.JsiiObjectRef objRef)

SecurityGroup

protected SecurityGroup(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

SecurityGroup

@Stability(value=Experimental)
public SecurityGroup(@NotNull
                                                    software.constructs.Construct scope,
                                                    @NotNull
                                                    String id,
                                                    @NotNull
                                                    SecurityGroupProps props)

Parameters:

scope - This parameter is required.

id - This parameter is required.

props - This parameter is required.

Method Detail

fromLookup

@Stability(value=Experimental)
 @NotNull
public static ISecurityGroup fromLookup(@NotNull
                                                                                 software.constructs.Construct scope,
                                                                                 @NotNull
                                                                                 String id,
                                                                                 @NotNull
                                                                                 String securityGroupId)

(experimental) Look up a security group by id.

Parameters:

scope - This parameter is required.

id - This parameter is required.

securityGroupId - This parameter is required.

fromSecurityGroupId

@Stability(value=Experimental)
 @NotNull
public static ISecurityGroup fromSecurityGroupId(@NotNull
                                                                                          software.constructs.Construct scope,
                                                                                          @NotNull
                                                                                          String id,
                                                                                          @NotNull
                                                                                          String securityGroupId,
                                                                                          @Nullable
                                                                                          SecurityGroupImportOptions options)

(experimental) Import an existing security group into this app.

This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).

If your existing Security Group needs to have egress rules added, pass the allowAllOutbound: false option on import.

Parameters:

scope - This parameter is required.

id - This parameter is required.

securityGroupId - This parameter is required.

options -

fromSecurityGroupId

@Stability(value=Experimental)
 @NotNull
public static ISecurityGroup fromSecurityGroupId(@NotNull
                                                                                          software.constructs.Construct scope,
                                                                                          @NotNull
                                                                                          String id,
                                                                                          @NotNull
                                                                                          String securityGroupId)

(experimental) Import an existing security group into this app.

This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).

If your existing Security Group needs to have egress rules added, pass the allowAllOutbound: false option on import.

Parameters:

scope - This parameter is required.

id - This parameter is required.

securityGroupId - This parameter is required.

isSecurityGroup

@Stability(value=Experimental)
 @NotNull
public static Boolean isSecurityGroup(@NotNull
                                                                               Object x)

(experimental) Return whether the indicated object is a security group.

Parameters:

x - This parameter is required.

addEgressRule

@Stability(value=Experimental)
public void addEgressRule(@NotNull
                                                         IPeer peer,
                                                         @NotNull
                                                         Port connection,
                                                         @Nullable
                                                         String description,
                                                         @Nullable
                                                         Boolean remoteRule)

(experimental) Add an egress rule for the current security group.

remoteRule controls where the Rule object is created if the peer is also a securityGroup and they are in different stack. If false (default) the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

Specified by:

addEgressRule in interface ISecurityGroup

Parameters:

peer - This parameter is required.

connection - This parameter is required.

description -

remoteRule -

addEgressRule

@Stability(value=Experimental)
public void addEgressRule(@NotNull
                                                         IPeer peer,
                                                         @NotNull
                                                         Port connection,
                                                         @Nullable
                                                         String description)

(experimental) Add an egress rule for the current security group.

remoteRule controls where the Rule object is created if the peer is also a securityGroup and they are in different stack. If false (default) the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

Specified by:

addEgressRule in interface ISecurityGroup

Parameters:

peer - This parameter is required.

connection - This parameter is required.

description -

addEgressRule

@Stability(value=Experimental)
public void addEgressRule(@NotNull
                                                         IPeer peer,
                                                         @NotNull
                                                         Port connection)

(experimental) Add an egress rule for the current security group.

remoteRule controls where the Rule object is created if the peer is also a securityGroup and they are in different stack. If false (default) the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

Specified by:

addEgressRule in interface ISecurityGroup

Parameters:

peer - This parameter is required.

connection - This parameter is required.

addIngressRule

@Stability(value=Experimental)
public void addIngressRule(@NotNull
                                                          IPeer peer,
                                                          @NotNull
                                                          Port connection,
                                                          @Nullable
                                                          String description,
                                                          @Nullable
                                                          Boolean remoteRule)

(experimental) Add an ingress rule for the current security group.

remoteRule controls where the Rule object is created if the peer is also a securityGroup and they are in different stack. If false (default) the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

Specified by:

addIngressRule in interface ISecurityGroup

Parameters:

peer - This parameter is required.

connection - This parameter is required.

description -

remoteRule -

addIngressRule

@Stability(value=Experimental)
public void addIngressRule(@NotNull
                                                          IPeer peer,
                                                          @NotNull
                                                          Port connection,
                                                          @Nullable
                                                          String description)

(experimental) Add an ingress rule for the current security group.

remoteRule controls where the Rule object is created if the peer is also a securityGroup and they are in different stack. If false (default) the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

Specified by:

addIngressRule in interface ISecurityGroup

Parameters:

peer - This parameter is required.

connection - This parameter is required.

description -

addIngressRule

@Stability(value=Experimental)
public void addIngressRule(@NotNull
                                                          IPeer peer,
                                                          @NotNull
                                                          Port connection)

(experimental) Add an ingress rule for the current security group.

remoteRule controls where the Rule object is created if the peer is also a securityGroup and they are in different stack. If false (default) the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

Specified by:

addIngressRule in interface ISecurityGroup

Parameters:

peer - This parameter is required.

connection - This parameter is required.

toEgressRuleConfig

@Stability(value=Experimental)
 @NotNull
public Object toEgressRuleConfig()

(experimental) Produce the egress rule JSON for the given connection.

Specified by:

toEgressRuleConfig in interface IPeer

toIngressRuleConfig

@Stability(value=Experimental)
 @NotNull
public Object toIngressRuleConfig()

(experimental) Produce the ingress rule JSON for the given connection.

Specified by:

toIngressRuleConfig in interface IPeer

getAllowAllOutbound

@Stability(value=Experimental)
 @NotNull
public Boolean getAllowAllOutbound()

(experimental) Whether the SecurityGroup has been configured to allow all outbound traffic.

Specified by:

getAllowAllOutbound in interface ISecurityGroup

getCanInlineRule

@Stability(value=Experimental)
 @NotNull
public Boolean getCanInlineRule()

(experimental) Whether the rule can be inlined into a SecurityGroup or not.

Specified by:

getCanInlineRule in interface IPeer

getConnections

@Stability(value=Experimental)
 @NotNull
public Connections getConnections()

Specified by:

getConnections in interface IConnectable

getSecurityGroupId

@Stability(value=Experimental)
 @NotNull
public String getSecurityGroupId()

(experimental) The ID of the security group.

Specified by:

getSecurityGroupId in interface ISecurityGroup

getSecurityGroupName

@Stability(value=Experimental)
 @NotNull
public String getSecurityGroupName()

(experimental) An attribute that represents the security group name.

getSecurityGroupVpcId

@Stability(value=Experimental)
 @NotNull
public String getSecurityGroupVpcId()

(experimental) The VPC ID this security group is part of.

getUniqueId

@Stability(value=Experimental)
 @NotNull
public String getUniqueId()

(experimental) A unique identifier for this connection peer.

Specified by:

getUniqueId in interface IPeer

getDefaultPort

@Stability(value=Experimental)
 @Nullable
public Port getDefaultPort()