With the below CloudFormation template I'm able to SSH into the EC2 instance.
PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
    SecurityGroupEgress:
      - IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
PublicEc2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId:
      Ref: ImageId
    InstanceType:
      Ref: InstanceType
    KeyName:
      Ref: KeyName
    SecurityGroupIds:
      - Fn::GetAtt:
          - PublicSecurityGroup
          - GroupId
    SubnetId:
      Ref: PublicSubnet
    Tags:
      - Key: Name
        Value: PublicEc2Instance
When I change the SecurityGroup definition to the below structure:
PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
PublicOutboundRule1:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    SourceSecurityGroupId: !Ref PublicSecurityGroup
    IpProtocol: "-1"
    FromPort: 0
    ToPort: 65535
PublicInboundRule1:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    SourceSecurityGroupId: !Ref PublicSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22
I'm not able to SSH into the EC2 instance any more.
Why does externalizing the SecurityGroupEgress and SecurityGroupIngress blocks block SSH access to the EC2 instance?
Thank you!
You restricted traffic in your ingress rule down to the PublicSecurityGroup in this line:
    SourceSecurityGroupId: !Ref PublicSecurityGroup
Instead of SourceSecurityGroupId, specify a CIDR block like the one you used in the upper YAML snippet:
PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
PublicOutboundRule1:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    IpProtocol: "-1"
    FromPort: 0
    ToPort: 65535
    CidrIp: 0.0.0.0/0
PublicInboundRule1:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: 0.0.0.0/0
Notice that I removed SourceSecurityGroupId from your Egress rule too, because Egress rules do not expect sources, they expect destinations (other SGs, CIDR blocks), because they are, well, egress :).
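The difference between the two ingress forms can be checked offline. The script below is an added illustration, not code from the question, the answer, or AWS: it represents the three security-group variants from this page as plain Python dicts (with `!Ref` written as `{"Ref": ...}`), collects every ingress rule attached to a group whether it is inline or a standalone `AWS::EC2::SecurityGroupIngress` resource, and decides whether a given caller is admitted. A `CidrIp` rule matches on the caller's address; a `SourceSecurityGroupId` rule matches only on the security groups the caller's network interface belongs to, which is why a self-referencing rule never admits an SSH client on the internet. The client addresses and the narrower admin range `198.51.100.0/24` are constructed sample values; the `cidr_fix` helper goes one step beyond the answer by taking the CIDR as a parameter so the world-open and restricted variants can be compared.

```python
"""Decide who can reach a port on a CloudFormation security group (added example)."""
from ipaddress import ip_address, ip_network


def _ref(value):
    """Return the logical id behind {"Ref": id} / {"Fn::GetAtt": [id, attr]}, else the literal."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return value


def ingress_rules(template, group_id):
    """Collect every ingress rule attached to group_id, whether written inline under
    SecurityGroupIngress or as a standalone AWS::EC2::SecurityGroupIngress resource."""
    resources = template["Resources"]
    rules = []
    group = resources.get(group_id, {})
    if group.get("Type") == "AWS::EC2::SecurityGroup":
        rules.extend(group["Properties"].get("SecurityGroupIngress", []))
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress" and _ref(props.get("GroupId")) == group_id:
            rules.append(props)
    return rules


def admits(rule, port, protocol, source_ip, source_groups):
    """True when one ingress rule lets source_ip (whose interface is a member of the
    security groups in source_groups) reach protocol/port.
    IpProtocol "-1" matches every protocol and ignores the port range."""
    proto = str(rule.get("IpProtocol"))
    if proto != "-1":
        if proto != protocol:
            return False
        if not int(rule["FromPort"]) <= port <= int(rule["ToPort"]):
            return False
    if "CidrIp" in rule:
        return ip_address(source_ip) in ip_network(rule["CidrIp"])
    if "SourceSecurityGroupId" in rule:
        # A group-sourced rule matches on the sender's group membership, never on its
        # address, so a client outside the VPC can never satisfy it.
        return _ref(rule["SourceSecurityGroupId"]) in source_groups
    return False


def reachable(template, group_id, port, source_ip, source_groups=frozenset(), protocol="tcp"):
    """True when any ingress rule on group_id admits the caller."""
    return any(admits(r, port, protocol, source_ip, source_groups)
               for r in ingress_rules(template, group_id))


# Constructed dict forms of the page's snippets (instance resource omitted, not needed here).
_GROUP = {"Type": "AWS::EC2::SecurityGroup",
          "Properties": {"GroupName": "PublicSecurityGroup",
                         "GroupDescription": "Public Security Group",
                         "VpcId": {"Ref": "Vpc"}}}
_SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}

# Variant 1 (question): inline ingress with CidrIp 0.0.0.0/0.
INLINE = {"Resources": {"PublicSecurityGroup": {
    "Type": _GROUP["Type"],
    "Properties": {**_GROUP["Properties"],
                   "SecurityGroupIngress": [{**_SSH, "CidrIp": "0.0.0.0/0"}]}}}}

# Variant 2 (question): standalone ingress whose source is the group itself.
SELF_REF = {"Resources": {
    "PublicSecurityGroup": _GROUP,
    "PublicInboundRule1": {"Type": "AWS::EC2::SecurityGroupIngress",
                           "Properties": {**_SSH, "GroupId": {"Ref": "PublicSecurityGroup"},
                                          "SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"}}}}}


def cidr_fix(cidr):
    """Variant 3 (answer): standalone ingress with CidrIp. The answer uses 0.0.0.0/0;
    passing an admin range instead (constructed sample: 198.51.100.0/24) keeps SSH
    reachable for operators while closing it to everyone else."""
    return {"Resources": {
        "PublicSecurityGroup": _GROUP,
        "PublicInboundRule1": {"Type": "AWS::EC2::SecurityGroupIngress",
                               "Properties": {**_SSH, "GroupId": {"Ref": "PublicSecurityGroup"},
                                              "CidrIp": cidr}}}}


if __name__ == "__main__":
    laptop = "203.0.113.10"  # constructed external client address
    for name, tpl in [("inline", INLINE), ("self-ref", SELF_REF),
                      ("cidr 0.0.0.0/0", cidr_fix("0.0.0.0/0")),
                      ("cidr admin range", cidr_fix("198.51.100.0/24"))]:
        print(f"{name:18} SSH from {laptop}: {reachable(tpl, 'PublicSecurityGroup', 22, laptop)}")
```

Running it shows the inline and 0.0.0.0/0 variants admitting the external client, the self-referencing variant rejecting it (it admits only instances that are themselves in PublicSecurityGroup), and the admin-range variant admitting only addresses inside that range.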