AWS AWSEC2 documentation change
Summary
Restructured documentation with expanded CLI/PowerShell examples for modifying security groups, including adding/removing rules and modifying existing rules. Added concrete command syntax for security group operations.
Security assessment
The changes improve documentation for security group management (fundamental security controls), but there's no evidence of addressing a specific vulnerability. The additions demonstrate security feature usage rather than patching a security issue.
Diff
diff --git a/AWSEC2/latest/UserGuide/changing-security-group.md b/AWSEC2/latest/UserGuide/changing-security-group.md index 30aa148e4..8e121ef42 100644 --- a//AWSEC2/latest/UserGuide/changing-security-group.md +++ b//AWSEC2/latest/UserGuide/changing-security-group.md @@ -35 +35,4 @@ After you launch an instance, you can add or remove security groups from the lis -###### To change the security groups for an instance using the console +Console + + +###### To change the security groups for an instance @@ -52 +55,6 @@ To remove an already associated security group, choose **Remove** for that secur -###### To change the security groups for an instance using the command line +AWS CLI + + +###### To change the security groups for an instance + +Use the following [modify-instance-attribute](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-attribute.html) command. @@ -54 +61,0 @@ To remove an already associated security group, choose **Remove** for that secur - * [modify-instance-attribute](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-attribute.html) (AWS CLI) @@ -56 +63,3 @@ To remove an already associated security group, choose **Remove** for that secur - * [Edit-EC2InstanceAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceAttribute.html) (AWS Tools for Windows PowerShell) + aws ec2 modify-instance-attribute \ + --instance-id i-1234567890abcdef0 \ + --groups sg-1234567890abcdef0 @@ -57,0 +67 @@ To remove an already associated security group, choose **Remove** for that secur +PowerShell @@ -59,0 +70,8 @@ To remove an already associated security group, choose **Remove** for that secur +###### To change the security groups for an instance + +Use the following [Edit-EC2InstanceAttribute](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceAttribute.html) cmdlet. + + + Edit-EC2InstanceAttribute ` + -InstanceId i-1234567890abcdef0 ` + -Group sg-1234567890abcdef0 @@ -86 +104,4 @@ If you add inbound rules for ports 22 (SSH) or 3389 (RDP), we strongly recommend -###### To configure security group rules using the console +Console + + +###### To configure security group rules @@ -119 +140,59 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC -###### To configure security group rules using the AWS CLI +AWS CLI + + +###### To add security group rules + +Use the [authorize-security-group-ingress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html) command to add inbound rules. The following example allows inbound SSH traffic from the CIDR blocks in the specified prefix list. + + + aws ec2 authorize-security-group-ingress \ + --group-id sg-1234567890abcdef0 \ + --ip-permissions 'IpProtocol=tcp,FromPort=22,ToPort=22,PrefixListIds=[{PrefixListId=pl-f8a6439156EXAMPLE}]' + +Use the [authorize-security-group-egress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-egress.html) command to add outbound rules. The following example allows outbound TCP traffic on port 80 to instances with the specified security group. + + + aws ec2 authorize-security-group-egress \ + --group-id sg-1234567890abcdef0 \ + --ip-permissions 'IpProtocol=tcp,FromPort=80,ToPort=80,UserIdGroupPairs=[{GroupId=sg-0aad1c26bb6EXAMPLE}]' + +###### To remove security group rules + +Use the following [revoke-security-group-ingress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html) command to remove an inbound rule. + + + aws ec2 revoke-security-group-egress \ + --group id sg-1234567890abcdef0 \ + --security-group-rule-ids sgr-09ed298024EXAMPLE + +Use the following [revoke-security-group-egress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-egress.html) command to remove an outbound rule. + + + aws ec2 revoke-security-group-ingress \ + --group id sg-1234567890abcdef0 \ + --security-group-rule-ids sgr-0352250c1aEXAMPLE + +###### To modify security group rules + +Use the [modify-security-group-rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-security-group-rules.html) command. The following example changes the IPv4 CIDR block of the specified security group rule. + + + aws ec2 modify-security-group-rules \ + --group id sg-1234567890abcdef0 \ + --security-group-rules 'SecurityGroupRuleId=sgr-09ed298024EXAMPLE,SecurityGroupRule={IpProtocol=tcp,FromPort=80,ToPort=80,CidrIpv4=0.0.0.0/0}' + +PowerShell + + +###### To add security group rules + +Use the [Grant-EC2SecurityGroupIngress](https://docs.aws.amazon.com/powershell/latest/reference/items/Grant-EC2SecurityGroupIngress.html) cmdlet to add inbound rules. The following example allows inbound SSH traffic from the CIDR blocks in the specified prefix list. + + + $plid = New-Object -TypeName Amazon.EC2.Model.PrefixListId + $plid.Id = "pl-f8a6439156EXAMPLE" + Grant-EC2SecurityGroupIngress ` + -GroupId sg-1234567890abcdef0 ` + -IpPermission @{IpProtocol="tcp"; FromPort=22; ToPort=22; PrefixListIds=$plid} + +Use the [Grant-EC2SecurityGroupEgress](https://docs.aws.amazon.com/powershell/latest/reference/items/Grant-EC2SecurityGroupEgress.html) cmdlet to add outbound rules. The following example allows outbound TCP traffic on port 80 to instances with the specified security group. @@ -121 +199,0 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC - * Add – Use the [authorize-security-group-ingress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html) and [authorize-security-group-egress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-egress.html) commands. @@ -123 +201,5 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC - * Remove – Use the [revoke-security-group-ingress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html) and [revoke-security-group-egress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-egress.html) commands. + $uigp = New-Object -TypeName Amazon.EC2.Model.UserIdGroupPair + $uigp.GroupId = "sg-0aad1c26bb6EXAMPLE" + Grant-EC2SecurityGroupEgress ` + -GroupId sg-1234567890abcdef0 ` + -IpPermission @{IpProtocol="tcp"; FromPort=80; ToPort=80; UserIdGroupPairs=$uigp} @@ -125 +207 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC - * Modify – Use the [modify-security-group-rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-security-group-rules.html), [update-security-group-rule-descriptions-ingress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/update-security-group-rule-descriptions-ingress.html), and [update-security-group-rule-descriptions-egress](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/update-security-group-rule-descriptions-egress.html)commands. +###### To remove security group rules @@ -126,0 +209 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC +Use the following [Revoke-EC2SecurityGroupIngress](https://docs.aws.amazon.com/powershell/latest/reference/items/Revoke-EC2SecurityGroupIngress.html) cmdlet to remove inbound rules. @@ -128,0 +212,3 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC + Revoke-EC2SecurityGroupIngress ` + -GroupId sg-1234567890abcdef0 ` + -SecurityGroupRuleId sgr-09ed298024EXAMPLE @@ -130 +216 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC -###### To configure security group rules using the Tools for Windows PowerShell +Use the following [Revoke-EC2SecurityGroupEgress](https://docs.aws.amazon.com/powershell/latest/reference/items/Revoke-EC2SecurityGroupEgress.html) cmdlet to remove outbound rules. @@ -132 +217,0 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC - * Add – Use [Grant-EC2SecurityGroupIngress](https://docs.aws.amazon.com/powershell/latest/reference/items/Grant-EC2SecurityGroupIngress.html) and [Grant-EC2SecurityGroupEgress](https://docs.aws.amazon.com/powershell/latest/reference/items/Grant-EC2SecurityGroupEgress.html). @@ -134 +219,3 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC - * Remove – Use [Revoke-EC2SecurityGroupIngress](https://docs.aws.amazon.com/powershell/latest/reference/items/Revoke-EC2SecurityGroupIngress.html) and [Revoke-EC2SecurityGroupEgress](https://docs.aws.amazon.com/powershell/latest/reference/items/Revoke-EC2SecurityGroupEgress.html). + Revoke-EC2SecurityGroupEgress ` + -GroupId sg-1234567890abcdef0 ` + -SecurityGroupRuleId sgr-0352250c1aEXAMPLE @@ -136 +223 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC - * Modify – Use [Edit-EC2SecurityGroupRule](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SecurityGroupRule.html), [Update-EC2SecurityGroupRuleIngressDescription](https://docs.aws.amazon.com/powershell/latest/reference/items/Update-EC2SecurityGroupRuleIngressDescription.html), and [Update-EC2SecurityGroupRuleEgressDescription](https://docs.aws.amazon.com/powershell/latest/reference/items/Update-EC2SecurityGroupRuleEgressDescription.html). +###### To modify security group rules @@ -137,0 +225 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC +Use the following [Edit-EC2SecurityGroupRule](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2SecurityGroupRule.html) cmdlet. The following example changes the IPv4 CIDR block of the specified security group rule. @@ -139,0 +228,11 @@ If the type is TCP or UDP, you must enter the port range to allow. For custom IC + $sgrr = New-Object -TypeName Amazon.EC2.Model.SecurityGroupRuleRequest + $sgrr.IpProtocol = "tcp" + $sgrr.FromPort = 80 + $sgrr.ToPort = 80 + $sgrr.CidrIpv4 = "0.0.0.0/0" + $sgr = New-Object -TypeName Amazon.EC2.Model.SecurityGroupRuleUpdate + $sgr.SecurityGroupRuleId = "sgr-09ed298024EXAMPLE" + $sgr.SecurityGroupRule = $sgrr + Edit-EC2SecurityGroupRule ` + -GroupId sg-1234567890abcdef0 ` + -SecurityGroupRule $sgr