Security_Group_Operations for the Amazon EC2 REST adapter

The following topic describes the adapter request and response for the Security_Group_Operations.

Authorize Security Group Ingress operation

The Authorize Security Group Ingress operation enables you to add permissions for a security group in Amazon EC2.

The following figure shows the sample <items> XML element for the Authorize Security Group Ingress operation.

Sample <items> XML element for the Authorize Security Group Ingress operation

<items>
    <item>
        <parameters>
            <group-name></group-name>
            <ip-permissions>
                <!-Zero or more repetition->
                <item>
                    <ip-protocol></ip-protocol>
                    <from-port></from-port>
                    <to-port></to-port>
                    <groups>
                        <!-Zero or more repetition->
                        <item>
                            <user-id></user-id>
                            <group-name></group-name>
                        </item>
                    </groups>
                    <ip-ranges>
                        <!-Zero or more repetition->
                        <item>
                            <cidr-ip></cidr-ip>
                        </item>
                    </ip-ranges>
                </item>
            </ip-permissions>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for the Authorize Security Group Ingress operation.

Adapter request elements for the Authorize Security Group Ingress operation

Element	Definition	Required
`<access-key>`	Specifies the Amazon Web Services (AWS) access key You need to generate the AWS access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Access Key is specified, the adapter ignores the value.
`<secret-key>`	Specifies the AWS secret access key You need to generate the AWS secret access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Secret Access Key is specified, the adapter ignores the value.
`<region>`	Specifies the region with which you want the adapter to communicate Amazon EC2 is hosted in multiple locations world-wide. You must specify the region in which you want the adapter to perform the actions. Valid values: us-east-1 us-west-2 (default) us-west-1 eu-west-1 ap-southeast-1 ap-northeast-1 ap-southeast-2 sa-east-1	No
`<operation-name>`	Contains the name of the operation: authorize-security-group-ingress	Yes
`<user-id>`	Specifies the user ID for the Amazon EC2 account	No
`<group-name>`	Specifies the name of the security group to modify The security group name must be valid and must belong to your Amazon EC2 account.	Yes
`<ip-permissions>`	Specifies the set of permissions for the security group The `<ip-permissions>` element has the following child elements: `<ip-protocol>` `<from-port>` `<to-port>` `<groups>` `<ip-ranges>`	Yes
`<ip-protocol>`	Specifies the protocol to be used to revoke permissions from the specified security group Valid values: tcp, udp, icmp	Yes
`<from-port>`	Specifies the start of the port range for the TCP and UDP protocols, or an ICMP type number A value of -1 indicates a wild card (any ICMP code).	Yes
`<to-port>`	Specifies the end of the port range for the TCP and UDP protocols, or an ICMP type number A value of -1 indicates a wild card (any ICMP code).	Yes
`<groups>`	Specifies the list of security group and user-id pairs This element cannot be used to specify a CIDR IP address.	Yes
`<ip-ranges>`	Specifies the list of CIDR IP ranges	Yes

The following figure shows a sample adapter request for the Authorize Security Group Ingress operation.

Sample adapter request for the Authorize Security Group Ingress operation

<amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41*******************ED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>authorize-security-group-ingress</operation-name>
    <parameters>
      <group-name>bmc1</group-name>
      <ip-permissions>
        <item>
          <ip-protocol>icmp</ip-protocol>
          <from-port>-1</from-port>
          <to-port>-1</to-port>
          <groups>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-17</group-name>
            </item>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-11</group-name>
            </item>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-4</group-name>
            </item>
          </groups>
          <ip-ranges />
        </item>
        <item>
          <ip-protocol>tcp</ip-protocol>
          <from-port>0</from-port>
          <to-port>22</to-port>
          <groups>
            <item>
              <user-id />
              <group-name />
            </item>
          </groups>
          <ip-ranges>
            <item>
              <cidr-ip>10.20.0.0/16</cidr-ip>
            </item>
          </ip-ranges>
        </item>
      </ip-permissions>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the response for the sample adapter request for the Authorize Security Group Ingress operation.

Sample adapter response for the Authorize Security Group Ingress operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <AuthorizeSecurityGroupIngressResponse>
    <return>true</return>
  </AuthorizeSecurityGroupIngressResponse>
</amazon-ec2-rest-response>

Back to top

Create Security Group operation

The Create Security Group operation enables you to create a new security group. The security group name must be unique for each Amazon EC2 account.

The following figure shows the sample <items> XML element for the Create Security Group operation.

Sample <items> XML element for the Create Security Group operation

 <items>
    <item>
        <parameters>
            <group-name></group-name>
      	  <group-description></group-description>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for this request.

Adapter request elements for the Create Security Group operation

Element	Definition	Required
`<access-key>`	Specifies the Amazon Web Services (AWS) access key You need to generate the AWS access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Access Key is specified, the adapter ignores the value.
`<secret-key>`	Specifies the AWS secret access key You need to generate the AWS secret access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Secret Access Key is specified, the adapter ignores the value.
`<region>`	Specifies the region with which you want the adapter to communicate Amazon EC2 is hosted in multiple locations world-wide. You must specify the region in which you want the adapter to perform the actions. Valid values: us-east-1 us-west-2 (default) us-west-1 eu-west-1 ap-southeast-1 ap-northeast-1 ap-southeast-2 sa-east-1	No
`<operation-name>`	Contains the name of the operation: create-security-group	Yes
`<group-name>`	Specifies the name of the security group Valid values: alphanumeric characters, spaces, dashes, underscores	Yes
`<group-description>`	Specifies the description for the security group Valid values: alphanumeric characters, spaces, dashes, underscores	Yes
`<vpc-id>`	Specifies the ID for the amazon web services Virtual Private Cloud in which you want to create the security_group	Yes

The following figure shows a sample adapter request for the Create Security Group operation.

Sample adapter request for the Create Security Group operation

<amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41***************FZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>create-security-group</operation-name>
    <parameters>
      <group-name>bmc2</group-name>
      <group-description>bmc2</group-description>
    </parameters>
  </amazon-ec2-rest-request>

The following figure shows the sample adapter response for the Create Security Group operation.

Sample adapter response for the Create Security Group operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <CreateSecurityGroupResponse>
    <groupId>sg-827944b2</groupId>
    <return>true</return>
  </CreateSecurityGroupResponse>
</amazon-ec2-rest-response>

Back to top

Delete Security Group operation

The Delete Security Group operation enables you to delete a security group that you own.

The following figure shows a sample <items> XML element for the Delete Security Group operation.

Sample <items> XML element for the Delete Security Group operation

<items>
    <item>
        <parameters>
            <group-name></group-name>
        </parameters>
    </item>
</items>

The following table describes the adapter request elements for this request.

Adapter request elements for the Delete Security Group operation

Element	Definition	Required
`<access-key>`	Specifies the Amazon Web Services (AWS) access key You need to generate the AWS access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Access Key is specified, the adapter ignores the value.
`<secret-key>`	Specifies the AWS secret access key You need to generate the AWS secret access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Secret Access Key is specified, the adapter ignores the value.
`<region>`	Specifies the region with which you want the adapter to communicate Amazon EC2 is hosted in multiple locations world-wide. You must specify the region in which you want the adapter to perform the actions. Valid values: us-east-1 us-west-2 (default) us-west-1 eu-west-1 ap-southeast-1 ap-northeast-1 ap-southeast-2 sa-east-1	No
`<operation-name>`	Contains the name of the operation: delete-security-group	Yes
`<group-name>`	Specifies the name of the security group that you want to delete	Yes

The following figure shows the sample adapter request for the Delete Security Group operation.

Sample adapter request for the Delete Security Group operation

 <amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41***************FZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>delete-security-group</operation-name>
    <parameters>
      <group-name>bmc3</group-name>
    </parameters>
  </amazon-ec2-rest-request>
</request-data>

The following figure shows the sample adapter response for the Delete Security Group operation.

Sample adapter response for the Delete Security Group operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <DeleteSecurityGroupResponse>
    <return>true</return>
  </DeleteSecurityGroupResponse>
</amazon-ec2-rest-response>

Back to top

Describe Security Groups operation

The Describe Security Groups operations retrieves information about the security groups that you own.

The following figure shows the sample <items> XML element for the Describe Security Groups operation.

Sample <items> XML element for the Describe Security Groups operation

<items>
    <item>
        <parameters>
            <security-group-set>
                <!--Zero or more repetitions:-->
                <item>
                    <group-name></group-name>
                </item>
            </security-group-set>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for this request.

Adapter request elements for the Describe Security Groups operation

Element	Definition	Required
`<access-key>`	Specifies the Amazon Web Services (AWS) access key You need to generate the AWS access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Access Key is specified, the adapter ignores the value.
`<secret-key>`	Specifies the AWS secret access key You need to generate the AWS secret access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Secret Access Key is specified, the adapter ignores the value.
`<region>`	Specifies the region with which you want the adapter to communicate Amazon EC2 is hosted in multiple locations world-wide. You must specify the region in which you want the adapter to perform the actions. Valid values: us-east-1 us-west-2 (default) us-west-1 eu-west-1 ap-southeast-1 ap-northeast-1 ap-southeast-2 sa-east-1	No
`<operation-name>`	Contains the name of the operation: describe-security-group	Yes
`<security-group-set>`	Specifies the set of security groups containing the name of the security groups to be described	Yes

The following figure shows a sample adapter request for the Describe Security Groups operation.

Sample adapter request for the Describe Security Groups operation

<amazon-ec2-rest-request>
    <access-key>AKIAI*********HQTRA</access-key>
    <secret-key>7Z8wlSJ41***************FZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>describe-security-groups</operation-name>
    <parameters>
      <security-group-set>
        <item>
          <group-name>bmc1</group-name>
        </item>
        <item>
          <group-name>bmc2</group-name>
        </item>
      </security-group-set>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the response for the sample adapter response for the Describe Security Groups operation.

Sample adapter response for the Describe Security Groups operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <DescribeSecurityGroupsResponse>
    <securityGroupInfo>
      <item>
        <ownerId>246495073671</ownerId>
        <groupId>sg-827944b2</groupId>
        <groupName>bmc2</groupName>
        <groupDescription>bmc2</groupDescription>
        <ipPermissions />
      </item>
      <item>
        <ownerId>246495073671</ownerId>
        <groupId>sg-a87e4398</groupId>
        <groupName>bmc1</groupName>
        <groupDescription>bmc1</groupDescription>
        <ipPermissions>
          <item>
            <ipProtocol>tcp</ipProtocol>
            <fromPort>0</fromPort>
            <toPort>65535</toPort>
            <groups />
            <ipRanges>
              <item>
                <cidrIp>0.0.0.0/0</cidrIp>
              </item>
            </ipRanges>
          </item>
          <item>
            <ipProtocol>icmp</ipProtocol>
            <fromPort>-1</fromPort>
            <toPort>-1</toPort>
            <groups />
            <ipRanges>
              <item>
                <cidrIp>0.0.0.0/0</cidrIp>
              </item>
            </ipRanges>
          </item>
        </ipPermissions>
      </item>
    </securityGroupInfo>
  </DescribeSecurityGroupsResponse>
</amazon-ec2-rest-response>

Back to top

Revoke Security Group Ingress operation

The Revoke Security Group Ingress operation enables you to revoke permissions from the specified security group. While revoking permissions, you must use the same values specified for granting the permissions.
The permissions for a security group are specified by:

IP protocol—TCP, UDP, or ICMP
Source of the request—IP range or an Amazon EC2 user-group pair
Source and destination port ranges for TCP and UDP

Codes and types for ICMP

The following figure shows the sample <items> XML element for the Revoke Security Group Ingress operation.

Sample <items> XML element for the Revoke Security Group Ingress operation

<items>
<item>
<parameters>
<user-id></user-id>
<group-name></group-name>
<ip-permissions>
<!--Zero or more repetition-->
<item>
<ip-protocol></ip-protocol>
<from-port></from-port>
<to-port></to-port>
<groups>
<!--Zero or more repetition-->
<item>
<user-id></user-id>
<group-name></group-name>
</item>
</groups>
<ip-ranges>
<!--Zero or more repetition-->
<item>
<cidr-ip></cidr-ip>
</item>
</ip-ranges>
</item>
</ip-permissions>
</parameters>
</item>
</items>

The following table shows the adapter request elements for the Revoke Security Group Ingress operation.

Adapter request elements for the Revoke Security Group Ingress operation

Element	Definition	Required
`<access-key>`	Specifies the Amazon Web Services (AWS) access key You need to generate the AWS access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Access Key is specified, the adapter ignores the value.
`<secret-key>`	Specifies the AWS secret access key You need to generate the AWS secret access key by going to the Security Credentials tab in the AWS console.	Conditional; You must specify the Access Key and theSecret Key together in the configuration or the adapter request. If you specify both the keys in the adapter request and in the adapter configuration, the key values in the request override the values in the configuration. If only the Secret Access Key is specified, the adapter ignores the value.
`<region>`	Specifies the region with which you want the adapter to communicate Amazon EC2 is hosted in multiple locations world-wide. You must specify the region in which you want the adapter to perform the actions. Valid values: us-east-1 us-west-2 (default) us-west-1 eu-west-1 ap-southeast-1 ap-northeast-1 ap-southeast-2 sa-east-1	No
`<operation-name>`	Contains the name of the operation: revoke-security-group-ingress	Yes
`<user-id>`	Specifies the Access Key ID for the Amazon web services	No
`<group-name>`	Specifies the name of the security group to modify The security group name must be valid and must belong to your Amazon EC2 account.	Yes
`<ip-permissions>`	Specifies the set of permissions for the security group The `<ip-permissions>` element has the following child elements: `<ip-protocol>` `<from-port>` `<to-port>` `<groups>` `<ip-ranges>` `<user-id>`	Yes
`<ip-protocol>`	Specifies the protocol to be used to revoke permissions from the specified security group Valid values: tcp, udp, icmp	Yes
`<from-port>`	Specifies the start of the port range for the TCP and UDP protocols, or an ICMP type number A value of -1 indicates a wild card (any ICMP code).	Yes
`<to-port>`	Specifies the end of the port range for the TCP and UDP protocols, or an ICMP type number A value of -1 indicates a wild card (any ICMP code).	Yes
`<groups>`	Specifies the list of security group and user-id pairs This element can not be used to specify a CIDR IP address.	Yes
`<ip-ranges>`	Specifies the list of CIDR IP ranges	Yes

The following figure shows a sample adapter request for the Revoke Security Group Ingress operation.

Sample adapter request for the Revoke Security Group Ingress operation

 <amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41****************ZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>revoke-security-group-ingress</operation-name>
    <parameters>
      <user-id>246495073671</user-id>
      <group-name>bmc1</group-name>
      <ip-permissions>
        <item>
          <ip-protocol>icmp</ip-protocol>
          <from-port>-1</from-port>
          <to-port>-1</to-port>
          <groups>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-17</group-name>
            </item>
          </groups>
          <ip-ranges>
            <item>
              <cidr-ip />
            </item>
          </ip-ranges>
        </item>
        <item>
          <ip-protocol>tcp</ip-protocol>
          <from-port>0</from-port>
          <to-port>22</to-port>
          <groups>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-4</group-name>
            </item>
          </groups>
          <ip-ranges>
            <item>
              <cidr-ip>10.20.0.0/16</cidr-ip>
            </item>
          </ip-ranges>
        </item>
      </ip-permissions>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the response for the sample adapter request for the Revoke Security Group Ingress operation.

Sample adapter response for the Revoke Security Group Ingress operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <RevokeSecurityGroupIngressResponse>
    <return>true</return>
  </RevokeSecurityGroupIngressResponse>
</amazon-ec2-rest-response>

Back to top

Security_Group_Operations for the Amazon EC2 REST adapter

Authorize Security Group Ingress operation

Create Security Group operation

Delete Security Group operation

Describe Security Groups operation

Revoke Security Group Ingress operation

Comments