Security_Group_Operations for the Amazon EC2 REST adapter

This topic describes the adapter requests and responses for the Security_Group_Operations of the Amazon EC2 REST adapter. 

Authorize Security Group Ingress operation 

The Authorize Security Group Ingress operation enables you to add inbound (ingress) permissions to a security group in Amazon EC2. 

The following figure shows the sample <items> XML element for the Authorize Security Group Ingress operation. 

Sample <items> XML element for the Authorize Security Group Ingress operation

<items>
    <item>
        <parameters>
            <group-name></group-name>
            <ip-permissions>
                <!--Zero or more repetitions-->
                <item>
                    <ip-protocol></ip-protocol>
                    <from-port></from-port>
                    <to-port></to-port>
                    <groups>
                        <!--Zero or more repetitions-->
                        <item>
                            <user-id></user-id>
                            <group-name></group-name>
                        </item>
                    </groups>
                    <ip-ranges>
                        <!--Zero or more repetitions-->
                        <item>
                            <cidr-ip></cidr-ip>
                        </item>
                    </ip-ranges>
                </item>
            </ip-permissions>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for the Authorize Security Group Ingress operation. 

Adapter request elements for the Authorize Security Group Ingress operation

Element

Definition

Required

<access-key>

Specifies the Amazon Web Services (AWS) access key ID

You generate the AWS access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the access key is specified, the adapter ignores the value.

<secret-key>

Specifies the AWS secret access key

You generate the AWS secret access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the secret access key is specified, the adapter ignores the value.
  • Prefer supplying the key pair once in the adapter configuration rather than embedding it in every adapter request.

<region>

Specifies the region with which you want the adapter to communicate

Amazon EC2 is hosted in multiple locations worldwide. Specify the region in which you want the adapter to perform the actions; if you omit this element, the adapter uses us-west-2.

Valid values:

  • us-east-1
  • us-west-2 (default)
  • us-west-1
  • eu-west-1
  • ap-southeast-1
  • ap-northeast-1
  • ap-southeast-2
  • sa-east-1

No

<operation-name>

Contains the name of the operation: authorize-security-group-ingress

Yes

<user-id>

Specifies the user ID (the 12-digit AWS account ID) of the Amazon EC2 account that owns the security group

No

<group-name>

Specifies the name of the security group to modify

The security group name must be valid and must belong to your Amazon EC2 account.

Yes

<ip-permissions>

Specifies the set of permissions for the security group 

The <ip-permissions> element has the following child elements:

  • <ip-protocol>
  • <from-port>
  • <to-port>
  • <groups>
  • <ip-ranges>

Yes

<ip-protocol>

Specifies the protocol for which permissions are granted to the specified security group 

Valid values: tcp, udp, icmp

Yes

<from-port>

Specifies the start of the port range for the TCP and UDP protocols, or an ICMP type number 

A value of -1 indicates a wildcard (all ICMP types).

Yes

<to-port>

Specifies the end of the port range for the TCP and UDP protocols, or an ICMP code number 

A value of -1 indicates a wildcard (all ICMP codes). For a single port, set <from-port> and <to-port> to the same value (for example, 22 for SSH); a range that starts at 0 opens every port up to <to-port>.

Yes

<groups>

Specifies the list of security group and user-id pairs 

Each <item> in the list pairs a <user-id> (the AWS account ID that owns the source group) with a <group-name>. This element cannot be used to specify a CIDR IP address.

Yes

<ip-ranges>

Specifies the list of CIDR IP ranges

Each <item> carries one <cidr-ip>. A range of 0.0.0.0/0 admits traffic from any IPv4 address; restrict the range to the source networks that need access.

Yes

The following figure shows a sample adapter request for the Authorize Security Group Ingress operation. 

Sample adapter request for the Authorize Security Group Ingress operation

<amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41*******************ED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>authorize-security-group-ingress</operation-name>
    <parameters>
      <group-name>bmc1</group-name>
      <ip-permissions>
        <item>
          <ip-protocol>icmp</ip-protocol>
          <from-port>-1</from-port>
          <to-port>-1</to-port>
          <groups>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-17</group-name>
            </item>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-11</group-name>
            </item>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-4</group-name>
            </item>
          </groups>
          <ip-ranges />
        </item>
        <item>
          <ip-protocol>tcp</ip-protocol>
          <from-port>0</from-port>
          <to-port>22</to-port>
          <groups>
            <item>
              <user-id />
              <group-name />
            </item>
          </groups>
          <ip-ranges>
            <item>
              <cidr-ip>10.20.0.0/16</cidr-ip>
            </item>
          </ip-ranges>
        </item>
      </ip-permissions>
    </parameters>
</amazon-ec2-rest-request>
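The following example, added here and not part of the adapter's own code, builds and validates an adapter request for either ingress operation (authorize-security-group-ingress or revoke-security-group-ingress) before it is handed to the adapter. The element names are the ones documented on this page; the validation rules (port ordering, CIDR host bits, 12-digit account IDs) and the refusal of 0.0.0.0/0 sources unless explicitly allowed are this example's own. The <access-key> and <secret-key> elements are deliberately left out, so the example assumes the key pair is held in the adapter configuration.

```python
# Added example (not BMC's code): build and validate an ingress request for the
# Amazon EC2 REST adapter. The element names are the ones the adapter documents;
# the validation rules and the refusal of 0.0.0.0/0 sources are this example's own.
# Access and secret keys are deliberately omitted so that they come from the
# adapter configuration rather than being repeated in every request.
import ipaddress
import xml.etree.ElementTree as ET

VALID_PROTOCOLS = ("tcp", "udp", "icmp")
VALID_REGIONS = ("us-east-1", "us-west-2", "us-west-1", "eu-west-1",
                 "ap-southeast-1", "ap-northeast-1", "ap-southeast-2", "sa-east-1")
INGRESS_OPERATIONS = ("authorize-security-group-ingress",
                      "revoke-security-group-ingress")


def validate_permission(perm):
    """Check one <ip-permissions>/<item>, given as a dict keyed by element name:
    ip-protocol, from-port, to-port, groups (list of (user-id, group-name)),
    ip-ranges (list of CIDR strings). Raises ValueError on the first problem."""
    proto = perm["ip-protocol"]
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"ip-protocol must be one of {VALID_PROTOCOLS}, got {proto!r}")
    lo, hi = int(perm["from-port"]), int(perm["to-port"])
    if proto == "icmp":
        # from-port is the ICMP type and to-port the ICMP code; -1 is the wildcard.
        if not (lo == -1 or 0 <= lo <= 255) or not (hi == -1 or 0 <= hi <= 255):
            raise ValueError("ICMP type and code must be -1 or within 0..255")
    else:
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            raise ValueError("TCP/UDP ports must be within 0..65535")
        if lo > hi:
            raise ValueError(f"from-port {lo} is greater than to-port {hi}")
    for cidr in perm.get("ip-ranges", []):
        # strict=True rejects a CIDR whose host bits are set (e.g. 10.20.1.5/16).
        ipaddress.IPv4Network(cidr, strict=True)
    for user_id, group_name in perm.get("groups", []):
        # A <groups>/<item> pairs a 12-digit AWS account ID with a group name.
        if not (user_id.isdigit() and len(user_id) == 12) or not group_name:
            raise ValueError(f"bad user-id/group-name pair: {(user_id, group_name)!r}")
    if not perm.get("ip-ranges") and not perm.get("groups"):
        raise ValueError("a permission needs at least one CIDR range or group pair")


def open_to_world(perm):
    """True if any source range is 0.0.0.0/0, i.e. every IPv4 address."""
    return any(ipaddress.IPv4Network(c).prefixlen == 0 for c in perm.get("ip-ranges", []))


def build_ingress_request(operation, group_name, permissions, region="us-west-2",
                          user_id=None, allow_open_to_world=False):
    """Return the <amazon-ec2-rest-request> XML for an authorize or revoke operation."""
    if operation not in INGRESS_OPERATIONS:
        raise ValueError(f"unsupported operation {operation!r}")
    if region not in VALID_REGIONS:
        raise ValueError(f"unsupported region {region!r}")
    for perm in permissions:
        validate_permission(perm)
        if open_to_world(perm) and not allow_open_to_world:
            raise ValueError("0.0.0.0/0 source refused; pass allow_open_to_world=True to override")

    root = ET.Element("amazon-ec2-rest-request")
    ET.SubElement(root, "region").text = region
    ET.SubElement(root, "operation-name").text = operation
    params = ET.SubElement(root, "parameters")
    if user_id:  # optional top-level <user-id>: the AWS account ID that owns the group
        ET.SubElement(params, "user-id").text = user_id
    ET.SubElement(params, "group-name").text = group_name
    perms_el = ET.SubElement(params, "ip-permissions")
    for perm in permissions:
        item = ET.SubElement(perms_el, "item")
        ET.SubElement(item, "ip-protocol").text = perm["ip-protocol"]
        ET.SubElement(item, "from-port").text = str(perm["from-port"])
        ET.SubElement(item, "to-port").text = str(perm["to-port"])
        groups_el = ET.SubElement(item, "groups")
        for uid, gname in perm.get("groups", []):
            pair = ET.SubElement(groups_el, "item")
            ET.SubElement(pair, "user-id").text = uid
            ET.SubElement(pair, "group-name").text = gname
        ranges_el = ET.SubElement(item, "ip-ranges")
        for cidr in perm.get("ip-ranges", []):
            ET.SubElement(ET.SubElement(ranges_el, "item"), "cidr-ip").text = cidr
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed input: allow SSH only, from one internal /16, into group bmc1.
    ssh_rule = {"ip-protocol": "tcp", "from-port": 22, "to-port": 22,
                "groups": [], "ip-ranges": ["10.20.0.0/16"]}
    print(build_ingress_request("authorize-security-group-ingress", "bmc1", [ssh_rule]))
```

Because the same builder serialises both operations, a revoke request can be produced from exactly the permission dict that was authorized, which is what the adapter requires when revoking.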

The following figure shows the response for the sample adapter request for the Authorize Security Group Ingress operation. 

Sample adapter response for the Authorize Security Group Ingress operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <AuthorizeSecurityGroupIngressResponse>
    <return>true</return>
  </AuthorizeSecurityGroupIngressResponse>
</amazon-ec2-rest-response>


Create Security Group operation

The Create Security Group operation enables you to create a new security group. The security group name must be unique for each Amazon EC2 account. 

The following figure shows the sample <items> XML element for the Create Security Group operation. 

Sample <items> XML element for the Create Security Group operation

<items>
    <item>
        <parameters>
            <group-name></group-name>
            <group-description></group-description>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for this request. 

Adapter request elements for the Create Security Group operation

Element

Definition

Required

<access-key>

Specifies the Amazon Web Services (AWS) access key ID

You generate the AWS access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the access key is specified, the adapter ignores the value.

<secret-key>

Specifies the AWS secret access key

You generate the AWS secret access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the secret access key is specified, the adapter ignores the value.

<region>

Specifies the region with which you want the adapter to communicate

Amazon EC2 is hosted in multiple locations worldwide. Specify the region in which you want the adapter to perform the actions; if you omit this element, the adapter uses us-west-2.

Valid values:

  • us-east-1
  • us-west-2 (default)
  • us-west-1
  • eu-west-1
  • ap-southeast-1
  • ap-northeast-1
  • ap-southeast-2
  • sa-east-1

No

<operation-name>

Contains the name of the operation: create-security-group

Yes

<group-name>

Specifies the name of the security group

Valid values: alphanumeric characters, spaces, dashes, underscores

Yes

<group-description>

Specifies the description for the security group 

Valid values: alphanumeric characters, spaces, dashes, underscores

Yes

<vpc-id>

Specifies the ID of the Amazon Virtual Private Cloud (VPC) in which you want to create the security group

Conditional; required only when you create the security group in a VPC. The sample request below omits it.

The following figure shows a sample adapter request for the Create Security Group operation. 

Sample adapter request for the Create Security Group operation

<amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41***************FZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>create-security-group</operation-name>
    <parameters>
      <group-name>bmc2</group-name>
      <group-description>bmc2</group-description>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the sample adapter response for the Create Security Group operation. 

Sample adapter response for the Create Security Group operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <CreateSecurityGroupResponse>
    <groupId>sg-827944b2</groupId>
    <return>true</return>
  </CreateSecurityGroupResponse>
</amazon-ec2-rest-response>


Delete Security Group operation

The Delete Security Group operation enables you to delete a security group that you own. 

The following figure shows a sample <items> XML element for the Delete Security Group operation. 

Sample <items> XML element for the Delete Security Group operation

<items>
    <item>
        <parameters>
            <group-name></group-name>
        </parameters>
    </item>
</items>

The following table describes the adapter request elements for this request. 

Adapter request elements for the Delete Security Group operation

Element

Definition

Required

<access-key>

Specifies the Amazon Web Services (AWS) access key ID

You generate the AWS access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the access key is specified, the adapter ignores the value.

<secret-key>

Specifies the AWS secret access key

You generate the AWS secret access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the secret access key is specified, the adapter ignores the value.

<region>

Specifies the region with which you want the adapter to communicate

Amazon EC2 is hosted in multiple locations worldwide. Specify the region in which you want the adapter to perform the actions; if you omit this element, the adapter uses us-west-2.

Valid values:

  • us-east-1
  • us-west-2 (default)
  • us-west-1
  • eu-west-1
  • ap-southeast-1
  • ap-northeast-1
  • ap-southeast-2
  • sa-east-1

No

<operation-name>

Contains the name of the operation: delete-security-group

Yes

<group-name>

Specifies the name of the security group that you want to delete

Yes

The following figure shows the sample adapter request for the Delete Security Group operation. 

Sample adapter request for the Delete Security Group operation

<amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41***************FZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>delete-security-group</operation-name>
    <parameters>
      <group-name>bmc3</group-name>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the sample adapter response for the Delete Security Group operation. 

Sample adapter response for the Delete Security Group operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <DeleteSecurityGroupResponse>
    <return>true</return>
  </DeleteSecurityGroupResponse>
</amazon-ec2-rest-response>


Describe Security Groups operation 

The Describe Security Groups operation retrieves information about the security groups that you own, including the ingress permissions currently granted to each group. 

The following figure shows the sample <items> XML element for the Describe Security Groups operation. 

Sample <items> XML element for the Describe Security Groups operation

<items>
    <item>
        <parameters>
            <security-group-set>
                <!--Zero or more repetitions:-->
                <item>
                    <group-name></group-name>
                </item>
            </security-group-set>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for this request. 

Adapter request elements for the Describe Security Groups operation

Element

Definition

Required

<access-key>

Specifies the Amazon Web Services (AWS) access key ID

You generate the AWS access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the access key is specified, the adapter ignores the value.

<secret-key>

Specifies the AWS secret access key

You generate the AWS secret access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the secret access key is specified, the adapter ignores the value.

<region>

Specifies the region with which you want the adapter to communicate

Amazon EC2 is hosted in multiple locations worldwide. Specify the region in which you want the adapter to perform the actions; if you omit this element, the adapter uses us-west-2.

Valid values:

  • us-east-1
  • us-west-2 (default)
  • us-west-1
  • eu-west-1
  • ap-southeast-1
  • ap-northeast-1
  • ap-southeast-2
  • sa-east-1

No

<operation-name>

Contains the name of the operation: describe-security-groups

Yes

<security-group-set>

Specifies the set of security groups containing the name of the security groups to be described

Yes

The following figure shows a sample adapter request for the Describe Security Groups operation. 

Sample adapter request for the Describe Security Groups operation

<amazon-ec2-rest-request>
    <access-key>AKIAI*********HQTRA</access-key>
    <secret-key>7Z8wlSJ41***************FZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>describe-security-groups</operation-name>
    <parameters>
      <security-group-set>
        <item>
          <group-name>bmc1</group-name>
        </item>
        <item>
          <group-name>bmc2</group-name>
        </item>
      </security-group-set>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the response for the sample adapter request for the Describe Security Groups operation. 

Sample adapter response for the Describe Security Groups operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <DescribeSecurityGroupsResponse>
    <securityGroupInfo>
      <item>
        <ownerId>246495073671</ownerId>
        <groupId>sg-827944b2</groupId>
        <groupName>bmc2</groupName>
        <groupDescription>bmc2</groupDescription>
        <ipPermissions />
      </item>
      <item>
        <ownerId>246495073671</ownerId>
        <groupId>sg-a87e4398</groupId>
        <groupName>bmc1</groupName>
        <groupDescription>bmc1</groupDescription>
        <ipPermissions>
          <item>
            <ipProtocol>tcp</ipProtocol>
            <fromPort>0</fromPort>
            <toPort>65535</toPort>
            <groups />
            <ipRanges>
              <item>
                <cidrIp>0.0.0.0/0</cidrIp>
              </item>
            </ipRanges>
          </item>
          <item>
            <ipProtocol>icmp</ipProtocol>
            <fromPort>-1</fromPort>
            <toPort>-1</toPort>
            <groups />
            <ipRanges>
              <item>
                <cidrIp>0.0.0.0/0</cidrIp>
              </item>
            </ipRanges>
          </item>
        </ipPermissions>
      </item>
    </securityGroupInfo>
  </DescribeSecurityGroupsResponse>
</amazon-ec2-rest-response>


Revoke Security Group Ingress operation

The Revoke Security Group Ingress operation enables you to revoke permissions from the specified security group. When you revoke permissions, you must specify the same protocol, port range, and source values that were used to grant them.
The permissions for a security group are specified by:

  • IP protocol—TCP, UDP, or ICMP
  • Source of the request—IP range or an Amazon EC2 user-group pair
  • Destination port range for TCP and UDP
  • Types and codes for ICMP 

The following figure shows the sample <items> XML element for the Revoke Security Group Ingress operation. 

Sample <items> XML element for the Revoke Security Group Ingress operation

<items>
    <item>
        <parameters>
            <user-id></user-id>
            <group-name></group-name>
            <ip-permissions>
                <!--Zero or more repetitions-->
                <item>
                    <ip-protocol></ip-protocol>
                    <from-port></from-port>
                    <to-port></to-port>
                    <groups>
                        <!--Zero or more repetitions-->
                        <item>
                            <user-id></user-id>
                            <group-name></group-name>
                        </item>
                    </groups>
                    <ip-ranges>
                        <!--Zero or more repetitions-->
                        <item>
                            <cidr-ip></cidr-ip>
                        </item>
                    </ip-ranges>
                </item>
            </ip-permissions>
        </parameters>
    </item>
</items>

The following table shows the adapter request elements for the Revoke Security Group Ingress operation.

Adapter request elements for the Revoke Security Group Ingress operation

Element

Definition

Required

<access-key>

Specifies the Amazon Web Services (AWS) access key ID

You generate the AWS access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the access key is specified, the adapter ignores the value.

<secret-key>

Specifies the AWS secret access key

You generate the AWS secret access key on the Security Credentials tab in the AWS console.

Conditional

  • You must specify the access key and the secret key together, either in the adapter configuration or in the adapter request.
  • If you specify both keys in the adapter request and in the adapter configuration, the values in the request override the values in the configuration.
  • If only the secret access key is specified, the adapter ignores the value.

<region>

Specifies the region with which you want the adapter to communicate

Amazon EC2 is hosted in multiple locations worldwide. Specify the region in which you want the adapter to perform the actions; if you omit this element, the adapter uses us-west-2.

Valid values:

  • us-east-1
  • us-west-2 (default)
  • us-west-1
  • eu-west-1
  • ap-southeast-1
  • ap-northeast-1
  • ap-southeast-2
  • sa-east-1

No

<operation-name>

Contains the name of the operation: revoke-security-group-ingress

Yes

<user-id>

Specifies the 12-digit AWS account ID of the Amazon EC2 account that owns the security group (the ownerId returned by the Describe Security Groups operation)

No

<group-name>

Specifies the name of the security group to modify 

The security group name must be valid and must belong to your Amazon EC2 account.

Yes

<ip-permissions>

Specifies the set of permissions to revoke from the security group 

The <ip-permissions> element has the following child elements:

  • <ip-protocol>
  • <from-port>
  • <to-port>
  • <groups>
  • <ip-ranges>

Yes

<ip-protocol>

Specifies the protocol of the permission to revoke from the specified security group 

Valid values: tcp, udp, icmp

Yes

<from-port>

Specifies the start of the port range for the TCP and UDP protocols, or an ICMP type number 

A value of -1 indicates a wildcard (all ICMP types).

Yes

<to-port>

Specifies the end of the port range for the TCP and UDP protocols, or an ICMP code number 

A value of -1 indicates a wildcard (all ICMP codes).

Yes

<groups>

Specifies the list of security group and user-id pairs 

Each <item> in the list pairs a <user-id> (the AWS account ID that owns the source group) with a <group-name>. This element cannot be used to specify a CIDR IP address.

Yes

<ip-ranges>

Specifies the list of CIDR IP ranges

Each <item> carries one <cidr-ip>, which must match the range that was granted.

Yes

The following figure shows a sample adapter request for the Revoke Security Group Ingress operation. 

Sample adapter request for the Revoke Security Group Ingress operation

<amazon-ec2-rest-request>
    <access-key>AKIAI**********HQTRA</access-key>
    <secret-key>7Z8wlSJ41****************ZWYVED8h3P223Q7</secret-key>
    <region>us-west-2</region>
    <operation-name>revoke-security-group-ingress</operation-name>
    <parameters>
      <user-id>246495073671</user-id>
      <group-name>bmc1</group-name>
      <ip-permissions>
        <item>
          <ip-protocol>icmp</ip-protocol>
          <from-port>-1</from-port>
          <to-port>-1</to-port>
          <groups>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-17</group-name>
            </item>
          </groups>
          <ip-ranges>
            <item>
              <cidr-ip />
            </item>
          </ip-ranges>
        </item>
        <item>
          <ip-protocol>tcp</ip-protocol>
          <from-port>0</from-port>
          <to-port>22</to-port>
          <groups>
            <item>
              <user-id>246495073671</user-id>
              <group-name>launch-wizard-4</group-name>
            </item>
          </groups>
          <ip-ranges>
            <item>
              <cidr-ip>10.20.0.0/16</cidr-ip>
            </item>
          </ip-ranges>
        </item>
      </ip-permissions>
    </parameters>
</amazon-ec2-rest-request>

The following figure shows the response for the sample adapter request for the Revoke Security Group Ingress operation. 

Sample adapter response for the Revoke Security Group Ingress operation

<amazon-ec2-rest-response>
  <metadata>
    <status>success</status>
  </metadata>
  <RevokeSecurityGroupIngressResponse>
    <return>true</return>
  </RevokeSecurityGroupIngressResponse>
</amazon-ec2-rest-response>
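The following example, added here and not part of the adapter's own code, audits a describe-security-groups adapter response (the sample response shown earlier on this page, embedded as constructed input) and lists every rule whose source is 0.0.0.0/0. Because the Revoke Security Group Ingress operation must be given the same values that were granted, each finding keeps the rule's protocol, ports, groups and CIDR ranges exactly as the response reported them, keyed by the kebab-case request element names. The response element names are the ones shown in the sample response; the child names userId and groupName under a populated groups/item are an assumption, since the sample shows only empty <groups /> elements.

```python
# Added example (not BMC's code): parse a describe-security-groups adapter response,
# flag rules open to the whole IPv4 Internet, and keep their exact values so they
# can be passed unchanged to revoke-security-group-ingress.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed from the sample adapter response on this page.
SAMPLE_RESPONSE = """<amazon-ec2-rest-response>
  <metadata><status>success</status></metadata>
  <DescribeSecurityGroupsResponse>
    <securityGroupInfo>
      <item>
        <ownerId>246495073671</ownerId>
        <groupId>sg-827944b2</groupId>
        <groupName>bmc2</groupName>
        <groupDescription>bmc2</groupDescription>
        <ipPermissions />
      </item>
      <item>
        <ownerId>246495073671</ownerId>
        <groupId>sg-a87e4398</groupId>
        <groupName>bmc1</groupName>
        <groupDescription>bmc1</groupDescription>
        <ipPermissions>
          <item>
            <ipProtocol>tcp</ipProtocol><fromPort>0</fromPort><toPort>65535</toPort>
            <groups />
            <ipRanges><item><cidrIp>0.0.0.0/0</cidrIp></item></ipRanges>
          </item>
          <item>
            <ipProtocol>icmp</ipProtocol><fromPort>-1</fromPort><toPort>-1</toPort>
            <groups />
            <ipRanges><item><cidrIp>0.0.0.0/0</cidrIp></item></ipRanges>
          </item>
        </ipPermissions>
      </item>
    </securityGroupInfo>
  </DescribeSecurityGroupsResponse>
</amazon-ec2-rest-response>"""


def parse_groups(response_xml):
    """Return [(owner_id, group_name, [permission dicts])] from an adapter response.

    Each permission dict is keyed by the kebab-case request element names and keeps
    the values exactly as returned, because a revoke must quote the granted rule.
    """
    root = ET.fromstring(response_xml)
    if root.findtext("metadata/status") != "success":
        raise RuntimeError("adapter reported failure; nothing to audit")
    groups = []
    for g in root.iterfind("DescribeSecurityGroupsResponse/securityGroupInfo/item"):
        perms = []
        for p in g.iterfind("ipPermissions/item"):
            perms.append({
                "ip-protocol": p.findtext("ipProtocol"),
                "from-port": int(p.findtext("fromPort")),
                "to-port": int(p.findtext("toPort")),
                # userId/groupName child names are assumed; the page shows only <groups />.
                "groups": [(s.findtext("userId"), s.findtext("groupName"))
                           for s in p.iterfind("groups/item")],
                "ip-ranges": [r.findtext("cidrIp") for r in p.iterfind("ipRanges/item")],
            })
        groups.append((g.findtext("ownerId"), g.findtext("groupName"), perms))
    return groups


def find_world_open_rules(response_xml):
    """List (owner_id, group_name, permission) for every rule sourced from 0.0.0.0/0.

    A /0 prefix admits every IPv4 address, whether the rule opens one port or all.
    """
    findings = []
    for owner, name, perms in parse_groups(response_xml):
        for perm in perms:
            if any(ipaddress.IPv4Network(c).prefixlen == 0 for c in perm["ip-ranges"]):
                findings.append((owner, name, perm))
    return findings


def describe_rule(perm):
    """Human-readable summary, e.g. 'tcp 0-65535 from 0.0.0.0/0'."""
    if perm["ip-protocol"] == "icmp" and perm["from-port"] == -1:
        ports = "all ICMP types/codes"
    else:
        ports = f"{perm['from-port']}-{perm['to-port']}"
    return f"{perm['ip-protocol']} {ports} from {', '.join(perm['ip-ranges'])}"


if __name__ == "__main__":
    for owner, name, perm in find_world_open_rules(SAMPLE_RESPONSE):
        print(f"{name} (owner {owner}): {describe_rule(perm)}")
```

Run against the sample response, the audit reports nothing for bmc2 and two rules for bmc1: all TCP ports and all ICMP from 0.0.0.0/0. The owner ID in each finding is the value to place in the top-level <user-id> of the revoke request, and the permission dict supplies the <ip-permissions> item unchanged.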

