For those of you who are new or unfamiliar with security groups in Amazon Web Services (AWS), they are a virtual firewall for your Elastic Compute Cloud (EC2) instance to control inbound and outbound traffic. I will be looking at how we can create and view our security groups with PowerShell using the AWSPowerShell.NetCore module.

Before delving into creating security groups with PowerShell, it is worth noting their basics:

  • First, AWS security groups apply to the EC2 instance itself and not at the subnet level.
  • By default, a security group includes an outbound rule that allows all outbound traffic.
  • Rules can only allow traffic; there is no deny feature.
  • You create rules for inbound and outbound traffic separately.

These are just a handful of useful points to note. If you want to know more, refer to the AWS documentation.

Creating a new security group

To start, we will create a new security group in AWS. To do this, I'll be using New-EC2SecurityGroup. When we create the group, we need to come up with a friendly name to pass to the GroupName parameter. We add a Description to the group to make its purpose clear to others. Finally, we add our Virtual Private Cloud ID (VpcId) to indicate where we want to create the group. The example below shows all of the above put together:

Import-Module AWSPowerShell.NetCore

# Splat the parameters for the new security group
$NewGroup = @{
    GroupName   = 'RDPAccess'
    Description = "Security Group to allow RDP access to Windows"
    VpcId       = 'vpc-6d3h9253'
    Force       = $true
}
New-EC2SecurityGroup @NewGroup

When run, the output returned to the console is the new Group ID. Make a note of this, since you will need it for creating the rules. Note we are just creating the group here and not the rules. We'll do that next.

Adding rules to the security group

Now that we have our security group, RDPAccess, let's add a rule to allow remote desktop access. I am going to show the finished code first and then break it down afterwards:

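Grant-EC2SecurityGroupIngress -GroupId 'sg-0137fcc58d5340ff0' -IpPermission @{
    # The IpRanges value is a placeholder (documentation range); use the CIDR that needs RDP access
    IpProtocol="tcp"; FromPort="3389"; ToPort="3389"; IpRanges="203.0.113.0/24"
}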

The AWS cmdlet used for this is Grant-EC2SecurityGroupIngress. The word Ingress in network terms means "traffic toward you" (inbound). For Egress traffic (outbound) rules, you can use the Grant-EC2SecurityGroupEgress cmdlet.

For the example given, we are creating an inbound rule to allow remote desktop access. For the GroupId parameter, add your recently created Group ID. The Amazon documentation states, "you must identify security groups for EC2-VPC using the security group ID not the security group name."

The IpPermission parameter takes a hash table. To view the key names, you can either look at the documentation for the Amazon.EC2.Model.IpPermission object or create an instance of the object, like so, to view the available properties:

[Amazon.EC2.Model.IpPermission]::new() | Get-Member -MemberType Property
Viewing the instance properties available

Viewing the security group details

To view the group details, use the Get-EC2SecurityGroup cmdlet. Since we are working with EC2-VPC, an instance run in a virtual private cloud, AWS doesn't allow searching on the GroupName without adding additional information, meaning we need to use the GroupId. As Amazon states, "Notice that you can't reference a security group for EC2-VPC by name."

To make it easier to search on the name, I've created a little function. The function takes a GroupName parameter and passes it to a Where-Object filter. Using the IpPermissions property, a Foreach loop goes through the group properties:

function Get-EC2SecurityGroupDetails {
    param (
        [string] $GroupName
    )
    # Find the group by name, then emit one object per inbound rule
    (Get-EC2SecurityGroup | Where-Object GroupName -EQ $GroupName).IpPermissions |
        ForEach-Object {
            [PSCustomObject]@{
                IpProtocol = $_.IpProtocol
                FromPort   = $_.FromPort
                ToPort     = $_.ToPort
                Ipv4Ranges = $_.Ipv4Ranges.CidrIp -join ', '
            }
        }
}

I'll use it on our newly created group, RDPAccess:

Using the custom function Get-EC2SecurityGroupDetails to view a security group

The output from the function clearly shows our newly created group details.
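
The same IpPermissions walk can be turned into a review step that reports any group exposing RDP to every address. This is an added example, not code from the original article: Find-OpenIngressRule is a hypothetical helper name, and the sample objects are constructed to mimic the shape of Get-EC2SecurityGroup output so the block runs without an AWS account.

```powershell
# Added example: Find-OpenIngressRule is a hypothetical helper, not an AWS cmdlet.
function Find-OpenIngressRule {
    param (
        [Parameter(Mandatory, ValueFromPipeline)] $SecurityGroup,
        [int[]] $Port = @(3389)   # ports to review; RDP, as in the article
    )
    process {
        foreach ($rule in $SecurityGroup.IpPermissions) {
            # Keep only sources that mean "any address" (IPv4 or IPv6)
            $open = @($rule.Ipv4Ranges.CidrIp) + @($rule.Ipv6Ranges.CidrIpv6) |
                Where-Object { $_ -in '0.0.0.0/0', '::/0' }
            if (-not $open) { continue }

            # IpProtocol -1 means all protocols on all ports
            $allTraffic = $rule.IpProtocol -eq '-1'
            $portBased  = $rule.IpProtocol -in 'tcp', 'udp'
            foreach ($p in $Port) {
                $inRange = $portBased -and $p -ge $rule.FromPort -and $p -le $rule.ToPort
                if ($allTraffic -or $inRange) {
                    [PSCustomObject]@{
                        GroupId    = $SecurityGroup.GroupId
                        GroupName  = $SecurityGroup.GroupName
                        IpProtocol = $rule.IpProtocol
                        Port       = $p
                        OpenTo     = $open -join ', '
                    }
                }
            }
        }
    }
}

# Constructed sample data (IDs are made up): the first group is open to any
# address, the second is scoped to a documentation range.
$sample = @(
    [PSCustomObject]@{ GroupId = 'sg-EXAMPLE1'; GroupName = 'RDPAccess'; IpPermissions = @(
        [PSCustomObject]@{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389
            Ipv4Ranges = @([PSCustomObject]@{ CidrIp = '0.0.0.0/0' }); Ipv6Ranges = @() }) }
    [PSCustomObject]@{ GroupId = 'sg-EXAMPLE2'; GroupName = 'RDPFromOffice'; IpPermissions = @(
        [PSCustomObject]@{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389
            Ipv4Ranges = @([PSCustomObject]@{ CidrIp = '203.0.113.0/24' }); Ipv6Ranges = @() }) }
)
$sample | Find-OpenIngressRule
```

Against a real account, pipe the live objects in instead: Get-EC2SecurityGroup | Find-OpenIngressRule -Port 3389, 22.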


Summary

Working with security groups in AWS using PowerShell provides a useful way to automate their creation. You can create several rules at a time and even attach the security group to your EC2 instance. It's also worth remembering that we have been working with PowerShell Core, so if you are a Mac user, you can also use the code.

1 Comment
  1. Rajesh Routray 11 months ago


    Can you please help to filter the security group with their TAG name.


    Thanking you



© 4sysops 2006 - 2021

