Adds a rule to a security group. Specifically, this action either gives one or more CIDR IP address ranges permission to access a security group in your account, or gives one or more security groups (called the source groups) permission to access a security group in your account. A source group can be in your own AWS account or in another account.
The permission consists of the IP protocol (TCP, UDP or ICMP) and the CIDR range or source group. For TCP and UDP, you also specify the source and destination port ranges; for ICMP, you also specify the ICMP types. You can use -1 as a wildcard for the ICMP type.
Permission changes are propagated to instances within the security group as quickly as possible. However, depending on the number of instances, a small delay might occur.
| Caution |
|---|
| Adding hundreds of rules to a security group might cause problems when you access the instance. We recommend you condense your rules as much as possible. |
| Name | Description | Required |
|---|---|---|
|  | Deprecated | No |
|  | Name of the group to modify. The name must be valid, and the group must belong to your account. Type: String Default: None | Yes |
|  | IP protocol. Type: String Valid Values: Default: None | Yes |
|  | Start of port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (i.e., any ICMP type number). Type: Integer Default: None | Yes |
|  | End of port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates a wildcard (i.e., any ICMP code). Type: Integer Default: None | Yes |
|  | AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address. Type: String Default: None Condition: Required if giving access to one or more source security groups. | Conditional |
|  | Name of the source security group. Cannot be used when specifying a CIDR IP address. Type: String Default: None Condition: Required if giving access to one or more source security groups. | Conditional |
|  | CIDR range. Cannot be used when specifying a source security group. Type: String Default: None Constraints: Valid CIDR IP address range. Condition: Required if giving access to one or more IP address ranges. | Conditional |
The elements in the following table come wrapped in an
AuthorizeSecurityGroupIngressResponse structure.
| Name | Description |
|---|---|
| `requestId` | The ID of the request. Type: xsd:string |
| `return` | Returns true if request is successful. Otherwise, returns an error. Type: xsd:boolean |
This example grants the 205.192.0.0/16 and 205.159.0.0/16 address ranges access to your websrv security group on TCP port 80.

```
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.IpRanges.1.CidrIp=205.192.0.0/16
&IpPermissions.1.IpRanges.2.CidrIp=205.159.0.0/16
&AuthParams
```
This example grants TCP port 80 access from the source group called OtherAccountGroup (in AWS account 999988887777) to your websrv security group.

```
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.Groups.1.GroupName=OtherAccountGroup
&IpPermissions.1.Groups.1.UserId=999988887777
&AuthParams
```
```xml
<AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2010-08-31/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <return>true</return>
</AuthorizeSecurityGroupIngressResponse>
```
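The parameter constraints above (CIDR ranges and source groups are mutually exclusive, -1 is the ICMP wildcard, rules should be condensed) can be checked before a request is sent. The following is an added example, not AWS code: the function names are hypothetical, the parameter names are taken from the example requests on this page, the 0..255 and 0..65535 bounds are assumptions based on the ICMP and TCP/UDP field sizes, and the signing parameters (AuthParams) are left out.

```python
import ipaddress
from urllib.parse import urlencode

ENDPOINT = "https://ec2.amazonaws.com/"  # endpoint used in the page's examples

def build_ingress_params(group, protocol, from_port, to_port, cidrs=(), source_groups=()):
    """Validate one rule and return its Query API parameters (unsigned).

    source_groups: (owner_account_id, group_name) pairs.
    """
    protocol = protocol.lower()
    if protocol not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    # CIDR ranges and source groups cannot be combined; one of them is required.
    if bool(cidrs) == bool(source_groups):
        raise ValueError("give either CIDR ranges or source groups")
    if protocol == "icmp":
        # FromPort carries the ICMP type, ToPort the ICMP code; -1 is the wildcard.
        if not (-1 <= from_port <= 255 and -1 <= to_port <= 255):
            raise ValueError("ICMP type/code must be -1 or 0..255")
    elif not (0 <= from_port <= to_port <= 65535):
        raise ValueError("port range must satisfy 0 <= from <= to <= 65535")

    params = {
        "Action": "AuthorizeSecurityGroupIngress",
        "GroupName": group,
        "IpPermissions.1.IpProtocol": protocol,
        "IpPermissions.1.FromPort": from_port,
        "IpPermissions.1.ToPort": to_port,
    }
    # IPv4Network rejects malformed ranges and ranges with host bits set;
    # collapse_addresses merges adjacent or overlapping ranges into fewer rules.
    nets = ipaddress.collapse_addresses(ipaddress.IPv4Network(c) for c in cidrs)
    for i, net in enumerate(nets, 1):
        params[f"IpPermissions.1.IpRanges.{i}.CidrIp"] = str(net)
    for i, (owner, name) in enumerate(source_groups, 1):
        params[f"IpPermissions.1.Groups.{i}.GroupName"] = name
        params[f"IpPermissions.1.Groups.{i}.UserId"] = owner
    return params

def to_query(params):
    """Render the unsigned request; the page's AuthParams still have to be appended."""
    return ENDPOINT + "?" + urlencode(params, safe="/")

if __name__ == "__main__":
    print(to_query(build_ingress_params("websrv", "tcp", 80, 80,
                                        cidrs=["205.192.0.0/16", "205.159.0.0/16"])))
```

Because the ranges are collapsed first, two adjacent /25 ranges are sent as a single /24 rule, which keeps the rule count down as the caution above recommends.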