How to create a security group with a dynamic IP address on Amazon Web Services

Time: 2009-10-08 10:49:26

Tags: amazon-ec2 amazon-web-services

I need to run an instance and access it using my IP address, but the problem is that my ISP changes my IP address every day. Please help me with how to create a security group so that my instance stays accessible even when my IP changes.

Thanks in advance.

4 answers:

Answer 0 (score: 2)

You can use a source CIDR of 0.0.0.0/0 to allow access from anywhere.

You can narrow that down to your ISP's address space by looking up its allocation, or simply by keeping track of the addresses you actually get assigned.

To do it properly and restrict access to a single dynamic IP address, you could write an application that monitors your public IP address and, whenever it changes, calls the EC2 API AuthorizeSecurityGroupIngress method for the new address and RevokeSecurityGroupIngress to remove the old one.

Answer 1 (score: 1)

Here is how to restrict an AWS security group to a dynamic IP address for SSH.

You can write a cron job that periodically repeats the following steps:

  1. Get your external IP address (e.g. from http://checkip.amazonaws.com/)
  2. Fetch the security group details with the AWS SDK
  3. Loop through all the security rules, checking for port 22
  4. If the IP address does not match the one from step 1, update it.
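
Answer 1's four steps carried through in Python with boto3, as an added example rather than code from the answer: the decision logic is a pure function over a describe-security-groups record, so it can be checked against the constructed sample below without touching an account, and it only touches tcp/22 rules whose Description equals an assumed marker string (MARKER), so rules other people added to the group are never revoked. The group id, addresses and marker are assumptions.

```python
import ipaddress
import json

PORT = 22
MARKER = "dynamic-ip-updater"  # assumed Description that tags the rule this script owns


def port22_cidrs(sg):
    """CIDRs of tcp/22 rules in one describe_security_groups record that carry
    MARKER; anything else in the group is someone else's and is left alone."""
    cidrs = []
    for perm in sg.get("IpPermissions", []):
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", PORT, PORT):
            continue
        cidrs += [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("Description") == MARKER]
    return cidrs


def plan(sg, my_ip):
    """Return (revoke, authorize): stale marked CIDRs to drop and the current /32
    to add; both empty when the address has not changed (step 4's no-op case)."""
    new_cidr = f"{ipaddress.IPv4Address(my_ip)}/32"  # ValueError if the lookup returned junk
    current = port22_cidrs(sg)
    revoke = [c for c in current if c != new_cidr]
    authorize = [] if new_cidr in current else [new_cidr]
    return revoke, authorize


def apply_plan(ec2, group_id, revoke, authorize):
    """Apply a plan with a boto3 EC2 client; revoke first so a stale rule is never kept."""
    def perms(cidrs):
        return [{"IpProtocol": "tcp", "FromPort": PORT, "ToPort": PORT,
                 "IpRanges": [{"CidrIp": c, "Description": MARKER} for c in cidrs]}]
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms(revoke))
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms(authorize))


# Constructed sample record (group id and addresses are made up), used for offline checks.
SAMPLE_SG = json.loads("""{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
   {"CidrIp": "203.0.113.7/32", "Description": "dynamic-ip-updater"},
   {"CidrIp": "198.51.100.0/24", "Description": "office"}]},
 {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}""")

if __name__ == "__main__":  # live run: python3 updater.py sg-xxxx (needs boto3 and AWS credentials)
    import sys, urllib.request, boto3
    ip = urllib.request.urlopen("https://checkip.amazonaws.com").read().decode().strip()
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[sys.argv[1]])["SecurityGroups"][0]
    apply_plan(ec2, sg["GroupId"], *plan(sg, ip))
```

Scheduling the live run from cron gives the periodic loop the answer describes; the IPv4 check makes a failed lookup abort rather than authorize a garbage CIDR.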

Answer 2 (score: 0)

  1. Create a security group that allows access to port 22 from your current IP.
  2. Add a tag to the security group with the key ssh-from-my-ip and the value true.
  3. Run this script whenever your IP changes (or periodically via cron):

#! /bin/bash

# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq


# need my current ip; bail out rather than authorize an empty CIDR if the lookup fails
MY_IP=$(curl --silent https://checkip.amazonaws.com)
if [[ -z $MY_IP ]]; then
  echo "Could not determine current IP" >&2
  exit 1
fi
echo "Your IP is ${MY_IP}"

# need security group id(s) and the existing tcp/22 CIDR(s) for each tagged SG
# (one {sg, cidr} pair per CIDR; cidr is null when the SG has no tcp/22 rule yet)
pairs=$(aws ec2 describe-security-groups --output json | jq -c '.SecurityGroups[]? | select(.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("^(true|yes)$"; "i")) | .GroupId as $sg | [.IpPermissions[]? | select(.IpProtocol == "tcp" and .FromPort == 22 and .ToPort == 22) | .IpRanges[]?.CidrIp] | if length == 0 then {sg: $sg, cidr: null} else {sg: $sg, cidr: .[]} end')

for p in $pairs
do
  SG=$(echo "$p" | jq -r '.sg')
  OLD_CIDR=$(echo "$p" | jq -r '.cidr')

  echo "Updating security group ${SG}"
  if [[ $OLD_CIDR != 'null' ]]
  then
    echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
    # remove the existing ingress permission
    aws ec2 revoke-security-group-ingress \
        --group-id "${SG}" \
        --protocol tcp \
        --port 22 \
        --cidr "${OLD_CIDR}"
  fi

  # authorize my new IP CIDR
  NEW_CIDR="${MY_IP}"/32
  echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
  aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done

Answer 3 (score: 0)

#!/bin/bash

# User specific data:
SECURITY_GROUP_NAME="" # Set your group name here
REGION=${1:-"us-east-1"} # Change default region if needed


# The rule description doubles as a per-user marker, so only this user's rule is ever touched
AWS_USER=$(aws iam get-user --query "User.UserName" --output text)
RULE_DESCRIPTION="DynamicIP${AWS_USER}"
echo "User: $RULE_DESCRIPTION, Region: $REGION, Security group: $SECURITY_GROUP_NAME"

checkip () {
    # CIDR currently authorized under this user's rule description (empty if none)
    OLD_CIDR_IP=$(aws ec2 describe-security-groups --region "$REGION" --query "SecurityGroups[?GroupName=='$SECURITY_GROUP_NAME'].IpPermissions[*].IpRanges[?Description=='$RULE_DESCRIPTION'].CidrIp" --output text)
    NEW_IP=$(curl -s https://checkip.amazonaws.com)
    NEW_CIDR_IP="$NEW_IP/32"

    # drop the stale rule only when the address actually changed
    if [[ $OLD_CIDR_IP != "" ]] && [[ $OLD_CIDR_IP != "$NEW_CIDR_IP" ]]; then
        echo "Revoking $OLD_CIDR_IP"
        aws ec2 revoke-security-group-ingress --region "$REGION" --group-name "$SECURITY_GROUP_NAME" --protocol tcp --port 22 --cidr "$OLD_CIDR_IP" --output text > /dev/null
    fi

    # add the new rule, skipping it if the IP lookup returned nothing
    if [[ $NEW_IP != "" ]] && [[ $OLD_CIDR_IP != "$NEW_CIDR_IP" ]]; then
        echo "Setting up new ip $NEW_IP"
        aws ec2 authorize-security-group-ingress --region "$REGION" --group-name "$SECURITY_GROUP_NAME" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"$NEW_CIDR_IP"'", "Description": "'"$RULE_DESCRIPTION"'"}]}]'
    fi
}

# Poll every 30 seconds in a loop instead of having checkip call itself,
# which would nest one level deeper on every iteration.
while true; do
    checkip
    sleep 30
done