Remove AWS security group rules for a specific port

Date: 2013-10-23 21:34:46

Tags: amazon-web-services amazon-ec2

How can I delete all rules for a given port using "aws ec2"?

aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 **--ALL-IP**

3 answers:

Answer 0 (score: 3)

According to the documentation, this command works with --cidr or --source-group. So if you have multiple IP addresses, I'd say the only option is to run the same command several times, once per individual IP address (which would take the form 1.1.1.1/32).

Alternatively,

you can list all IP addresses in CIDR format (1.1.1.1/32) in a file (one IP address per line) and then run a for loop that runs the above command on each iteration, e.g.

for i in $(cat ip_address_cidr.txt); do aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr "$i"; done

I haven't tested the command syntax above, but it should do the job, so that you can revoke the rules in a single one-liner.

Answer 1 (score: 1)

In version 2, revoke-security-group-ingress lets us specify multiple IP CIDRs. See the solution below, written in PHP; I'm trying to clean up across multiple regions and multiple ports.

To specify multiple rules in a single command, use the --ip-permissions option: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html

<?php
// Ports whose ingress rules should be removed
$cleanports = [22, 5984];
// Security groups to clean, each with the region it lives in
$sgids = [["sgid" => "sg1", "region" => "us-east-1"], ["sgid" => "sg1", "region" => "us-east-1"]];

foreach ($sgids as $sgidDetail) {
    // Fetch the group's ingress rules as JSON; [0] because the query returns one list per group
    $iprules = json_decode(shell_exec("/usr/bin/aws ec2 describe-security-groups --group-ids " . escapeshellarg($sgidDetail['sgid']) . " --region " . escapeshellarg($sgidDetail['region']) . " --query 'SecurityGroups[*].IpPermissions'"), true)[0];

    foreach ($iprules as $key => $ips) {
        // Only rules whose FromPort and ToPort are both listed in $cleanports are revoked;
        // isset() rather than empty() so that port 0 is not mistaken for "unset"
        if (isset($ips['FromPort'], $ips['ToPort']) && in_array($ips['FromPort'], $cleanports, true) && in_array($ips['ToPort'], $cleanports, true)) {
            echo "\n\n";
            // Pass the rule back unchanged as --ip-permissions; escapeshellarg keeps the JSON intact for the shell
            echo shell_exec("/usr/bin/aws ec2 revoke-security-group-ingress --group-id " . escapeshellarg($sgidDetail['sgid']) . " --region " . escapeshellarg($sgidDetail['region']) . " --ip-permissions " . escapeshellarg(json_encode($ips)));
        }
    }
}

Answer 2 (score: 0)

I think this is what you're looking for: How to Close All Open SSH Ports in AWS Security Groups

Here is the solution for a specific security group id:

#!/bin/bash

sg="sg-xxxxxxxx"   # placeholder: the ID of the security group to clean

# get the cidrs for the ingress rule
rules=$(aws ec2 describe-security-groups --group-ids "$sg" --output text --query 'SecurityGroups[*].IpPermissions')
# rules will contain something like:
# 22 tcp 22
# IPRANGES 108.42.177.53/32
# IPRANGES 10.0.0.0/16
# 80 tcp 80
# IPRANGES 0.0.0.0/0
# luckily, aws returns all ipranges per port grouped together

# flag for if we are reading ipranges
reading=0
# loop returned lines
while read -r line; do
    # split the line up into words
    rulebits=($line)
    # check if we are reading ssh port ipranges
    if [ "$reading" -eq 0 ] ; then
        # we are not reading ipranges
        # check if '22 tcp 22' (quoted so short lines do not break the test)
        if [ "${rulebits[0]}" == "22" ] && [ "${rulebits[1]}" == "tcp" ] && [ "${rulebits[2]}" == "22" ] ; then
            # found it
            reading=1
        fi
    else
        # we are reading ipranges
        # check if first word is 'IPRANGES'
        if [ "${rulebits[0]}" == "IPRANGES" ] ; then
            # found a cidr for open ssh port
            cidr=${rulebits[1]}
            echo -n "found port 22 open cidr $cidr closing..."
            # close it
            result=$(aws ec2 revoke-security-group-ingress --group-id "$sg" --protocol tcp --port 22 --cidr "$cidr" --output text)
            if [ "$result" == "true" ] ; then
                echo " OK"
            else
                echo " ERROR"
            fi
        else
            # new port
            reading=0
        fi
    fi
done <<< "$rules"   # feed the describe output into the loop
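Both the PHP answer and the bash answer above select rules by port before revoking them. As an added example (not code from the question or from any answer), the Python script below does the same selection over a constructed describe-security-groups response, but keeps three cases apart: rules that open exactly the requested port (safe to revoke whole), wider port ranges that happen to include it, and all-traffic ("-1") rules, since revoking either of the last two closes more than the one port. It also builds the revoke-security-group-ingress call as an argv list so the JSON never passes through a shell. The group id sg-PLACEHOLDER, the region and the sample rules are made up; the script only prints the commands (dry run) and does not call AWS.

```python
"""Plan `revoke-security-group-ingress` calls for one port (dry run).

Added example, not from the question or answers. The describe-security-groups
output below is constructed; sg-PLACEHOLDER and the region are placeholders.
"""
import json
import shlex

# Constructed sample: trimmed shape of
#   aws ec2 describe-security-groups --group-ids sg-PLACEHOLDER --output json
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-PLACEHOLDER",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "108.42.177.53/32"}, {"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,  # range covering 22
             "IpRanges": [{"CidrIp": "192.0.2.0/24"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1",  # all traffic: no FromPort/ToPort keys at all
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
    }]
})


def select_rules(permissions, port, protocol="tcp"):
    """Sort ingress rules by how they relate to `port`.

    exact:       FromPort == ToPort == port, safe to revoke as a whole
    ranges:      a wider port range that includes `port`; revoking it closes
                 the other ports too, so it is only reported
    all_traffic: IpProtocol "-1" rules, which carry no port fields
    """
    found = {"exact": [], "ranges": [], "all_traffic": []}
    for rule in permissions:
        if rule.get("IpProtocol") == "-1":
            found["all_traffic"].append(rule)
            continue
        if rule.get("IpProtocol") != protocol:
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # Compare against None, not truthiness: port 0 is a real value
        # (PHP's empty() and a bare `if lo:` would both drop it).
        if lo is None or hi is None:
            continue
        if lo == hi == port:
            found["exact"].append(rule)
        elif lo <= port <= hi:
            found["ranges"].append(rule)
    return found


def build_revoke_argv(group_id, region, rule):
    """argv for revoking one whole rule via --ip-permissions.

    The rule is passed back exactly as describe-security-groups returned it,
    as one argv element: no shell is involved, so quotes in a Description
    field cannot break or alter the command line.
    """
    return ["aws", "ec2", "revoke-security-group-ingress",
            "--group-id", group_id, "--region", region,
            "--ip-permissions", json.dumps([rule])]


def plan_revocations(describe_json, port, group_id, region):
    """Return the commands to run and the rules a human should look at."""
    groups = json.loads(describe_json)["SecurityGroups"]
    permissions = groups[0]["IpPermissions"] if groups else []
    found = select_rules(permissions, port)
    return {
        "commands": [build_revoke_argv(group_id, region, r) for r in found["exact"]],
        "needs_review": found["ranges"] + found["all_traffic"],
    }


if __name__ == "__main__":
    plan = plan_revocations(SAMPLE_DESCRIBE_OUTPUT, 22, "sg-PLACEHOLDER", "us-east-1")
    for argv in plan["commands"]:
        # Dry run: print the command. To apply it, call
        # subprocess.run(argv, check=True) instead of building a shell string.
        print(" ".join(shlex.quote(a) for a in argv))
    for rule in plan["needs_review"]:
        print("review manually:", rule["IpProtocol"],
              rule.get("FromPort"), rule.get("ToPort"),
              [r["CidrIp"] for r in rule.get("IpRanges", [])])
```

Run it as-is to see the planned command for the sample data; with a real group, replace SAMPLE_DESCRIBE_OUTPUT by the output of describe-security-groups for that group and hand the argv lists to subprocess.run. The same selection applies to the text-output parser in the bash answer: a "20 tcp 25" line would never match its "22 tcp 22" test, so ranges that include the port are silently skipped there, whereas this script reports them.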