Question

是否存在aws-cli，以便列出API网关中与安全组类似的所有打开的端口，如此处https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html所述：

aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22 Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName}"

API网关中的策略的定义如下How to allow only an IP/range access to AWS API Gateway resources：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account_idA>:user/<user>",
                    "arn:aws:iam::<account_idA>:root"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:<account_idB>:qxz8y9c8a4/*/*/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:<account_idB>:qxz8y9c8a4/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "0.0.0.0/0"
                }
            }
        }
    ]
}

一种解决方案可能是对查询使用list-policies-for-target，但如何找到网关等？

Answer 1

我认为这可以做到

airflow next_execution [-h] [-sd SUBDIR] dag_id

您可以进一步修改grep命令以返回接受或拒绝的值。

如何列出所有允许IP范围到任何地方的网关？

1 个答案: