使用aws cli从AWS中的安全组更新现有IP

时间:2020-06-26 10:06:18

标签: shell aws-cli aws-security-group

我有一个shell脚本,它将我的公共IP添加到指定的ec2-security-group。我浏览了一些AWS文档,找不到用于更新现有IP地址的Apis,而不是简单地添加一个。

我已经完成以下操作:

  1. update-security-group-rule-descriptions-ingress
  2. authorize-security-group-ingress

是否有一个可以简单地更新安全组中现有IP地址的api?

我正在使用以下bash脚本将新条目添加到安全组。

#!/bin/bash
curl v4.ifconfig.co > ip.txt
awk '{ print $0 "/32" }' < ip.txt > ipnew.txt
export stuff=$(cat ipnew.txt)
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr $stuff --profile xxxxx

3 个答案:

答案 0 :(得分:2)

此脚本将查找任何标有密钥 ssh-from-my-ip 和不区分大小写的值 trueyes 的安全组。然后它会撤销来自端口 22(如果有)的旧入口访问权限并授权您的新 IP CIDR。它需要 aws cli 和 jq。

#! /bin/bash

# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq


# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"

# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')

for p in $pairs
do
  SG=$(echo "$p" | jq -r '.sg')
  OLD_CIDR=$(echo "$p" | jq -r '.cidr')

  echo "Updating security group ${SG}"
  if [[ $OLD_CIDR != 'null' ]]
  then
    echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
    # remove the existing ingress permission
    aws ec2 revoke-security-group-ingress \
        --group-id "${SG}" \
        --protocol tcp \
        --port 22 \
        --cidr "${OLD_CIDR}"
  fi

  # authorize my new IP CIDR
  NEW_CIDR="${MY_IP}"/32
  echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
  aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done

答案 1 :(得分:1)

没有命令来“更新”规则。您将需要添加和删除规则。

这是我使用的类似脚本:

IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr $IP/32 --output text

但是,这最终会添加太多规则,因此我需要删除现有规则。您可以在添加规则之前自动执行删除操作。

答案 2 :(得分:0)

我已经能够破解我的作品。正如约翰建议的那样,我创建了另一个安全组,添加了需要访问的端口,并通过shell脚本对其进行了更新。更新的过程是删除安全组中提到的所有规则,然后使用所需的IP重新添加它们。

源代码已发布在Github

相关问题
最新问题