如何添加引用另一个安全组的 cloudformation 安全组入口规则?
How do I add a cloudformation security group ingress rule that refers to another security group?
我在 yaml 模板中有以下安全组。我想让 "SecurityGroupApplication" 安全组允许来自 "SecurityGroupBastion" 的传入连接。但是,aws 客户端的验证模板功能告诉我无用的信息,例如 "unsupported structure"。好的,但是结构有什么问题?想法?
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: !Ref vpcId
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
如果您希望 SecurityGroupApplication 成为一个安全组,那么您应该使用 Type: AWS::EC2::SecurityGroup 而不是 Type: AWS::EC2::SecurityGroupIngress。这可能是您看到的 "unsupported structure" 错误的原因。
你的模板非常适合我,除了我必须为应用程序安全组指定端口:
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: vpc-abcd1234
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
FromPort: 22
ToPort: 22
只是如果有人陷入这个老问题,现在,有一种方法可以在 cloudformation 中引用跨账户 SG,所以如果你想添加一个指向另一个 AWS 账户的 SG 入口规则,只需添加密钥 SourceSecurityGroupOwnerId 和 account ID.
即
AWSTemplateFormatVersion: 2010-09-09
Resources:
TargetSG:
Type: 'AWS::EC2::SecurityGroup'
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Security group allowing ingress for security scanners
InboundRule:
Type: 'AWS::EC2::SecurityGroupIngress'
Properties:
GroupId: !GetAtt TargetSG.GroupId
IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: sg-12345678 # SG in the other AWS account
SourceSecurityGroupOwnerId: '123456789012' # Account ID
我在 yaml 模板中有以下安全组。我想让 "SecurityGroupApplication" 安全组允许来自 "SecurityGroupBastion" 的传入连接。但是,aws 客户端的验证模板功能告诉我无用的信息,例如 "unsupported structure"。好的,但是结构有什么问题?想法?
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: !Ref vpcId
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
如果您希望 SecurityGroupApplication 成为一个安全组,那么您应该使用 Type: AWS::EC2::SecurityGroup 而不是 Type: AWS::EC2::SecurityGroupIngress。这可能是您看到的 "unsupported structure" 错误的原因。
你的模板非常适合我,除了我必须为应用程序安全组指定端口:
Resources:
SecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Bastion security group
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: tcp
FromPort: 22
ToPort: 22
VpcId: vpc-abcd1234
SecurityGroupApplication:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Application security group
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref SecurityGroupBastion
IpProtocol: tcp
FromPort: 22
ToPort: 22
只是如果有人陷入这个老问题,现在,有一种方法可以在 cloudformation 中引用跨账户 SG,所以如果你想添加一个指向另一个 AWS 账户的 SG 入口规则,只需添加密钥 SourceSecurityGroupOwnerId 和 account ID.
即
AWSTemplateFormatVersion: 2010-09-09
Resources:
TargetSG:
Type: 'AWS::EC2::SecurityGroup'
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Security group allowing ingress for security scanners
InboundRule:
Type: 'AWS::EC2::SecurityGroupIngress'
Properties:
GroupId: !GetAtt TargetSG.GroupId
IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: sg-12345678 # SG in the other AWS account
SourceSecurityGroupOwnerId: '123456789012' # Account ID