使用 aws cli 从 AWS 中的安全组更新现有 IP
Updating Existing IPs from a Security Group in AWS using aws cli
我有一个 shell 脚本,它将我的 public ip 添加到指定的 ec2-security-group。我浏览了一些 AWS 文档,但找不到要使用哪个 API 来更新现有 IP 地址,而不是简单地添加一个。
我完成了以下操作:
有没有api可以用来简单更新安全组中现有IP地址的?
我正在使用以下 bash 脚本向安全组添加新条目。
#!/bin/bash
curl https://checkip.amazonaws.com > ip.txt
awk '{ print [=10=] "/32" }' < ip.txt > ipnew.txt
export stuff=$(cat ipnew.txt)
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr $stuff --profile xxxxx
没有'update'规则的命令。您将需要添加和删除规则。
这是我使用的类似脚本:
IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr $IP/32 --output text
然而,这最终添加了太多的规则,所以我需要删除现有的规则。您可以在添加规则之前自动执行删除操作。
我已经能够破解我的方式来完成这项工作。正如 John 建议的那样,我创建了另一个安全组,添加了需要访问的端口并通过 shell 脚本更新它。更新的工作原理是删除安全组中提到的所有规则,然后使用所需的 IP 再次添加它们
源代码已发布在Github
此脚本将找到任何标记有键 ssh-from-my-ip 和不区分大小写的值 true 或 yes 的安全组。然后它将撤销来自端口 22(如果有)的旧入口访问并授权您的新 IP CIDR。它需要 aws cli 和 jq。
#! /bin/bash
# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq
# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"
# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')
for p in $pairs
do
SG=$(echo "$p" | jq -r '.sg')
OLD_CIDR=$(echo "$p" | jq -r '.cidr')
echo "Updating security group ${SG}"
if [[ $OLD_CIDR != 'null' ]]
then
echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
# remove the existing ingress permission
aws ec2 revoke-security-group-ingress \
--group-id "${SG}" \
--protocol tcp \
--port 22 \
--cidr "${OLD_CIDR}"
fi
# authorize my new IP CIDR
NEW_CIDR="${MY_IP}"/32
echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
导出 my_ip=$(curl https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr $my_ip/32
我有一个 shell 脚本,它将我的 public ip 添加到指定的 ec2-security-group。我浏览了一些 AWS 文档,但找不到要使用哪个 API 来更新现有 IP 地址,而不是简单地添加一个。
我完成了以下操作:
有没有api可以用来简单更新安全组中现有IP地址的?
我正在使用以下 bash 脚本向安全组添加新条目。
#!/bin/bash
curl https://checkip.amazonaws.com > ip.txt
awk '{ print [=10=] "/32" }' < ip.txt > ipnew.txt
export stuff=$(cat ipnew.txt)
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr $stuff --profile xxxxx
没有'update'规则的命令。您将需要添加和删除规则。
这是我使用的类似脚本:
IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr $IP/32 --output text
然而,这最终添加了太多的规则,所以我需要删除现有的规则。您可以在添加规则之前自动执行删除操作。
我已经能够破解我的方式来完成这项工作。正如 John 建议的那样,我创建了另一个安全组,添加了需要访问的端口并通过 shell 脚本更新它。更新的工作原理是删除安全组中提到的所有规则,然后使用所需的 IP 再次添加它们
源代码已发布在Github
此脚本将找到任何标记有键 ssh-from-my-ip 和不区分大小写的值 true 或 yes 的安全组。然后它将撤销来自端口 22(如果有)的旧入口访问并授权您的新 IP CIDR。它需要 aws cli 和 jq。
#! /bin/bash
# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq
# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"
# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')
for p in $pairs
do
SG=$(echo "$p" | jq -r '.sg')
OLD_CIDR=$(echo "$p" | jq -r '.cidr')
echo "Updating security group ${SG}"
if [[ $OLD_CIDR != 'null' ]]
then
echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
# remove the existing ingress permission
aws ec2 revoke-security-group-ingress \
--group-id "${SG}" \
--protocol tcp \
--port 22 \
--cidr "${OLD_CIDR}"
fi
# authorize my new IP CIDR
NEW_CIDR="${MY_IP}"/32
echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
导出 my_ip=$(curl https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr $my_ip/32