How to temporarily open and close a port to a certain IP on an AWS security group?
I want to use the aws cli tool to temporarily open a port to a certain IP address before a backup process starts, and close it again when it finishes.
I know how to do this through the console, but I can't find out how to do it programmatically.
Does anyone know which commands I can run to do this?
I want to write a shell script that does this and launch it before the backup, so I found a CircleCI Orb that does exactly that. But when I try to launch it as a shell script I get an error. I'm not very good with shell commands, so maybe someone can tell me what I can fix below?
The AWS permissions are set up correctly, so I think I just need to make some adjustments to the script below.
# Get the current IP of the AWS instance the script is launched from
LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)
IP="${IP-$LATEST_IP}"
if [[ "${IP}" == "" ]]; then
echo "Could not find your public IP"
exit 1
fi
# Get the security group ID
GROUPID=$(aws ec2 describe-security-groups --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' --output table | grep << parameters.tag-value >> | awk '{print }')
[[ -n "${GROUPID}" ]] || (echo "Could not determine Security Group ID" && exit 0);
# Adding Rule SSH to Your Security Group
echo Allowing << parameters.description >> to access port $PORT from IP $IP to the security group $GROUPID
aws ec2 authorize-security-group-ingress --group-id $GROUPID --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp": "'$LATEST_IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]'
# Closing the port
echo "Removing << parameters.description >> access from IP $IP to the security group $GROUPID"
# Delete IP rules matching port
aws ec2 revoke-security-group-ingress --group-id $GROUPID --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp":"'$LATEST_IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]'
I modified the script so that it works. But I don't think it is of much use in its current form. It just adds the rule to the SG and then immediately removes it.
I replaced GROUPID=$(aws ec2 des ... with just the value of the SG ID to use.
#!/bin/bash
set -ex
# Get the current public IP of the host the script runs from;
# set IP in the environment to override it.
LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)
IP="${IP-$LATEST_IP}"
if [[ "${IP}" == "" ]]; then
echo "Could not find your public IP"
exit 1
fi
echo "${IP}"
# Security group to modify
GROUPID="sg-0483809ca6b8e91d0" # change to your own SG
PORT_FROM=80
PORT_TO=80
MASK_IP="32"
DESCRIPTION="Some-description"
AWS_PROFILE="default" # AWS credentials profile to use
# Add the ingress rule to the security group
echo "Allowing ${DESCRIPTION} to access port ${PORT_FROM}-${PORT_TO} from IP ${IP} on security group ${GROUPID}"
aws ec2 authorize-security-group-ingress \
  --group-id "${GROUPID}" \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '"${PORT_FROM}"', "ToPort": '"${PORT_TO}"', "IpRanges": [{"CidrIp": "'"${IP}/${MASK_IP}"'", "Description": "'"${DESCRIPTION}"'"}]}]' \
  --profile "${AWS_PROFILE}"
# Closing the port
echo "Removing ${DESCRIPTION} access from IP ${IP} on security group ${GROUPID}"
# Delete the rule; the permissions JSON must match the one used above exactly
aws ec2 revoke-security-group-ingress \
  --group-id "${GROUPID}" \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '"${PORT_FROM}"', "ToPort": '"${PORT_TO}"', "IpRanges": [{"CidrIp": "'"${IP}/${MASK_IP}"'", "Description": "'"${DESCRIPTION}"'"}]}]' \
  --profile "${AWS_PROFILE}"
Sample output:
++ wget -qO- http://checkip.amazonaws.com
+ LATEST_IP=<real-ip-value>
+ IP=<real-ip-value>
+ [[ <real-ip-value> == '' ]]
+ echo <real-ip-value>
<real-ip-value>
+ GROUPID=sg-0483809ca6b8e91d0
+ PORT_FROM=80
+ PORT_TO=80
+ MASK_IP=32
+ DESCRIPTION=Some-description
+ AWS_PROFILE=la
+ echo Allowing sg-0483809ca6b8e91d0 to access port from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
Allowing sg-0483809ca6b8e91d0 to access port from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
+ aws ec2 authorize-security-group-ingress --group-id sg-0483809ca6b8e91d0 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "<real-ip-value>/32", "Description": "Some-description"}]}]' --profile la
+ echo 'Removing Some-description access from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0'
Removing Some-description access from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
+ aws ec2 revoke-security-group-ingress --group-id sg-0483809ca6b8e91d0 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp":"<real-ip-value>/32", "Description": "Some-description"}]}]' --profile la
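The answer's script adds the rule and revokes it straight away. The script below is an added example, not code from the question, the answer or the CircleCI orb: it puts the backup command between the two calls and revokes the rule afterwards whether the backup succeeds, fails or is interrupted, and it validates the address returned by the IP lookup before that address is written into a CIDR. It assumes aws CLI v2 on PATH (or AWS_CMD pointing at a stub for dry runs) and credentials allowed to call ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress on the group. SG_ID, PORT, DESCRIPTION, SOURCE_IP, AWS_CMD and the function names are names chosen for this example, and it fetches the public IP with curl rather than the answer's wget.

```bash
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Opens one TCP port for one source IP on a security group, runs the backup
# command, and revokes the rule afterwards even if the backup fails or the
# script is interrupted. SG_ID, PORT, DESCRIPTION, SOURCE_IP and AWS_CMD are
# environment variables invented for this example.
set -eu

AWS_CMD="${AWS_CMD:-aws}"          # point at a shell function to dry-run
aws_ec2() { "$AWS_CMD" ec2 "$@"; }

# Reject anything that is not a dotted-quad IPv4 address, so an HTML error page
# or an empty reply from the IP lookup never becomes a CIDR in the rule.
is_ipv4() {
  local ip="$1" octet old_ifs
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Build the --ip-permissions JSON once and reuse the identical string for the
# revoke call: RevokeSecurityGroupIngress only removes a rule whose protocol,
# port range and CIDR match exactly. The description must not contain quotes.
ip_permissions() {
  local port="$1" cidr="$2" description="$3"
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s","Description":"%s"}]}]' \
    "$port" "$port" "$cidr" "$description"
}

open_port()  { aws_ec2 authorize-security-group-ingress --group-id "$1" --ip-permissions "$2"; }
close_port() { aws_ec2 revoke-security-group-ingress    --group-id "$1" --ip-permissions "$2"; }

# with_port_open GROUP PORT IP DESCRIPTION COMMAND [ARGS...]
# Returns the command's exit status; a failed revoke turns a success into 1,
# a rejected IP returns 2 without touching the group.
with_port_open() {
  local group_id="$1" port="$2" ip="$3" description="$4" rc=0
  shift 4
  is_ipv4 "$ip" || { echo "refusing to use '$ip' as a source address" >&2; return 2; }
  _OPEN_GROUP="$group_id"
  _OPEN_PERMS=$(ip_permissions "$port" "${ip}/32" "$description")
  open_port "$_OPEN_GROUP" "$_OPEN_PERMS"
  # Revoke before dying if the backup is interrupted. SIGKILL cannot be caught;
  # a rule that survives a hard kill has to be removed by hand.
  trap 'close_port "$_OPEN_GROUP" "$_OPEN_PERMS"; exit 130' INT TERM HUP
  "$@" || rc=$?
  trap - INT TERM HUP
  if ! close_port "$_OPEN_GROUP" "$_OPEN_PERMS"; then
    echo "WARNING: could not revoke the rule on $_OPEN_GROUP; remove it by hand" >&2
    [ "$rc" -ne 0 ] || rc=1
  fi
  return "$rc"
}

# Public IP of this host, unless SOURCE_IP is given explicitly.
source_ip() {
  if [ -n "${SOURCE_IP:-}" ]; then
    printf '%s\n' "$SOURCE_IP"
  else
    curl -fsS https://checkip.amazonaws.com
  fi
}

# Usage: SG_ID=sg-0123456789abcdef0 PORT=22 DESCRIPTION=nightly-backup ./open-port-for-backup.sh ./backup.sh
if [ -n "${SG_ID:-}" ]; then
  with_port_open "$SG_ID" "${PORT:-22}" "$(source_ip)" "${DESCRIPTION:-temporary-backup-access}" "$@"
fi
```

The same permissions string is passed to both calls on purpose: revoke removes only a rule whose protocol, ports and CIDR are identical, so recomputing the IP or editing the description between the two calls would leave the rule in place. A hard kill still bypasses the trap, so a scheduled job that removes stale rules carrying this description is a sensible second safety net.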