使用没有默认 vpc 的 Lambda 将自定义 cidr 添加到入口安全组

Adding custom cidr to ingress security group using Lambda without default vpc

首先,我一直在搜索 stackflow 和互联网,但我没有找到问题的确切位置。

基本上我正在尝试通过 lambda 函数将自定义 cidr ips 添加到安全组。我已经授予了所有适当的权限(据我所知)[REMOVED]and also tried attaching the vpc (which is non-default) to the lambda function to access the security group[REMOVED].

但我得到 "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user"

政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "wafv2:GetIPSet",
                "logs:CreateLogGroup",
                "wafv2:UpdateIPSet"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:xxxx:log-group:xxx:log-stream:*",
                "arn:aws:wafv2:us-west-2:xxx:*/ipset/*/*"
            ]
        }
    ]
}

Lambda 函数:

#!/usr/bin/python3.9
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
    GroupId='sg-xxxxxxx'
    IpPermissions=[
        { 
            'FromPort': 443,
            'IpProtocol': 'tcp',
            'IpRanges': [
                {
                    'CidrIp': '1x.1x.x.1x/32',
                    'Description': 'adding test cidr using lambda'
                },
            ],
            'ToPort': 443
        }
        ],
        DryRun=True
    )
    return response

有人能给我指出正确的方向吗? VPC 是非默认的。我只需要在非默认 vpc

中向现有安全组添加入口规则

谢谢

找到解决方案:最初是语法错误,但在谷歌搜索后我认为它需要 vpc,所以我将 VPC 添加到 Lambda 配置中,这不是这个目的所必需的。 对于有同样问题的任何人(只想用 cidr 更新安全组):下面是正确的功能和权限(功能不完整,取决于您可能也想删除旧规则的解决方案):

Lambda 函数:

#!/usr/bin/python3.9
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
        DryRun=False,
        GroupId='sg-0123456789',
        IpPermissions=[
            { 
                'FromPort': 443,
                'IpProtocol': 'tcp',
                'IpRanges': [
                    {
                        'CidrIp': '1x.2x.3x.4x/32',
                        'Description': 'Security group updated via lambda'
                    }
                ],
                'ToPort': 443
            }
        ]
    )
    return response

关于 lambda 执行角色的 IAM 策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": "arn or all"
        }
    ]
}