Adding a custom CIDR to an ingress security group using Lambda without a default VPC
First of all, I have been searching Stack Overflow and the internet, but I could not find exactly where the problem is.
Basically I am trying to add custom CIDR IPs to a security group via a Lambda function. I have granted all the appropriate permissions (as far as I know) and also tried attaching the VPC (which is non-default) to the Lambda function to access the security group.
But I get "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user"
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "wafv2:GetIPSet",
                "logs:CreateLogGroup",
                "wafv2:UpdateIPSet"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:xxxx:log-group:xxx:log-stream:*",
                "arn:aws:wafv2:us-west-2:xxx:*/ipset/*/*"
            ]
        }
    ]
}
Lambda function:
#!/usr/bin/python3.9
import boto3

ec2 = boto3.client('ec2')


def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
        GroupId='sg-xxxxxxx'  # no comma here: this is the syntax error referred to in the answer below
        IpPermissions=[
            {
                'FromPort': 443,
                'IpProtocol': 'tcp',
                'IpRanges': [
                    {
                        'CidrIp': '1x.1x.x.1x/32',
                        'Description': 'adding test cidr using lambda'
                    },
                ],
                'ToPort': 443
            }
        ],
        DryRun=True  # only checks permissions, does not apply the rule
    )
    return response
Can someone point me in the right direction? The VPC is non-default. I only need to add an ingress rule to an existing security group in the non-default VPC.
Thanks
Found the solution: initially it was a syntax error, but after googling I thought it required a VPC, so I added the VPC to the Lambda configuration, which is not required for this purpose.
For anyone with the same problem (who just wants to update a security group with a CIDR): below are the correct function and permissions (the function is incomplete; depending on your solution you may also want to remove the old rules):
Lambda function:
#!/usr/bin/python3.9
import boto3

ec2 = boto3.client('ec2')


def lambda_handler(event, context):
    # GroupId identifies the group inside its own (non-default) VPC,
    # so the function itself needs no VPC configuration.
    response = ec2.authorize_security_group_ingress(
        DryRun=False,  # actually apply the change
        GroupId='sg-0123456789',
        IpPermissions=[
            {
                'FromPort': 443,
                'IpProtocol': 'tcp',
                'IpRanges': [
                    {
                        'CidrIp': '1x.2x.3x.4x/32',
                        'Description': 'Security group updated via lambda'
                    }
                ],
                'ToPort': 443
            }
        ]
    )
    return response
IAM policy on the Lambda execution role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": "arn or all"
        }
    ]
}
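The answer leaves the "remove old rules" part open. The following is an added example, not the asker's or answerer's code: it reconciles the group's 443/tcp CIDR list against a desired set by GroupId, adding only what is missing (so re-runs do not fail with InvalidPermission.Duplicate) and revoking what is stale. It assumes boto3 is present in the Lambda runtime, takes the EC2 client as a parameter so the logic can be exercised offline with the constructed FakeEc2 below, and, because it describes and revokes, the execution role additionally needs ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress beyond the answer's policy.

```python
from typing import Iterable

PORT, PROTO = 443, "tcp"

def current_cidrs(ec2, group_id: str) -> set:
    """CIDRs already allowed for PORT/PROTO on the group (needs ec2:DescribeSecurityGroups)."""
    resp = ec2.describe_security_groups(GroupIds=[group_id])
    found = set()
    for perm in resp["SecurityGroups"][0].get("IpPermissions", []):
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) == (PROTO, PORT, PORT):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found

def permission(cidrs: Iterable[str], desc: str) -> list:
    """Build the IpPermissions payload the EC2 API expects, one IpRanges entry per CIDR."""
    return [{"IpProtocol": PROTO, "FromPort": PORT, "ToPort": PORT,
             "IpRanges": [{"CidrIp": c, "Description": desc} for c in sorted(cidrs)]}]

def reconcile(ec2, group_id: str, desired: set, desc: str = "managed by lambda") -> dict:
    """Authorize missing CIDRs and revoke stale ones. GroupId (not GroupName) pins the
    group to its own VPC, so the Lambda itself needs no VPC configuration."""
    have = current_cidrs(ec2, group_id)
    to_add, to_drop = desired - have, have - desired
    if to_add:  # skipping the call on re-runs avoids InvalidPermission.Duplicate
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=permission(to_add, desc))
    if to_drop:  # needs ec2:RevokeSecurityGroupIngress in the execution role
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=permission(to_drop, desc))
    return {"added": sorted(to_add), "revoked": sorted(to_drop)}

def lambda_handler(event, context):
    import boto3  # imported here so the reconciliation logic can be tested without boto3 installed
    # event is assumed to carry {"group_id": "sg-...", "cidrs": ["a.b.c.d/32", ...]} (hypothetical shape)
    return reconcile(boto3.client("ec2"), event["group_id"], set(event["cidrs"]))

class FakeEc2:
    """Constructed stand-in for the EC2 client so the example runs offline."""
    def __init__(self, cidrs):
        self.cidrs = set(cidrs)
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": [
            {"IpProtocol": PROTO, "FromPort": PORT, "ToPort": PORT,
             "IpRanges": [{"CidrIp": c} for c in self.cidrs]}]}]}
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.cidrs.update(r["CidrIp"] for r in IpPermissions[0]["IpRanges"])
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.cidrs.difference_update(r["CidrIp"] for r in IpPermissions[0]["IpRanges"])
```

Pair the role with a Resource scoped to the one security-group ARN rather than "*", so a compromised function can only touch that group.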