使用 aws cli 从 AWS 中的安全组更新现有 IP
[英]Updating Existing IPs from a Security Group in AWS using aws cli
问题描述
I have a shell script which adds my public ip to the specified ec2-security-group.
我有一个 shell 脚本,它将我的公共 ip 添加到指定的 ec2-security-group。 I've gone through some AWS docs and can't find which Apis to use to update existing IP address instead of simply adding one.我浏览了一些 AWS 文档,但找不到要使用哪个 Apis 来更新现有的 IP 地址,而不是简单地添加一个。
I've gone through the following:我经历了以下内容:
- update-security-group-rule-descriptions-ingress 更新安全组规则描述入口
- authorize-security-group-ingress 授权安全组入口
Is there an api which can be used to simply update the existing IP address in the security group?是否有一个api可以用来简单更新安全组中现有的IP地址?
I'm using the following bash script to add new entries to the security group.我正在使用以下 bash 脚本向安全组添加新条目。
#!/bin/bash
curl https://checkip.amazonaws.com > ip.txt
awk '{ print $0 "/32" }' < ip.txt > ipnew.txt
export stuff=$(cat ipnew.txt)
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr $stuff --profile xxxxx
5 个解决方案
解决方案1
3 2022-11-23 15:13:25
The command you're looking for is modify-security-group-rules : https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html您要查找的命令是modify-security-group-rules : https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html
Here is a script that uses it.这是一个使用它的脚本。
# update a security group rule allowing
# your current IPv4 I.P. to connect on port 22 (SSH)
CURRENT_DATE=$(date +'%Y-%m-%d')
# variables to identify sec group and sec group rule
SEC_GROUP_ID='sg-xxXXxx'
SEC_GROUP_RULE_ID='sgr-xxXXxxXXxxXX'
# description updated
SEC_GROUP_RULE_DESCRIPTION="dynamic ip updated - ${CURRENT_DATE}"
# gets I.P. and adds /32 for ipv4 cidr
CURRENT_IP=$(curl --silent https://checkip.amazonaws.com)
NEW_IPV4_CIDR="${CURRENT_IP}"/32
# updates the I.P. in the rule
aws ec2 modify-security-group-rules --group-id ${SEC_GROUP_ID} --security-group-rules SecurityGroupRuleId=${SEC_GROUP_RULE_ID},SecurityGroupRule="{CidrIpv4=${NEW_IPV4_CIDR}, IpProtocol=tcp,FromPort=22,ToPort=22,Description=${SEC_GROUP_RULE_DESCRIPTION}}"
# shows the rule updated
aws ec2 describe-security-group-rules --filter Name="security-group-rule-id",Values="${SEC_GROUP_RULE_ID}"
解决方案2
2 2020-06-27 02:15:22
There is no command to 'update' a rule.没有“更新”规则的命令。 You will need to add and remove rules.您将需要添加和删除规则。
Here's a similar script I use:这是我使用的类似脚本:
IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr $IP/32 --output text
However, this eventually adds too many rules, so I then need to delete the existing rules.但是,这最终会添加太多规则,因此我需要删除现有规则。 You could automate that deletion before adding a rule.您可以在添加规则之前自动删除。
解决方案3
2 2021-02-08 20:40:43
This script will find any security groups tagged with the key ssh-from-my-ip and a case insensitive value of true or yes .此脚本将查找任何标记有密钥ssh-from-my-ip和不区分大小写的值true或yes的安全组。 It will then revoke the old ingress access from port 22 (if any) and authorize your new IP CIDR.然后,它将撤销端口 22(如果有)的旧入口访问权限,并授权您的新 IP CIDR。 It requires aws cli and jq.它需要 aws cli 和 jq。
#! /bin/bash
# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq
# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"
# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')
for p in $pairs
do
SG=$(echo "$p" | jq -r '.sg')
OLD_CIDR=$(echo "$p" | jq -r '.cidr')
echo "Updating security group ${SG}"
if [[ $OLD_CIDR != 'null' ]]
then
echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
# remove the existing ingress permission
aws ec2 revoke-security-group-ingress \
--group-id "${SG}" \
--protocol tcp \
--port 22 \
--cidr "${OLD_CIDR}"
fi
# authorize my new IP CIDR
NEW_CIDR="${MY_IP}"/32
echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
解决方案4
0 已采纳 2020-06-28 10:45:14
I've been able to hack my way to make this work.我已经能够破解我的方式来完成这项工作。 As John Suggested, I've created another security group, added the ports which requires access and update it via the shell script.正如约翰建议的那样,我创建了另一个安全组,添加了需要访问的端口,并通过 shell 脚本对其进行更新。 The updation works as removing all the rules mentioned in the security group and adding them again with the IP required更新的工作原理是删除安全组中提到的所有规则并再次添加它们,需要 IP
解决方案5
0 2022-03-04 02:59:42
export my_ip=$(curl https://checkip.amazonaws.com )导出 my_ip=$(curl https://checkip.amazonaws.com )
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr $my_ip/32 aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr $my_ip/32
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.