
How to identify which IP-ranges are allowed to access an RDS instance

We have an RDS instance in one of our VPCs. We have 3 private and 3 public subnets within this VPC and the DB instance is attached to all 3 private subnets. We also have 2 separate VPCs, where one is connected to the first one via site-to-site VPN and the other via a peering connection.

How can I identify the IPs which are allowed to access the RDS instance?

I have to get this information using Python boto3. Any idea?

Getting the exact IP-ranges is a bit tricky, but essentially this is determined by the security groups that are assigned to the DB instance.

Here is a script that lists the inbound rules of all security groups of the DB instance "test-db":

import boto3

def main():
    
    db_instance_identifier = "test-db"

    rds_client = boto3.client("rds")

    db_instances = rds_client.describe_db_instances(
        DBInstanceIdentifier=db_instance_identifier
    )

    # We expect only one result
    db_instance = db_instances["DBInstances"][0]

    # Get a list of the VPC Security Groups
    db_security_group_ids = [
        item["VpcSecurityGroupId"] for item in db_instance["VpcSecurityGroups"]
    ]

    ec2_client = boto3.client("ec2")

    security_groups = ec2_client.describe_security_groups(
        GroupIds=db_security_group_ids
    )

    for security_group in security_groups["SecurityGroups"]:
        for ingress_rule in security_group["IpPermissions"]:
            print(ingress_rule)

if __name__ == "__main__":
    main()

Output

{'FromPort': 22, 'IpProtocol': 'tcp', 'IpRanges': [{'CidrIp': '0.0.0.0/0', 'Description': 'SSH'}], 'Ipv6Ranges': [{'CidrIpv6': '::/0', 'Description': 'SSH'}], 'PrefixListIds': [], 'ToPort': 22, 'UserIdGroupPairs': []}
{'IpProtocol': '-1', 'IpRanges': [], 'Ipv6Ranges': [], 'PrefixListIds': [], 'UserIdGroupPairs': [{'GroupId': 'sg-04dfdddc2792af7e2', 'UserId': '12312313123'}]}
{'FromPort': 80, 'IpProtocol': 'tcp', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': [{'CidrIpv6': '::/0'}], 'PrefixListIds': [], 'ToPort': 80, 'UserIdGroupPairs': []}
{'FromPort': 5432, 'IpProtocol': 'tcp', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': [{'CidrIpv6': '::/0'}], 'PrefixListIds': [], 'ToPort': 5432, 'UserIdGroupPairs': []}

Instead of printing the rules, you can do any processing with them that you like. Of course translating security group ids to IP-ranges is a whole different problem, but given your question I assume your security groups only contain IP ranges.
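The following is an added example that builds on the answer above; it is not the answerer's code and not part of the original post. It takes the three response shapes the answer works with (describe_db_instances, describe_security_groups and describe_network_interfaces), keeps only the rules that actually cover the database port (the SSH and HTTP rules in the output above are irrelevant to the DB listener, an "all traffic" rule is not), merges overlapping CIDRs, and goes one step beyond the answer by resolving referenced security groups to the private IPs of the ENIs that currently carry them. The sample data, the identifiers in it (sg-db, sg-app, sg-peer, eni-a/b/c, the prefix list and account IDs) and the helper names allowed_sources, rule_covers_port and fetch_inputs are all constructed for this example; fetch_inputs is the live variant and needs boto3 plus credentials, while the rest runs offline.

```python
import ipaddress

# Constructed sample data, shaped like the boto3 responses from
# describe_db_instances(), describe_security_groups() and
# describe_network_interfaces(). Every identifier here is made up.
SAMPLE_DB_INSTANCE = {
    "DBInstanceIdentifier": "test-db",
    "Endpoint": {"Address": "test-db.example.invalid", "Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db", "Status": "active"}],
}
SAMPLE_SECURITY_GROUPS = [{
    "GroupId": "sg-db",
    "IpPermissions": [
        # SSH from anywhere: noisy, but it does not grant access to the DB port
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        # Postgres from the VPC, the on-prem range behind the VPN, a prefix list
        # and two referenced security groups (one in this VPC, one in a peer)
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "VPC"},
                      {"CidrIp": "10.0.1.0/24"},
                      {"CidrIp": "192.168.0.0/16", "Description": "on-prem via VPN"}],
         "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-0123456789abcdef0"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app", "UserId": "123456789012"},
                              {"GroupId": "sg-peer", "UserId": "210987654321"}]},
        # "All traffic" from the peered VPC: covers every port, including 5432
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "172.16.0.0/12", "Description": "peered VPC"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}]
SAMPLE_NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-a", "Groups": [{"GroupId": "sg-app"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25"}]},
    {"NetworkInterfaceId": "eni-b", "Groups": [{"GroupId": "sg-app"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.40"},
                            {"PrivateIpAddress": "10.0.2.41"}]},
    {"NetworkInterfaceId": "eni-c", "Groups": [{"GroupId": "sg-other"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.3.9"}]},
]


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # UDP/ICMP rules never reach the DB listener
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allowed_sources(db_instance, security_groups, network_interfaces):
    """Reduce the DB instance's security groups to the sources that can reach its port."""
    port = db_instance["Endpoint"]["Port"]
    db_sg_ids = {g["VpcSecurityGroupId"] for g in db_instance["VpcSecurityGroups"]}
    v4, v6, prefix_lists, group_ids = [], [], set(), set()
    for sg in security_groups:
        if sg["GroupId"] not in db_sg_ids:
            continue
        for rule in sg["IpPermissions"]:
            if not rule_covers_port(rule, port):
                continue
            v4 += [ipaddress.ip_network(r["CidrIp"], strict=False) for r in rule.get("IpRanges", [])]
            v6 += [ipaddress.ip_network(r["CidrIpv6"], strict=False) for r in rule.get("Ipv6Ranges", [])]
            prefix_lists |= {p["PrefixListId"] for p in rule.get("PrefixListIds", [])}
            group_ids |= {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    # A referenced security group means "whatever ENIs carry that group right now", so
    # resolve it to private IPs. A group in another account or a peered VPC has no ENIs
    # visible here and stays empty, which is itself worth flagging in a review.
    referenced = {gid: set() for gid in group_ids}
    for eni in network_interfaces:
        for g in eni.get("Groups", []):
            if g["GroupId"] in referenced:
                referenced[g["GroupId"]].update(
                    a["PrivateIpAddress"] for a in eni.get("PrivateIpAddresses", []))
    return {
        "port": port,
        # collapse_addresses merges overlapping CIDRs (10.0.1.0/24 vanishes into 10.0.0.0/16)
        "ipv4": [str(n) for n in ipaddress.collapse_addresses(v4)],
        "ipv6": [str(n) for n in ipaddress.collapse_addresses(v6)],
        "prefix_lists": sorted(prefix_lists),   # managed prefix lists need a separate lookup
        "security_groups": {gid: sorted(ips, key=ipaddress.ip_address)
                            for gid, ips in referenced.items()},
        "open_to_world": any(n.prefixlen == 0 for n in v4 + v6),
    }


def fetch_inputs(db_instance_identifier):
    """Live variant (hypothetical helper): pull the three inputs from AWS with boto3."""
    import boto3  # imported here so the offline sample above runs without boto3 installed
    rds, ec2 = boto3.client("rds"), boto3.client("ec2")
    db = rds.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)["DBInstances"][0]
    sgs = ec2.describe_security_groups(
        GroupIds=[g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]])["SecurityGroups"]
    referenced = sorted({p["GroupId"] for sg in sgs for rule in sg["IpPermissions"]
                         for p in rule.get("UserIdGroupPairs", [])})
    enis = []
    if referenced:
        for page in ec2.get_paginator("describe_network_interfaces").paginate(
                Filters=[{"Name": "group-id", "Values": referenced}]):
            enis += page["NetworkInterfaces"]
    return db, sgs, enis


if __name__ == "__main__":
    summary = allowed_sources(SAMPLE_DB_INSTANCE, SAMPLE_SECURITY_GROUPS, SAMPLE_NETWORK_INTERFACES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Against the sample, the SSH rule is ignored, 10.0.1.0/24 is folded into 10.0.0.0/16, the "all traffic" rule from 172.16.0.0/12 is counted, sg-app resolves to three private IPs and sg-peer resolves to nothing because its ENIs live in another VPC. Two things the script deliberately leaves as identifiers rather than addresses: managed prefix lists (resolve them with get_managed_prefix_list_entries if you need the CIDRs) and referenced groups whose members are outside the account. Note also that a security-group rule is necessary but not sufficient for reachability: network ACLs, route tables and the VPN/peering configuration still have to allow the path.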
