
How do I use the AWS PowerShell Tools to get IDs of security groups allowed in ingress rules?

In the AWS Web Console, viewing a security group's inbound rules can display another Security Group ID in the source column instead of an IP address. I need to view Security Group ingress rules through PowerShell that reference other security groups as the source.

Get-EC2SecurityGroup does not appear to include information about other incoming security groups.

To fetch information about a single EC2 security group in AWS, the following PowerShell command can be used:

Get-EC2SecurityGroup -GroupId sg-121kRandStringf912j

The results look like this:

Description         : My Security Group Description
GroupId             : sg-121kRandStringf912j
GroupName           : SSHIn
IpPermissions       : {Amazon.EC2.Model.IpPermission}
IpPermissionsEgress : {Amazon.EC2.Model.IpPermission}
OwnerId             : 123456789012
Tags                : {Name, aws:cloudformation:stack-name, aws:cloudformation:logical-id, aws:cloudformation:stack-id}
VpcId               : vpc-01q23RandString09ab817

A closer inspection of the IpPermissions property for a rule that uses IP addresses looks similar to this:

FromPort         : 22
IpProtocol       : tcp
IpRanges         : {192.168.1.0/32, 192.168.2.0/32}
Ipv6Ranges       : {}
PrefixListIds    : {}
ToPort           : 22
UserIdGroupPairs : {}

Notice that in the output above, IP ranges are listed.

I would expect to find similar output when the ingress rule allows an entire security group in. I would expect to find information similar to this:

FromPort         : 22
IpProtocol       : tcp
IpRanges         : {sg-1q9b2RandomString93q47}
Ipv6Ranges       : {}
PrefixListIds    : {}
ToPort           : 22
UserIdGroupPairs : {}

Instead, all the other properties in the main SecurityGroup object are similar, but when inspecting the IpPermissions property, the rule for that port is present while the IpRanges property is empty, and there aren't any additional properties that contain security group IDs.

FromPort         : 22
IpProtocol       : tcp
IpRanges         : {}
Ipv6Ranges       : {}
PrefixListIds    : {}
ToPort           : 22
UserIdGroupPairs : {}

How can I use PowerShell to find rules that allow other security groups inbound?

You should see the list of configured security groups in UserIdGroupPairs, each with Description, GroupId, and UserId. That's what the awscli returns. I would check that you are supplying the correct security group ID in your request.
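One way to audit such rules with the AWS Tools for PowerShell, as an added example that is not part of the original question or answer: the function flattens every UserIdGroupPairs entry into one row per rule and flags references to groups owned by a different account (UserId differs from the group's OwnerId). The function name is mine; it assumes the AWS.Tools.EC2 (or AWSPowerShell) module is installed and credentials and region are already configured.

```powershell
# Added example; not from the original question or answer.
# Assumes AWS.Tools.EC2 / AWSPowerShell and configured credentials and region.
function Get-SecurityGroupSourceRules {
    [CmdletBinding()]
    param(
        # Security group objects as returned by Get-EC2SecurityGroup
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$SecurityGroup
    )
    process {
        foreach ($sg in $SecurityGroup) {
            foreach ($perm in $sg.IpPermissions) {
                # Rules sourced from CIDRs have an empty UserIdGroupPairs;
                # only group-sourced rules produce rows here.
                foreach ($pair in $perm.UserIdGroupPairs) {
                    [pscustomobject]@{
                        GroupId       = $sg.GroupId
                        GroupName     = $sg.GroupName
                        # IpProtocol "-1" means all traffic; ports are then unset
                        Protocol      = $perm.IpProtocol
                        FromPort      = $perm.FromPort
                        ToPort        = $perm.ToPort
                        SourceGroupId = $pair.GroupId
                        SourceAccount = $pair.UserId
                        # Flag sources owned by another account (peered VPCs)
                        CrossAccount  = ($pair.UserId -ne $sg.OwnerId)
                        Description   = $pair.Description
                    }
                }
            }
        }
    }
}

# Single group, using the (placeholder) ID from the question
Get-EC2SecurityGroup -GroupId sg-121kRandStringf912j | Get-SecurityGroupSourceRules

# Every group in the current region, cross-account references first
Get-EC2SecurityGroup | Get-SecurityGroupSourceRules |
    Sort-Object -Property @{Expression = 'CrossAccount'; Descending = $true}, GroupId, FromPort |
    Format-Table -AutoSize
```

A rule whose source is a security group shows an empty IpRanges, so the rows above are the only place the source group ID appears; an empty result for a group you expect to reference another group means the rule is CIDR-based or the wrong GroupId was queried.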
