[英]Revoke all AWS security group ingress rules
是否可以撤销 AWS 安全组中的所有入口规则? 是否可以撤销所有 SSH 入口规则? 我正在尝试使用下面的 cli 命令,但它不起作用:
aws ec2 revoke-security-group-ingress --group-id GroupID --protocol tcp --port 22
根据@kuboon 的建议,这里是该脚本的一个更简单的工作版本,在 zsh 中进行了测试。 主要区别是:
--output json
选项强制第一个命令返回 json(这并不总是默认值)revoke-security-group-ingress
参数--ip-permissions
,而不是作为--cli-input-json
需要的 json(它不是)中的完全格式化命令。groupId="your group-id"
aws ec2 revoke-security-group-ingress --group-id $groupId \
--ip-permissions \
"`aws ec2 describe-security-groups --output json --group-ids $groupId --query "SecurityGroups[0].IpPermissions"`"
我最终编写了一个 Powershell 脚本,该脚本使用 AWS CLI 来执行此操作。
该脚本遍历所有区域,查找默认安全组,并删除其中的所有规则。
这里是:
# get all regions
write-host "Getting all regions.."
$regions = ([string](aws ec2 describe-regions --region eu-west-2) | ConvertFrom-Json).Regions.RegionName
write-host "Got them:"
$regions
write-host "-------------------"
write-host ""
# for all regions
foreach ($region in $regions)
{
write-host "Getting default security groups for $region.."
# get all subnets
$groupIds = ([string](aws ec2 describe-security-groups --filters Name=group-name,Values=default --region $region) | ConvertFrom-Json).SecurityGroups.GroupId
foreach ($groupId in $groupIds)
{
write-host "Got it: $groupId"
write-host "Getting all rules.."
$rules = [string](aws ec2 describe-security-groups --group-id $groupId --query "SecurityGroups[0].IpPermissions" --region $region) | ConvertFrom-Json
foreach ($rule in $rules)
{
$protocol = $rule.IpProtocol
$cidr = $rule.IpRanges.CidrIp
$fromPort = $rule.FromPort
$toPort = $rule.ToPort
$cidrIpv6 = $rule.Ipv6Ranges.CidrIpv6
$sourceGroup = $rule.UserIdGroupPairs.GroupId
$sourceGroupUserId = $rule.UserIdGroupPairs.UserId
if ($protocol -eq "icmpv6") {
$protocol = "icmp"
}
if (($protocol -eq "tcp") -Or ($protocol -eq "udp") -Or ($protocol -eq "icmp"))
{
if ($cidr){
if ($fromPort -eq -1){
write-host "Removing rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort" --cidr $cidr --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort" --cidr $cidr --region $region
write-host "Done!"
query
}
else {
write-host "Removing rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort-$toPort" --cidr $cidr --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort-$toPort" --cidr $cidr --region $region
write-host "Done!"
}
}
if ($cidrIpv6){
$json = ('{"IpProtocol": "'+$protocol+'", "FromPort": '+$fromPort+', "ToPort": '+$toPort+', "Ipv6Ranges": [{"CidrIpv6": "'+$cidrIpv6+'"}]}') | ConvertTo-Json
write-host "Removing Ipv6 version of rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region
write-host "Done!"
}
if ($sourceGroup -and $sourceGroupUserId)
{
write-host "Removing SourceGroup rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort-$toPort" --cidr $cidr --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort-$toPort" --source-group $sourceGroup --group-owner $sourceGroupUserId --region $region
write-host "Done!"
}
}
else
{
if ($cidr){
write-host "Removing rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --cidr $cidr --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --cidr $cidr --region $region
write-host "Done!"
}
if ($cidrIpv6){
$json = '{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "'+$cidrIpv6+'"}]}' | ConvertTo-Json
write-host "Removing Ipv6 version of rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region
write-host "Done!"
}
if ($sourceGroup)
{
$json = '{ "IpProtocol": "-1", "UserIdGroupPairs":[{"GroupId":"'+$sourceGroup+'","UserId":"'+$sourceGroupUserId+'"}] }' | ConvertTo-Json
write-host "Removing SourceGroup rule from security group using this command:"
write-host "aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region"
aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region
write-host "Done!"
}
}
}
}
write-host "-------------------"
write-host ""
}
注意此脚本无法删除某些规则(自定义协议、自定义 ICMP 规则 - IPv6),但它适用于大多数规则。
我在以下规则集上测试了脚本:
这是运行脚本后剩下的:
希望这可以帮助那里的人!
看起来您必须单独指定每个源,例如 --cidr 0.0.0.0/0 或 --source-group sg-12345678。
获取规则列表并撤销所有规则。
groupId="your group-id"
json=`aws ec2 describe-security-groups --group-id $groupId --query "SecurityGroups[0].IpPermissions"`
aws ec2 revoke-security-group-ingress --cli-input-json "{\"GroupId\": \"$groupId\", \"IpPermissions\": $json}"
只是对 Demonicdaron 脚本的一个小改进,可以将 1 个以上的 cidr 返回到相同的规则,在这种情况下,您只需在 $cidr 上执行 foreach() 来循环每个人。
但它就像一个魅力
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.