AWS从私有IP获取安全组ID

Question

如何基于私有IP地址获取与ec2-instance相关的安全组ID，因此，希望自动化修改安全组入口的过程。

例如：从10.0.0.11打开10.0.0.10上的端口22

我想将sg-xxxxxx关联到10.0.0.10并添加入口FromPort：22 ToPort：22 Cidr：10.0.0.11/32

Answer 1

您可以从此命令获取安全组（用专用IP地址替换XXXX ）：

aws ec2 describe-instances --filters "Name=private-ip-address,Values=X.X.X.X" \
    --query "Reservations[*].Instances[*].SecurityGroups[*]" --output text

之后，应该简单地调用aws ec2 authorize-security-group-ingress打开端口。

这可以很容易地包装在Bash脚本中，如果实例是多个实例的成员，则只需确定确定要修改哪个安全组的方法。

Answer 2

#!/usr/bin/python

import subprocess
from sys import argv
import sys, getopt

ipaddress=" "
protocol = " "
FromPort = " "
ToPort = " "
CidrIP = " "

opts, args = getopt.getopt(argv[1:],"hi:h:p:f:t:c:",["help","ip=","protocol=","FromPort=","ToPort=","CidrIp="])
for opt, arg in opts:
   if opt in ("-h", "--help"):
      print "Usage: -i x.x.x.x -p icmp -f 22 -t 22 -c x.x.x.x/x"
      sys.exit()
   elif opt in ("-i", "--ipaddress"):
      ipaddress = arg
   elif opt in ("-p", "--protocol"):
      protocol = arg
   elif opt in ("-f", "--fromport"):
      FromPort = arg
   elif opt in ("-t", "--toport"):
      ToPort = arg
   elif opt in ("-c", "--cidrip"):
       CidrIP = arg
   else:
       print 'Invalid argument'

subprocess.call("aws ec2 describe-instances --filters \"Name=private-ip-address,Values="+ipaddress+"\" --query \"Reservations[*].Instances[*].SecurityGroups[*]\" --output text > /tmp/sg.txt", shell=True)
sg_id = []
with open('/tmp/sg.txt', 'r') as f:
    for line in f:
        sg_id.append(line.split(None, 1)[0])

subprocess.call("aws ec2 authorize-security-group-ingress --group-id"+ " "+sg_id[0] + " "+"--ip-permissions '[{\"IpProtocol\":"+ " "+"\""+protocol+"\""+"," " "+ "\"FromPort\":"+ " "+FromPort+"," " "+ "\"ToPort\":"+ " "+ToPort+"," " "+ "\"IpRanges\":"+ " "+"[{\"CidrIP\":"+ " "+"\""+CidrIP+"\""+"}]}]'", shell=True)

print("successful")