Reputation: 926
I have a shell script which adds my public IP to the specified EC2 security group. I've gone through some AWS docs and can't find which APIs to use to update an existing IP address instead of simply adding one.
I've gone through the following:
Is there an api which can be used to simply update the existing IP address in the security group?
I'm using the following bash script to add new entries to the security group.
#!/bin/bash
# look up the current public IPv4 address and turn it into a host (/32) CIDR
IP=$(curl -s https://checkip.amazonaws.com)
CIDR="${IP}/32"
# add an ingress rule for SSH (tcp/22) from that address
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr "$CIDR" --profile xxxxx
Upvotes: 10
Views: 7750
Reputation: 269111
Here's a similar script I use:
IP=$(curl -s http://whatismyip.akamai.com/)
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr "$IP/32" --output text
However, this eventually adds too many rules, so I then need to delete the existing rules. You could automate that deletion before adding a rule.
UPDATE: @DavideRadice points out that there is now the AWS CLI aws ec2 modify-security-group-rules command.
Upvotes: 2
Reputation: 305
The command you're looking for is modify-security-group-rules: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html
Here is a script that uses it.
#!/bin/bash
# Update a security group rule allowing your
# current IPv4 I.P. to connect on port 22 (SSH)
set -euo pipefail
# variables to identify sec group and sec group rule
SEC_GROUP_ID='sg-xxXXxx'
SEC_GROUP_RULE_ID='sgr-xxXXxxXXxxXX'
# gets current date and prepares description for sec group rule
CURRENT_DATE=$(date +'%Y-%m-%d')
SEC_GROUP_RULE_DESCRIPTION="dynamic ip updated - ${CURRENT_DATE}"
# gets current I.P. and adds /32 for ipv4 cidr (--fail: an HTTP error aborts
# the script instead of handing an error page to the aws CLI)
CURRENT_IP=$(curl --silent --fail https://checkip.amazonaws.com)
NEW_IPV4_CIDR="${CURRENT_IP}/32"
# updates I.P. and description in the sec group rule; the whole shorthand value
# is one quoted argument because the description contains spaces, and there is
# no space after the commas inside the braces
aws ec2 modify-security-group-rules --group-id "${SEC_GROUP_ID}" \
  --security-group-rules "SecurityGroupRuleId=${SEC_GROUP_RULE_ID},SecurityGroupRule={CidrIpv4=${NEW_IPV4_CIDR},IpProtocol=tcp,FromPort=22,ToPort=22,Description=${SEC_GROUP_RULE_DESCRIPTION}}"
# shows the sec group rule updated
aws ec2 describe-security-group-rules --security-group-rule-ids "${SEC_GROUP_RULE_ID}"
Upvotes: 9
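Two things the modify-security-group-rules approach above leaves to chance are worth closing, shown here as an added example that is not part of the answer: the string returned by the IP-lookup service is validated as a plain IPv4 address before it is spliced into an aws CLI argument (an error page, an empty body or an IPv6 address would otherwise end up in the rule or in the command line), and the API is only called when the rule's CIDR actually differs from the current address. The group and rule IDs in the usage comment are placeholders; DRY_RUN is a switch of this script, not of the aws CLI, and only echoes the command that would run.

```shell
#!/bin/sh
# Added example, not part of the original answer: rotate the CIDR on one
# existing tcp/22 ingress rule with modify-security-group-rules, but
#   - refuse anything from the IP-lookup service that is not a plain IPv4 address
#   - skip the API call when the rule already carries the current address
# Group and rule IDs in the usage line at the bottom are placeholders.
set -eu

# valid_ipv4 ADDR: succeeds only for a dotted quad with each octet in 0..255
# and no leading zeros. Whatever the lookup service returns is untrusted input
# to the aws CLI and is checked before it is used anywhere.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  _ifs=$IFS
  IFS=.
  set -- $1
  IFS=$_ifs
  for octet in "$@"; do
    case $octet in
      0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# rule_spec RULE_ID CIDR DESCRIPTION: shorthand value for --security-group-rules.
# The description must not contain commas or braces, which the shorthand
# parser reads as separators; the caller keeps it to a fixed prefix plus a date.
rule_spec() {
  printf 'SecurityGroupRuleId=%s,SecurityGroupRule={CidrIpv4=%s,IpProtocol=tcp,FromPort=22,ToPort=22,Description=%s}' \
    "$1" "$2" "$3"
}

# Runs the aws CLI, or with DRY_RUN set just prints the command it would run,
# so the exact call can be inspected without credentials.
aws_cli() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'aws %s\n' "$*"
  else
    command aws "$@"
  fi
}

# update_rule GROUP_ID RULE_ID NEW_IP CURRENT_CIDR
# exit status: 0 rule modified, 2 NEW_IP rejected, 3 rule already current
update_rule() {
  if ! valid_ipv4 "$3"; then
    echo "refusing to use '$3': not an IPv4 address" >&2
    return 2
  fi
  new_cidr="$3/32"
  if [ "$4" = "$new_cidr" ]; then
    echo "rule $2 already allows $new_cidr; nothing to do"
    return 3
  fi
  aws_cli ec2 modify-security-group-rules --group-id "$1" \
    --security-group-rules "$(rule_spec "$2" "$new_cidr" "dynamic-ip-$(date +%Y-%m-%d)")"
}

# main GROUP_ID RULE_ID
main() {
  # if curl fails, ip is empty and update_rule rejects it instead of
  # pushing a broken CIDR into the rule
  ip=$(curl -sS --fail --max-time 10 https://checkip.amazonaws.com | tr -d '[:space:]')
  # CidrIpv4 currently on the rule (prints None for an IPv6 or prefix-list rule)
  old_cidr=$(aws_cli ec2 describe-security-group-rules --security-group-rule-ids "$2" \
    --query 'SecurityGroupRules[0].CidrIpv4' --output text)
  update_rule "$1" "$2" "$ip" "$old_cidr"
}

# Usage: ./update-ssh-rule.sh sg-0123456789abcdef0 sgr-0123456789abcdef0   (placeholder ids)
# Without arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Create the tcp/22 rule once with authorize-security-group-ingress, take its sgr- id from describe-security-group-rules, and run the script from cron or a network-change hook; exit status 3 means the address has not moved, so nothing was written to the account.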
Reputation: 31
my_ip=$(curl -s https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr "${my_ip}/32"
Upvotes: 0
Reputation: 2428
This script will find any security groups tagged with the key ssh-from-my-ip and a case-insensitive value of true or yes. It will then revoke the old ingress access from port 22 (if any) and authorize your new IP CIDR. It requires the AWS CLI and jq.
#! /bin/bash
# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 instance without having to
# allow access to the whole world (0.0.0.0/0). If you run this script whenever
# your IP changes then the security groups in your account specified by your
# AWS profile will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case-insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq
# need my current ip (--fail: an HTTP error exits non-zero instead of handing back an error page)
MY_IP=$(curl --silent --fail https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"
# need security group id(s) and the CIDR(s) currently allowed on tcp/22 in each tagged SG:
# one {sg, cidr} object per existing CIDR, or cidr=null when the SG has no tcp/22 rule yet
pairs=$(aws ec2 describe-security-groups | jq -c '
  .SecurityGroups[]?
  | select(any(.Tags[]?; .Key == "ssh-from-my-ip" and (.Value | test("^(true|yes)$"; "i"))))
  | .GroupId as $sg
  | [.IpPermissions[]? | select(.IpProtocol == "tcp" and .FromPort == 22 and .ToPort == 22) | .IpRanges[]? | .CidrIp]
  | (if length == 0 then [null] else . end)[]
  | {sg: $sg, cidr: .}')
# one JSON object per line; a plain for loop over $pairs would split on any whitespace
while IFS= read -r p
do
  [ -n "$p" ] || continue
  SG=$(echo "$p" | jq -r '.sg')
  OLD_CIDR=$(echo "$p" | jq -r '.cidr')
  echo "Updating security group ${SG}"
  if [[ $OLD_CIDR != 'null' ]]
  then
    echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
    # remove the existing ingress permission
    aws ec2 revoke-security-group-ingress \
      --group-id "${SG}" \
      --protocol tcp \
      --port 22 \
      --cidr "${OLD_CIDR}"
  fi
  # authorize my new IP CIDR
  NEW_CIDR="${MY_IP}"/32
  echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
  aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done <<< "$pairs"
Upvotes: 9
Reputation: 926
I've been able to hack my way to make this work. As John suggested, I've created another security group, added the ports which require access and update it via the shell script. The update works by removing all the rules mentioned in the security group and adding them again with the required IP.
The source code has been published on Github
Upvotes: 0