'Updating Existing IPs from a Security Group in AWS using aws cli
I have a shell script which adds my public ip to the specified ec2-security-group. I've gone through some AWS docs and can't find which Apis to use to update existing IP address instead of simply adding one.
I've gone through the following:
Is there an api which can be used to simply update the existing IP address in the security group?
I'm using the following bash script to add new entries to the security group.
#!/bin/bash
curl https://checkip.amazonaws.com > ip.txt
awk '{ print $0 "/32" }' < ip.txt > ipnew.txt
export stuff=$(cat ipnew.txt)
aws ec2 authorize-security-group-ingress --group-name XXXXX --protocol tcp --port 22 --cidr $stuff --profile xxxxx
amazon-web-servicesSolution 1:[1]
This script will find any security groups tagged with the key ssh-from-my-ip and a case insensitive value of true or yes. It will then revoke the old ingress access from port 22 (if any) and authorize your new IP CIDR. It requires aws cli and jq.
#! /bin/bash
# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq
# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"
# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')
for p in $pairs
do
SG=$(echo "$p" | jq -r '.sg')
OLD_CIDR=$(echo "$p" | jq -r '.cidr')
echo "Updating security group ${SG}"
if [[ $OLD_CIDR != 'null' ]]
then
echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
# remove the existing ingress permission
aws ec2 revoke-security-group-ingress \
--group-id "${SG}" \
--protocol tcp \
--port 22 \
--cidr "${OLD_CIDR}"
fi
# authorize my new IP CIDR
NEW_CIDR="${MY_IP}"/32
echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
Solution 2:[2]
There is no command to 'update' a rule. You will need to add and remove rules.
Here's a similar script I use:
IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name XXX --protocol tcp --port 22 --cidr $IP/32 --output text
However, this eventually adds too many rules, so I then need to delete the existing rules. You could automate that deletion before adding a rule.
Solution 3:[3]
export my_ip=$(curl https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr $my_ip/32
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mark |
| Solution 2 | John Rotenstein |
| Solution 3 | bwolmarans |