Working with multiple clients, each with their own AWS setup and security groups, sometimes makes remote work difficult. For instance, I have to update the many security groups with my current (dynamic) IP address so that I can SSH into the server. To solve this problem, I created a shell script to manage the situation.
Using the aws ec2 command line tool, you can issue a set of commands to query, delete and add IP rules to the firewall. The script below allows you to:
- Select an AWS profile to use (set up using the aws tool)
- Specify one or more security groups to edit (under the same profile)
- Specify any fixed IP addresses that should remain constant
- Specify the TCP port for the IP rules
The Script
Running the Script
Give the appropriate execute permissions to the script, e.g. chmod 755 aws-security.sh, then call the script using ./aws-security.sh
Caveats
Please note the following before running the script:
- All existing rules matching the protocol (tcp) and port will be deleted by running this script. Please make sure any required IP addresses are added to fixed_ips.
- The script will add your current IP address by default. If this address already exists in fixed_ips, an error will be thrown by the aws tool.
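The procedure described above (profile, security groups, fixed IPs, TCP port) as an added POSIX sh example; this is not the post's own aws-security.sh. Rather than deleting every tcp/port rule and re-adding them, it diffs the wanted CIDRs against the existing ones, so a second run changes nothing and the duplicate-address error from the second caveat cannot occur. The group IDs and addresses are constructed placeholders, and AWS_CMD and CURRENT_IP are hypothetical overrides for exercising the logic without network access.

```shell
#!/bin/sh
# Added example, not the post's aws-security.sh: make the tcp/PORT ingress rule
# of each security group equal to FIXED_IPS plus the current public IP. Only
# CIDRs no longer wanted are revoked and only missing ones authorized, so a
# second run changes nothing. Assumes a configured aws CLI; the addresses and
# group IDs are constructed placeholders; AWS_CMD and CURRENT_IP are
# hypothetical overrides so the logic can be exercised without network access.
AWS_CMD="${AWS_CMD:-aws}"
PROFILE="${PROFILE:-default}"
PORT="${PORT:-22}"
FIXED_IPS="${FIXED_IPS:-203.0.113.10/32 203.0.113.11/32}"   # constructed

# Current public IP as a /32 CIDR; CURRENT_IP skips the lookup.
current_cidr() {
    ip="${CURRENT_IP:-$(curl -fs https://checkip.amazonaws.com)}"
    [ -n "$ip" ] || return 1
    printf '%s/32\n' "$ip"
}
# Wanted CIDRs, one per line, deduplicated so the aws tool is never asked to
# add the same CIDR twice (the duplicate error mentioned in the caveats).
desired_cidrs() {
    { printf '%s\n' $FIXED_IPS; current_cidr; } | sort -u   # split on purpose
}
# CIDRs currently allowed for tcp/PORT in security group $1, one per line.
existing_cidrs() {
    "$AWS_CMD" ec2 describe-security-groups --profile "$PROFILE" --group-ids "$1" \
        --query "SecurityGroups[0].IpPermissions[?IpProtocol=='tcp' && FromPort==\`$PORT\` && ToPort==\`$PORT\`].IpRanges[].CidrIp" \
        --output text | tr '\t' '\n' | sort -u
}

# Revoke stale CIDRs, authorize missing ones for group $1, printing each action.
sync_group() {
    want=$(desired_cidrs)
    # Never empty the rule set: with no wanted CIDRs you would lock yourself out.
    [ -n "$want" ] || { echo "no wanted CIDRs, refusing to touch $1" >&2; return 1; }
    have=$(existing_cidrs "$1")
    for cidr in $have; do
        printf '%s\n' "$want" | grep -qxF "$cidr" && continue
        echo "revoke $1 $cidr"
        "$AWS_CMD" ec2 revoke-security-group-ingress --profile "$PROFILE" \
            --group-id "$1" --protocol tcp --port "$PORT" --cidr "$cidr" >/dev/null
    done
    for cidr in $want; do
        printf '%s\n' "$have" | grep -qxF "$cidr" && continue
        echo "authorize $1 $cidr"
        "$AWS_CMD" ec2 authorize-security-group-ingress --profile "$PROFILE" \
            --group-id "$1" --protocol tcp --port "$PORT" --cidr "$cidr" >/dev/null
    done
}
# Usage: ./sync-sg.sh sg-0123456789abcdef0 [sg-...]   (group IDs are placeholders)
if [ "$#" -gt 0 ]; then for sg in "$@"; do sync_group "$sg"; done; fi
```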
AWS Security Policy
It’s a good idea to set up an IAM policy to manage access to your AWS account. With that in mind, you can create a new IAM user with the below access policy, which restricts that user to modifying security group rules. The policy can be narrowed further to a specific security group by updating the “Resource” element.
Is it possible to add a description to a new rule, and search by description instead of (# Port, port=22;)?
Thank You
The CLI tool does allow a description to be specified when adding the rule, using the more complex --ip-permissions flag. This also means you need to specify more details in the rule. You can see how this can be done in the documentation: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html