
Configuring EC2 Security Groups with the AWS CLI

Posted at 2022-09-16

I used the following pages as references.
http://se-blog.mydns.jp/contents/aws/cli-sg/cli-sg.html
https://qiita.com/S-T/items/3d4197bbed1022ccac43

Verified with the following version.

$ aws --version
aws-cli/2.7.27 Python/3.9.11 Linux/5.19.8-arch1-1 exe/x86_64.arch prompt/off

Listing Security Groups

go_list.sh
#!/bin/bash
# Every security group in the region: name, Name tag (None if absent) and ID, sorted by name
aws ec2 describe-security-groups --output=table \
 --query 'sort_by(SecurityGroups[].{A_GroupName: GroupName, B_Name: Tags[?Key==`Name`].Value|[0], C_GroupID: GroupId}, &A_GroupName)'

Output

$ ./go_list.sh
-------------------------------------------------------
|               DescribeSecurityGroups                |
+------------------+---------+------------------------+
|    A_GroupName   | B_Name  |       C_GroupID        |
+------------------+---------+------------------------+
|  default         |  None   |  sg-0f2d7454484abcd12  |
|  launch-wizard-1 |  None   |  sg-0c8b45bf132abcd12  |
+------------------+---------+------------------------+

Getting inbound rules

go_inbound.sh
#!/bin/bash
GROUP_ID="sg-0c8b45bf132abcd12"
#
# FromPort is the start of the rule's (destination) port range, not a source port;
# the source is the CIDR, security group or prefix list in the last three columns.
# C_SourceIP merges IpRanges and Ipv6Ranges so that an IPv6-only source such as ::/0
# does not show up as an empty cell.
aws ec2 describe-security-groups --group-ids "$GROUP_ID" --output=table \
 --query 'sort_by(SecurityGroups[].IpPermissions[].{A_Protocol: IpProtocol, B_FromPort: FromPort, C_SourceIP: join(`, `, [IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6][]), D_SourceId: join(`, `, UserIdGroupPairs[].GroupId), E_SourcePrefix: join(`, `, PrefixListIds[].PrefixListId)}, &A_Protocol)'

Output

$ ./go_inbound.sh
------------------------------------------------------------------------------------
|                              DescribeSecurityGroups                              |
+------------+-------------+----------------------+-------------+------------------+
| A_Protocol | B_FromPort  |     C_SourceIP       | D_SourceId  | E_SourcePrefix   |
+------------+-------------+----------------------+-------------+------------------+
|  tcp       |  80         |  0.0.0.0/0           |             |                  |
|  tcp       |  22         |  219.116.120.21/32   |             |                  |
|  tcp       |  3389       |  219.116.120.21/32   |             |                  |
|  tcp       |  443        |  0.0.0.0/0           |             |                  |
+------------+-------------+----------------------+-------------+------------------+

Here 80 and 443 are open to the world, as expected for a web server, while 22 (SSH) and 3389 (RDP) are limited to a single /32. A rule with IpProtocol -1 (all traffic) has no FromPort and is listed with an empty B_FromPort cell, so check that column for blanks as well as for admin ports.
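Reading the table by eye does not scale past a few groups, so here is an added example (not code from the original article) that audits the JSON form of the same output. It loads a constructed response in the shape of `aws ec2 describe-security-groups --output json`: the launch-wizard-1 rules from the table above, plus a hypothetical group named risky-example with a made-up ID, added to show what a finding looks like. It flags any inbound rule reachable from 0.0.0.0/0 or ::/0 that covers SSH, RDP or WinRM, or that allows all traffic, and it also looks at Ipv6Ranges, UserIdGroupPairs and PrefixListIds, which a quick JMESPath query tends to skip.

```python
import json

# Ports whose exposure to the whole internet is always worth a finding.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`:
# the launch-wizard-1 rules shown in the table, plus one hypothetical risky group.
SAMPLE_RESPONSE = json.loads("""
{"SecurityGroups": [
  {"GroupName": "launch-wizard-1", "GroupId": "sg-0c8b45bf132abcd12", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "219.116.120.21/32"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "219.116.120.21/32"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
  {"GroupName": "risky-example", "GroupId": "sg-0000000000000000a", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [{"GroupId": "sg-0f2d7454484abcd12"}]}]}
]}
""")


def sources(perm):
    """Every source of one IpPermissions entry: IPv4 CIDRs, IPv6 CIDRs, referenced
    security groups and prefix lists, as one flat list of strings."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])])


def port_range(perm):
    """(FromPort, ToPort) for a tcp/udp rule. For icmp those fields are type/code,
    and protocol -1 has none at all, so anything else returns None."""
    if perm["IpProtocol"] not in ("tcp", "udp", "6", "17"):
        return None
    return perm["FromPort"], perm["ToPort"]


def audit_inbound(response):
    """Flag inbound rules reachable from 0.0.0.0/0 or ::/0 that cover a sensitive port or
    allow all traffic. Returns (group_id, group_name, protocol, ports, source, detail)."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            open_from = sorted(set(sources(perm)) & ANYWHERE)
            if not open_from:
                continue  # limited to a CIDR, a group or a prefix list: not a finding here
            if perm["IpProtocol"] == "-1":
                findings.append((sg["GroupId"], sg["GroupName"], "all", "all",
                                 ",".join(open_from), "all traffic from anywhere"))
                continue
            rng = port_range(perm)
            if rng is None:
                continue
            lo, hi = rng
            # A wide range such as 1024-65535 silently covers RDP and WinRM; check overlap, not equality.
            hit = [f"{SENSITIVE_PORTS[p]}/{p}" for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]
            if hit:
                findings.append((sg["GroupId"], sg["GroupName"], perm["IpProtocol"],
                                 f"{lo}-{hi}", ",".join(open_from), " ".join(hit)))
    return findings


if __name__ == "__main__":
    import sys
    # Real use: aws ec2 describe-security-groups --output json | python3 audit_sg.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for row in audit_inbound(data):
        print("\t".join(row))
```

On the sample, launch-wizard-1 produces no findings and risky-example produces three: SSH open to ::/0, all traffic open to 0.0.0.0/0, and a 1024-65535 range that exposes RDP and WinRM even though neither port appears literally in the rule.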

Getting my IP

http https://checkip.amazonaws.com/

`http` here is the HTTPie client; `curl -s https://checkip.amazonaws.com/` returns the same single line. Use the address as `<ip>/32` for IP_SOURCE in the scripts below, and make sure the reply really is one address (not an error page or a proxy banner) before it goes into a rule.

Deleting a rule

go_del.sh
#!/bin/bash
GROUP_ID="sg-0c8b45bf132abcd12"
PORT=5000
IP_SOURCE="219.116.120.21/32"
#
# The permission must match the existing rule exactly (protocol, port range, CIDR);
# revoking a rule that does not exist fails with InvalidPermission.NotFound.
aws ec2 revoke-security-group-ingress --group-id "${GROUP_ID}" \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": '"${PORT}"', "ToPort": '"${PORT}"', "IpRanges": [{"CidrIp": "'"${IP_SOURCE}"'"}]}]'
#

Processing multiple ports

go_del_multi.sh
#!/bin/bash
GROUP_ID="sg-0c8b45bf132abcd12"
IP_SOURCE="219.116.120.21/32"
#
# One API call per port; a port with no matching rule fails on its own and the loop continues.
for PORT in 22 80 443
do
aws ec2 revoke-security-group-ingress --group-id "${GROUP_ID}" \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": '"${PORT}"', "ToPort": '"${PORT}"', "IpRanges": [{"CidrIp": "'"${IP_SOURCE}"'"}]}]'
done
#

Adding a rule

go_append.sh
#!/bin/bash
GROUP_ID="sg-0c8b45bf132abcd12"
PORT=5000
IP_SOURCE="219.116.120.21/32"
#
# --port N is shorthand for FromPort=ToPort=N. Adding a rule that already exists fails
# with InvalidPermission.Duplicate, so revoke the old source before re-adding a port.
aws ec2 authorize-security-group-ingress --group-id "${GROUP_ID}" \
	--protocol tcp --port "${PORT}" --cidr "${IP_SOURCE}"
#

Processing multiple ports

go_append_multi.sh
#!/bin/bash
GROUP_ID="sg-0c8b45bf132abcd12"
IP_SOURCE="219.116.120.21/32"
#
# Keep 22 (and 3389) on a single /32 like this; only 80 and 443 belong on 0.0.0.0/0.
for PORT in 22 80 443
do
aws ec2 authorize-security-group-ingress --group-id "${GROUP_ID}" \
	--protocol tcp --port "${PORT}" --cidr "${IP_SOURCE}"
done
#
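The delete and add scripts above splice shell variables into a JSON string and issue one call per port, and rerunning them fails with InvalidPermission.NotFound or InvalidPermission.Duplicate. As an added example (not code from the original article), the Python below builds the IpPermissions structure as data, validates the checkip.amazonaws.com reply before turning it into a /32, and computes which authorize and revoke calls are actually needed to move a set of ports from the old source address to the new one. It works on a constructed group in the shape of one SecurityGroups element from `describe-security-groups` (the rules from the table above); the new address 198.51.100.7 is a made-up documentation value.

```python
import ipaddress
import json

# Constructed sample: one SecurityGroups element as returned by
# `aws ec2 describe-security-groups --group-ids sg-...`, with the rules from the table.
SAMPLE_GROUP = {
    "GroupId": "sg-0c8b45bf132abcd12",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "219.116.120.21/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "219.116.120.21/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def host_cidr(raw):
    """Turn the body returned by https://checkip.amazonaws.com/ into a host CIDR (/32 or /128).
    Anything that is not exactly one address (an error page, a captive-portal banner)
    raises ValueError instead of ending up inside a security group rule."""
    ip = ipaddress.ip_address(raw.strip())
    return f"{ip}/{ip.max_prefixlen}"


def ip_permission(port, cidr, protocol="tcp"):
    """One IpPermissions entry for a single port from one CIDR, built as data and later
    serialized with json.dumps rather than by splicing shell variables into a JSON string."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 219.116.120.21/24
    if net.version == 6:
        return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
                "Ipv6Ranges": [{"CidrIpv6": str(net)}]}
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(net)}]}


def existing_cidrs(group, port, protocol="tcp"):
    """CIDRs that already have a single-port rule for `port` in this group."""
    found = set()
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] == protocol and perm.get("FromPort") == port == perm.get("ToPort"):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            found.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return found


def rotate_plan(group, ports, old_cidr, new_cidr, protocol="tcp"):
    """IpPermissions lists (to_authorize, to_revoke) that move `ports` from old_cidr to
    new_cidr. Rules already present are not re-added (InvalidPermission.Duplicate) and
    rules already gone are not revoked (InvalidPermission.NotFound), so a rerun is a no-op."""
    to_authorize, to_revoke = [], []
    for port in ports:
        have = existing_cidrs(group, port, protocol)
        if new_cidr not in have:
            to_authorize.append(ip_permission(port, new_cidr, protocol))
        if old_cidr in have and old_cidr != new_cidr:
            to_revoke.append(ip_permission(port, old_cidr, protocol))
    return to_authorize, to_revoke


def cli_arg(perms):
    """Value for --ip-permissions: one call carries every port instead of a loop of calls."""
    return json.dumps(perms, separators=(",", ":"))


if __name__ == "__main__":
    # Authorize the new source first and revoke the old one second: if the authorize call
    # fails, the old SSH/RDP rule is still there. 198.51.100.7 is a constructed value.
    new = host_cidr("198.51.100.7\n")
    authorize, revoke = rotate_plan(SAMPLE_GROUP, [22, 3389], "219.116.120.21/32", new)
    gid = SAMPLE_GROUP["GroupId"]
    if authorize:
        print(f"aws ec2 authorize-security-group-ingress --group-id {gid} --ip-permissions '{cli_arg(authorize)}'")
    if revoke:
        print(f"aws ec2 revoke-security-group-ingress --group-id {gid} --ip-permissions '{cli_arg(revoke)}'")
```

The printed commands use the same `--ip-permissions` form as go_del.sh; the same lists can be passed directly to boto3's `authorize_security_group_ingress(GroupId=..., IpPermissions=[...])` and `revoke_security_group_ingress(...)`. Feed the script the live group (from `describe-security-groups --group-ids`) rather than SAMPLE_GROUP so the plan reflects what is actually in the account.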