Background
When the company's public IP changes, you need to find out which security groups have rules that reference that IP.
This is a memo, for future reference, of a quick way to enumerate them with aws-cli and the jq command.
Prerequisites
- aws-cli is set up
- the jq command is set up
Commands
First, define the IP you want to look up (in CIDR notation)
CIDR=8.8.8.8/32
List the security groups whose inbound rules reference the CIDR
for region in us-east-2 us-east-1 us-west-1 us-west-2 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1
do
  echo "region... $region"
  # CIDR is passed in with --arg so jq compares against a proper string value.
  # any() is true as soon as one ingress rule matches, so each group is emitted once.
  aws --region "$region" ec2 describe-security-groups \
  | jq -r --arg cidr "$CIDR" \
    '.SecurityGroups[] | select(any(.IpPermissions[].IpRanges[].CidrIp; . == $cidr)) | .GroupName' \
  | sort \
  | uniq
done
List the security groups whose outbound rules reference the CIDR
for region in us-east-2 us-east-1 us-west-1 us-west-2 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1
do
  echo "region... $region"
  # Same filter as above, but over the egress rules (IpPermissionsEgress).
  aws --region "$region" ec2 describe-security-groups \
  | jq -r --arg cidr "$CIDR" \
    '.SecurityGroups[] | select(any(.IpPermissionsEgress[].IpRanges[].CidrIp; . == $cidr)) | .GroupName' \
  | sort \
  | uniq
done
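As an added example (not code from the original post), the same lookup done offline in Python over a constructed describe-security-groups response, with one extension the jq filter above lacks: besides the exact CidrIp string match, it can also report rules whose range merely contains the address (for example 0.0.0.0/0 or a /24), which an exact comparison silently misses. The group names and IDs in the sample are made up.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-security-groups` output; names and IDs are made up.
SAMPLE_RESPONSE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000000000000001", "GroupName": "hogehoge-sg",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "8.8.8.8/32"}]}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-0000000000000002", "GroupName": "wide-open-sg",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": []},
  {"GroupId": "sg-0000000000000003", "GroupName": "egress-only-sg",
   "IpPermissions": [],
   "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
                            "IpRanges": [{"CidrIp": "8.8.8.0/24"}]}]}
]}
""")


def groups_referencing(response, cidr, direction="ingress", exact=False):
    """Return the sorted GroupNames whose rules in `direction` cover `cidr`.

    direction: "ingress" reads IpPermissions (the page's first loop),
               "egress" reads IpPermissionsEgress (the second loop).
    exact:     True reproduces the page's jq test (CidrIp string == CIDR);
               False additionally reports rules whose range contains it.
    """
    key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
    target = ipaddress.ip_network(cidr, strict=False)
    hits = set()
    for sg in response["SecurityGroups"]:
        for perm in sg.get(key, []):
            for rng in perm.get("IpRanges", []):  # IPv4 ranges only, like the jq filter
                rule = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if rule == target or (not exact and target.subnet_of(rule)):
                    hits.add(sg["GroupName"])
    return sorted(hits)


if __name__ == "__main__":
    for direction in ("ingress", "egress"):
        print(direction, "exact:   ", groups_referencing(SAMPLE_RESPONSE, "8.8.8.8/32", direction, exact=True))
        print(direction, "contains:", groups_referencing(SAMPLE_RESPONSE, "8.8.8.8/32", direction))
```

Run against a real response by piping `aws ec2 describe-security-groups` output into json.load instead of the embedded sample; the containment mode is the one to use when auditing what an address can actually reach.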
Sample result
This shows that 8.8.8.8/32 is defined in the inbound rules of the security groups hogehoge-sg and fugafuga-sg.
mac48:~ s-urabe$ CIDR=8.8.8.8/32
mac48:~ s-urabe$ for region in us-east-2 us-east-1 us-west-1 us-west-2 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1
> do
> echo region... $region;
> aws --region $region ec2 describe-security-groups \
> |jq -r \
> '.SecurityGroups[] | select((.IpPermissions[].IpRanges[].CidrIp == "'$CIDR'")
> or (.IpPermissions[].IpRanges[].CidrIp == "'$CIDR'")) | .GroupName' \
> |sort \
> |uniq
> done
region... us-east-2
region... us-east-1
region... us-west-1
region... us-west-2
region... ap-south-1
region... ap-northeast-2
region... ap-southeast-1
region... ap-southeast-2
region... ap-northeast-1
hogehoge-sg
fugafuga-sg
region... ca-central-1
region... eu-central-1
region... eu-west-1
region... eu-west-2
region... eu-west-3
region... eu-north-1
region... sa-east-1
mac48:~ s-urabe$