
ozvision Advent Calendar 2019

Day 6

[How-to] Quickly enumerate the IPs (CIDRs) defined in AWS security groups


Background

When the company's public IP address changes, you need to find out which security groups have the old IP applied.
I'm writing down, as a memo for myself, a simple way to enumerate them using aws-cli and the jq command.

Prerequisites

  • aws-cli is set up
  • the jq command is set up

Commands to run

First, define the IP you want to check (as a CIDR)

CIDR=8.8.8.8/32

Find the names of security groups whose inbound rules reference the CIDR

for region in us-east-2 us-east-1 us-west-1 us-west-2 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1
do
  echo region... $region;
  # pass the CIDR with --arg instead of splicing the shell variable into the filter string;
  # any() emits a group once even when several of its inbound rules reference the CIDR
  aws --region $region ec2 describe-security-groups \
  |jq -r --arg cidr "$CIDR" \
    '.SecurityGroups[] | select(any(.IpPermissions[].IpRanges[]; .CidrIp == $cidr)) | .GroupName' \
  |sort \
  |uniq
done

Find the names of security groups whose outbound rules reference the CIDR

for region in us-east-2 us-east-1 us-west-1 us-west-2 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1
do
  echo region... $region;
  # same filter as for inbound, but over the egress rule list (IpPermissionsEgress)
  aws --region $region ec2 describe-security-groups \
  |jq -r --arg cidr "$CIDR" \
    '.SecurityGroups[] | select(any(.IpPermissionsEgress[].IpRanges[]; .CidrIp == $cidr)) | .GroupName' \
  |sort \
  |uniq
done
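The jq filters above do an exact string match on CidrIp, so a rule that allows a wider range containing the company IP (say 8.8.8.0/24, or the catch-all 0.0.0.0/0 that most egress rules carry) is not reported, and IPv6 ranges (Ipv6Ranges / CidrIpv6) are not looked at either. The Python below is an added example, not part of the original article: it runs the same search over the JSON that `aws ec2 describe-security-groups` returns (for example saved per region with `aws --region <region> ec2 describe-security-groups > <region>.json`), and optionally also reports rules whose range contains the searched CIDR. The SecurityGroups document, group names and group IDs embedded here are constructed for the example and are not real data.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group names and IDs are made up; only the fields the search reads are filled in.
SAMPLE_JSON = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa0000000000001", "GroupName": "hogehoge-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "8.8.8.8/32", "Description": "office"}],
                 "Ipv6Ranges": []}
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
            ],
        },
        {
            "GroupId": "sg-0aaa0000000000002", "GroupName": "office-range-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "8.8.8.0/24"}], "Ipv6Ranges": []}
            ],
            "IpPermissionsEgress": [],
        },
        {
            "GroupId": "sg-0aaa0000000000003", "GroupName": "egress-only-sg",
            "IpPermissions": [],
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
                 "IpRanges": [{"CidrIp": "8.8.8.8/32"}], "Ipv6Ranges": []}
            ],
        },
        {
            "GroupId": "sg-0aaa0000000000004", "GroupName": "unrelated-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                 "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]}
            ],
            "IpPermissionsEgress": [],
        },
    ]
})

DIRECTION_KEY = {"ingress": "IpPermissions", "egress": "IpPermissionsEgress"}


def load_sample():
    """Parse the constructed sample; replace with json.load(open('<region>.json')) for real use."""
    return json.loads(SAMPLE_JSON)


def rule_cidrs(permission):
    """Yield every IPv4 and IPv6 CIDR string referenced by one rule entry."""
    for r in permission.get("IpRanges", []):
        yield r["CidrIp"]
    for r in permission.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_groups(describe_output, cidr, direction="ingress", include_supernets=False):
    """Return a sorted list of (GroupId, GroupName, matched_cidr) tuples.

    include_supernets=False reproduces the exact match of the jq filter.
    include_supernets=True also reports rules whose range contains the searched
    CIDR (8.8.8.0/24 or 0.0.0.0/0 for 8.8.8.8/32), which exact matching misses.
    """
    wanted = ipaddress.ip_network(cidr, strict=False)
    key = DIRECTION_KEY[direction]
    hits = set()
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get(key, []):
            for rule_cidr in rule_cidrs(perm):
                net = ipaddress.ip_network(rule_cidr, strict=False)
                if net.version != wanted.version:
                    continue  # an IPv6 rule can never contain an IPv4 CIDR, and vice versa
                if net == wanted or (include_supernets and wanted.subnet_of(net)):
                    hits.add((sg["GroupId"], sg["GroupName"], rule_cidr))
    return sorted(hits)


if __name__ == "__main__":
    data = load_sample()
    for direction in ("ingress", "egress"):
        for include in (False, True):
            label = "supernets" if include else "exact"
            print(direction, label, find_groups(data, "8.8.8.8/32", direction, include))
```

With the sample above, the exact inbound search reports only hogehoge-sg, while the supernet search also surfaces office-range-sg (8.8.8.0/24); on the egress side the supernet search additionally flags hogehoge-sg through its 0.0.0.0/0 rule, which is usually noise for this task but worth knowing is there. Running it per region keeps the same loop structure as the shell version, just with the JSON saved to a file first.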

Sample result

We found that 8.8.8.8/32 is defined in the inbound rules of the hogehoge-sg and fugafuga-sg security groups.

mac48:~ s-urabe$ CIDR=8.8.8.8/32
mac48:~ s-urabe$ for region in us-east-2 us-east-1 us-west-1 us-west-2 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1
> do
>   echo region... $region;
>   aws --region $region ec2 describe-security-groups \
>   |jq -r \
>     '.SecurityGroups[] | select((.IpPermissions[].IpRanges[].CidrIp == "'$CIDR'")
>     or (.IpPermissions[].IpRanges[].CidrIp == "'$CIDR'")) |  .GroupName' \
>   |sort \
>   |uniq
> done
region... us-east-2
region... us-east-1
region... us-west-1
region... us-west-2
region... ap-south-1
region... ap-northeast-2
region... ap-southeast-1
region... ap-southeast-2
region... ap-northeast-1
hogehoge-sg
fugafuga-sg
region... ca-central-1
region... eu-central-1
region... eu-west-1
region... eu-west-2
region... eu-west-3
region... eu-north-1
region... sa-east-1
mac48:~ s-urabe$ 