AWS 从私有 IP 获取安全组 ID
AWS get security group ids from private IP
如何根据私有 IP 地址获取与 ec2-instance 关联的安全组 ID
所以,想自动化修改安全组入口的过程。
例如:从 10.0.0.11 打开 10.0.0.10 上的端口 22
I want to get the sg-xxxxxx associate to 10.0.0.10 and add ingress
FromPort:22 ToPort:22 Cidr:10.0.0.11/32
您可以从此命令获取安全组(将 X.X.X.X 替换为私有 IP 地址):
aws ec2 describe-instances --filters "Name=private-ip-address,Values=X.X.X.X" \
--query "Reservations[*].Instances[*].SecurityGroups[*]" --output text
之后,应该是简单调用aws ec2 authorize-security-group-ingress打开端口。
这可以很容易地包含在 Bash 脚本中,如果一个实例是多个安全组的成员,您只需要某种方法来确定要修改哪个安全组。
#!/usr/bin/python
import subprocess
from sys import argv
import sys, getopt
ipaddress=" "
protocol = " "
FromPort = " "
ToPort = " "
CidrIP = " "
opts, args = getopt.getopt(argv[1:],"hi:h:p:f:t:c:",["help","ip=","protocol=","FromPort=","ToPort=","CidrIp="])
for opt, arg in opts:
if opt in ("-h", "--help"):
print "Usage: -i x.x.x.x -p icmp -f 22 -t 22 -c x.x.x.x/x"
sys.exit()
elif opt in ("-i", "--ipaddress"):
ipaddress = arg
elif opt in ("-p", "--protocol"):
protocol = arg
elif opt in ("-f", "--fromport"):
FromPort = arg
elif opt in ("-t", "--toport"):
ToPort = arg
elif opt in ("-c", "--cidrip"):
CidrIP = arg
else:
print 'Invalid argument'
subprocess.call("aws ec2 describe-instances --filters \"Name=private-ip-address,Values="+ipaddress+"\" --query \"Reservations[*].Instances[*].SecurityGroups[*]\" --output text > /tmp/sg.txt", shell=True)
sg_id = []
with open('/tmp/sg.txt', 'r') as f:
for line in f:
sg_id.append(line.split(None, 1)[0])
subprocess.call("aws ec2 authorize-security-group-ingress --group-id"+ " "+sg_id[0] + " "+"--ip-permissions '[{\"IpProtocol\":"+ " "+"\""+protocol+"\""+"," " "+ "\"FromPort\":"+ " "+FromPort+"," " "+ "\"ToPort\":"+ " "+ToPort+"," " "+ "\"IpRanges\":"+ " "+"[{\"CidrIP\":"+ " "+"\""+CidrIP+"\""+"}]}]'", shell=True)
print("successful")
如何根据私有 IP 地址获取与 ec2-instance 关联的安全组 ID 所以,想自动化修改安全组入口的过程。
例如:从 10.0.0.11 打开 10.0.0.10 上的端口 22
I want to get the sg-xxxxxx associate to 10.0.0.10 and add ingress FromPort:22 ToPort:22 Cidr:10.0.0.11/32
您可以从此命令获取安全组(将 X.X.X.X 替换为私有 IP 地址):
aws ec2 describe-instances --filters "Name=private-ip-address,Values=X.X.X.X" \
--query "Reservations[*].Instances[*].SecurityGroups[*]" --output text
之后,应该是简单调用aws ec2 authorize-security-group-ingress打开端口。
这可以很容易地包含在 Bash 脚本中,如果一个实例是多个安全组的成员,您只需要某种方法来确定要修改哪个安全组。
#!/usr/bin/python
import subprocess
from sys import argv
import sys, getopt
ipaddress=" "
protocol = " "
FromPort = " "
ToPort = " "
CidrIP = " "
opts, args = getopt.getopt(argv[1:],"hi:h:p:f:t:c:",["help","ip=","protocol=","FromPort=","ToPort=","CidrIp="])
for opt, arg in opts:
if opt in ("-h", "--help"):
print "Usage: -i x.x.x.x -p icmp -f 22 -t 22 -c x.x.x.x/x"
sys.exit()
elif opt in ("-i", "--ipaddress"):
ipaddress = arg
elif opt in ("-p", "--protocol"):
protocol = arg
elif opt in ("-f", "--fromport"):
FromPort = arg
elif opt in ("-t", "--toport"):
ToPort = arg
elif opt in ("-c", "--cidrip"):
CidrIP = arg
else:
print 'Invalid argument'
subprocess.call("aws ec2 describe-instances --filters \"Name=private-ip-address,Values="+ipaddress+"\" --query \"Reservations[*].Instances[*].SecurityGroups[*]\" --output text > /tmp/sg.txt", shell=True)
sg_id = []
with open('/tmp/sg.txt', 'r') as f:
for line in f:
sg_id.append(line.split(None, 1)[0])
subprocess.call("aws ec2 authorize-security-group-ingress --group-id"+ " "+sg_id[0] + " "+"--ip-permissions '[{\"IpProtocol\":"+ " "+"\""+protocol+"\""+"," " "+ "\"FromPort\":"+ " "+FromPort+"," " "+ "\"ToPort\":"+ " "+ToPort+"," " "+ "\"IpRanges\":"+ " "+"[{\"CidrIP\":"+ " "+"\""+CidrIP+"\""+"}]}]'", shell=True)
print("successful")