如何临时打开和关闭 AWS 安全组上某个 IP 的端口?

【问题标题】:How to temporarily open and close a port to a certain IP on an AWS security group?如何临时打开和关闭 AWS 安全组上某个 IP 的端口?
【发布时间】:2023-03-27 10:40:01
【问题描述】:

我想在备份过程开始之前使用aws cli 工具临时打开某个IP地址的端口,并在完成后关闭它。

我知道如何通过控制台执行此操作,但我找不到如何以编程方式执行此操作。

有谁知道我可以运行什么命令来做到这一点?

我正在考虑编写一个 shell 脚本来执行此操作并在备份之前启动它,所以我找到了一个完全相同的 Circle CI Orb。但是,当我尝试使用 shell 脚本启动它时,会出现错误。我不太擅长 shell 命令,所以也许有人可以告诉我我可以在下面修复什么?

AWS 的权限设置正确,所以我想我只需要在下面的脚本中进行一些调整。

# Get the current IP of the AWS instance the script is launched from

LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)

IP="${IP-$LATEST_IP}"

if [[ "${IP}" == "" ]]; then
    echo "Could not find your public IP"
    exit 1
fi

# Get the security group ID

GROUPID=$(aws ec2 describe-security-groups --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' --output table | grep << parameters.tag-value >> | awk '{print $4}') [[ -n "${GROUPID}" ]] || (echo "Could not determine Security Group ID" && exit 0);
                                            
# Adding Rule SSH to Your Security Group

echo Allowing << parameters.description >> to access port $PORT from IP
$IP to the security group $GROUPID

aws ec2 authorize-security-group-ingress --group-id $GROUPID --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp": "'$LATEST_IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]' 

# Closing the port
echo "Removing << parameters.description >> access from IP $IP to the security group $GROUPID"


# Delete IP rules matching port

aws ec2 revoke-security-group-ingress --group-id $GROUPID --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp":"'$LATEST_IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]'

【问题讨论】:

  • “我得到错误” - 你能澄清一下究竟是什么错误吗?
  • 它抛出一个错误,说|无法识别,所以我认为这是关于语法
  • 什么是parameters
  • 老实说,我不知道。也许这就是问题所在。我想我需要在某处提供安全组的名称以及需要打开和关闭的端口,对吧?

标签: amazon-web-services aws-cli aws-security-group


【解决方案1】:

修改了脚本,使其工作。但我认为它目前的形式并没有多大用处。它只是将规则添加到 SG,然后立即将其删除。

我将 GROUPID=$(aws ec2 des ... 替换为仅要使用的 SG ID 值。

#!/bin/bash 
# Get the current IP of the AWS instance the script is launched from

set -ex

LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)

IP="${IP-$LATEST_IP}"

if [[ "${IP}" == "" ]]; then
    echo "Could not find your public IP"
    exit 1
fi

echo ${IP}

# Get the security group ID

GROUPID="sg-0483809ca6b8e91d0" # change to your own SG
PORT_FROM=80
PORT_TO=80
MASK_IP="32"
DESCRIPTION="Some-description"
AWS_PROFILE="default" # AWS credentials profile to use

# Adding Rule SSH to Your Security Group

echo Allowing ${GROUPID} to access port $PORT from IP ${IP} to the security group $GROUPID

aws ec2 authorize-security-group-ingress \
    --group-id $GROUPID \
    --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '${PORT_FROM}', "ToPort": '${PORT_TO}', "IpRanges": [{"CidrIp": "'$LATEST_IP/${MASK_IP}'", "Description": "'${DESCRIPTION}'"}]}]' \
    --profile ${AWS_PROFILE} 

# Closing the port
echo "Removing ${DESCRIPTION} access from IP $IP to the security group $GROUPID"


# Delete IP rules matching port

aws ec2 revoke-security-group-ingress \
    --group-id $GROUPID \
    --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '${PORT_FROM}', "ToPort": '${PORT_TO}', "IpRanges": [{"CidrIp":"'$LATEST_IP/${MASK_IP}'", "Description": "'${DESCRIPTION}'"}]}]' \
    --profile ${AWS_PROFILE}

示例输出:

++ wget -qO- http://checkip.amazonaws.com
+ LATEST_IP=<real-ip-value>
+ IP=<real-ip-value>
+ [[ <real-ip-value> == '' ]]
+ echo <real-ip-value>
<real-ip-value>
+ GROUPID=sg-0483809ca6b8e91d0
+ PORT_FROM=80
+ PORT_TO=80
+ MASK_IP=32
+ DESCRIPTION=Some-description
+ AWS_PROFILE=la
+ echo Allowing sg-0483809ca6b8e91d0 to access port from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
Allowing sg-0483809ca6b8e91d0 to access port from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
+ aws ec2 authorize-security-group-ingress --group-id sg-0483809ca6b8e91d0 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "<real-ip-value>/32", "Description": "Some-description"}]}]' --profile la
+ echo 'Removing Some-description access from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0'
Removing Some-description access from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
+ aws ec2 revoke-security-group-ingress --group-id sg-0483809ca6b8e91d0 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp":"<real-ip-value>/32", "Description": "Some-description"}]}]' --profile la

【讨论】:

  • 谢谢你,@Marcin 我会试试看——但你为什么认为这没有用?一个端口暂时打开然后关闭不是很好吗?你建议另一种解决方案吗?当然,在打开和关闭之间,我执行了某些操作(备份),我从这个脚本中排除了这些操作。
  • @Aerodynamika 嗨。该脚本只是打开它,然后立即关闭它。所以端口最多会打开几秒钟。最好把它分成两个脚本,一个打开,第二个关闭。
猜你喜欢
  • 2020-12-10
  • 1970-01-01
  • 2021-07-10
  • 1970-01-01
  • 2015-03-21
  • 1970-01-01
  • 1970-01-01
  • 2012-09-06
  • 2021-06-08
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode