
My current setup on EC2 Management Console involves:

  • multiple security groups representing various resources on AWS
  • multiple inbound rules within a security group representing people's public IP addresses that are whitelisted to access the resource

Currently, when a person's public IP address changes because of ISP issues, I have to manually go into EC2MC and change the inbound rule associated with that person to allow them access. There are multiple inbound rules within a security group and multiple security groups that this person is whitelisted for. Rather than changing, for instance, 9 rules manually, I'm wondering if there's a way to launch a script that prompts for the security group name, person's name, and new IP address so that this substitution occurs automatically?

Example layout of security groups

Example layout of inbound rules within a security group

Any advice is appreciated!

1 Answer


This is a pretty straightforward script to write. AWS has a CLI/API for authorize-security-group-ingress and revoke-security-group-ingress. You could do this in a Bash script or any language with an AWS SDK. The revocation would be easier if you know their previous IP address, otherwise you may need to make a describe-security-groups call to determine it based on descriptions.

Below are links to the relevant CLI docs:

https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html
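A script along the lines the answer describes, added here as an example and not the answerer's own code: it prompts for the group name, the person's name and the new address, uses describe-security-groups to find every inbound rule whose description is that person, then swaps the /32 with authorize followed by revoke. The function names, the sample group and its addresses are my own constructed data; the script assumes boto3 is installed and normal AWS credentials are configured.

```python
"""Rotate one person's whitelisted IPv4 /32 across every inbound rule of a security group."""
import ipaddress
from typing import Any
# Constructed sample in the shape describe-security-groups returns (all values fictitious).
SAMPLE_SG: dict[str, Any] = {
    "GroupId": "sg-0example", "GroupName": "web-admin",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
            {"CidrIp": "203.0.113.5/32", "Description": "Alice"},
            {"CidrIp": "198.51.100.9/32", "Description": "Bob"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [
            {"CidrIp": "203.0.113.5/32", "Description": "alice"}]},
        {"IpProtocol": "-1", "IpRanges": [  # "all traffic" rules carry no FromPort/ToPort
            {"CidrIp": "192.0.2.77/32", "Description": "Alice"}]},
    ],
}

def plan_ip_rotation(sg: dict[str, Any], person: str, new_ip: str) -> tuple[list, list]:
    """Return (revoke, authorize) IpPermissions lists for one security group."""
    # A rule is the person's when its IpRanges Description equals their name (case-insensitive);
    # entries that already point at new_ip are skipped so authorize never hits a duplicate.
    new_cidr = f"{ipaddress.IPv4Address(new_ip)}/32"  # rejects junk and IPv6 input
    revoke, authorize = [], []
    for perm in sg.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            if rng.get("Description", "").strip().lower() != person.strip().lower():
                continue
            if rng["CidrIp"] == new_cidr:
                continue
            base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            revoke.append({**base, "IpRanges": [{"CidrIp": rng["CidrIp"]}]})
            authorize.append({**base, "IpRanges": [{"CidrIp": new_cidr, "Description": rng["Description"]}]})
    return revoke, authorize

def rotate_ip(ec2, group_name: str, person: str, new_ip: str) -> int:
    """Apply the plan through a boto3 EC2 client; returns the number of rules moved."""
    resp = ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": [group_name]}])
    groups = resp["SecurityGroups"]
    if len(groups) != 1:  # group names are only unique per VPC; refuse to guess
        raise SystemExit(f"expected exactly one group named {group_name!r}, found {len(groups)}")
    revoke, authorize = plan_ip_rotation(groups[0], person, new_ip)
    if authorize:  # authorize first so a failure never leaves the person locked out
        ec2.authorize_security_group_ingress(GroupId=groups[0]["GroupId"], IpPermissions=authorize)
        ec2.revoke_security_group_ingress(GroupId=groups[0]["GroupId"], IpPermissions=revoke)
    return len(revoke)

if __name__ == "__main__":
    import boto3  # assumed installed; credentials come from the usual AWS credential chain
    print(rotate_ip(boto3.client("ec2"), input("Security group name: "), input("Person: "), input("New IPv4: ")), "rule(s) moved")
```

Run it once per security group the person is whitelisted in; the plan step can also be called on its own to review what would change before touching the account.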