AWS : CLI - 3

AWS CLI & Security Group

Updating security-group rules by hand every time your public IP address changes is tedious, especially across several groups. The script below automates that change.

The script only updates the SSH (TCP 22) and RDP (TCP 3389) ingress rules of the security groups you list — the two protocols administrators most commonly use to reach an EC2 instance — and scopes each rule to a single /32 source address. Note that the new address comes from an external lookup and is written straight into an ingress rule, so that lookup should be made over HTTPS and the result validated as an IP address before it is authorized.

  • Preparation

    • Update OLD_IPS with your old public IP address (the source address currently present in the rules)

    • Update RDP_SG_LIST and SSH_SG_LIST with your actual security group IDs

    • Update PROFILE if your default profile is different

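      #!/usr/bin/env bash
      #
      # update_sg.sh - move the SSH/RDP ingress rules of a set of security
      # groups from an old /32 source address to the current public IP.
      #
      # Requires: aws CLI (with a configured profile), jq, curl.
      # Uses bash-only features ([[ ]], arrays): do not run it under /bin/sh.

      # AWS CLI profile to use. The 1st positional argument overrides it (see main).
      PROFILE=default

      # Log file: every step is appended here so a bad run can be traced afterwards.
      LOG=aws_sg.log

      # Old IP list - the source address(es) currently present in the rules.
      # Each entry is replaced by the new public IP (as a /32).
      OLD_IPS=(
        10.100.0.0
      )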
      
      # Print name, ID and ingress permissions of every security group whose
      # name contains "Bastion", pretty-printed with jq.
      # Globals: PROFILE (read)
      __show_sg_ids() {
        local query='SecurityGroups[*].{Name:GroupName,ID:GroupId,permissions:IpPermissions[*]}'
        aws ec2 --profile "$PROFILE" describe-security-groups \
          --filters "Name=group-name,Values=*Bastion*" \
          --query "$query" \
          --output json | jq
      }
      
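      # Print the IpPermissions JSON for an SSH (tcp/22) or RDP (tcp/3389)
      # ingress rule, with the literal placeholder IP_ADDRESS where the /32
      # source address goes; callers substitute it (see __update_sg).
      # Arguments: $1 - "ssh" or "rdp"
      # Outputs:   the JSON array on stdout
      # Returns:   0 on success, 1 for an unknown protocol (nothing printed)
      __get_perm() {
        local protocol=$1
        local port
        case "$protocol" in
          ssh) port=22 ;;
          rdp) port=3389 ;;
          *)
            printf '__get_perm: unknown protocol "%s" (expected ssh or rdp)\n' "$protocol" >&2
            return 1
            ;;
        esac
        printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"IP_ADDRESS/32"}]}]\n' "$port" "$port"
      }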
      
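      # Print the IpPermissions JSON used to set the description of an SSH or
      # RDP rule: same shape as __get_perm plus a Description field so the
      # rule can be found again later (see __show_ips).
      # Globals:   RULE_DESC (read) - description text, defaults to "Harry".
      #            Keep it free of double quotes; it is spliced into JSON as-is.
      # Arguments: $1 - "ssh" or "rdp"
      # Outputs:   the JSON array on stdout, IP_ADDRESS left as a placeholder
      # Returns:   0 on success, 1 for an unknown protocol (nothing printed)
      __get_desc() {
        local protocol=$1
        local desc=${RULE_DESC:-Harry}
        local port
        case "$protocol" in
          ssh) port=22 ;;
          rdp) port=3389 ;;
          *)
            printf '__get_desc: unknown protocol "%s" (expected ssh or rdp)\n' "$protocol" >&2
            return 1
            ;;
        esac
        printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"IP_ADDRESS/32","Description":"%s"}]}]\n' "$port" "$port" "$desc"
      }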
      
      
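      # Print the security-group rules carrying our rule description
      # (RULE_DESC, default "Harry") with two lines of context around each
      # match, so the result of an update can be eyeballed.
      # Globals: PROFILE, RULE_DESC (read)
      __show_ips() {
        local desc=${RULE_DESC:-Harry}
        aws ec2 --profile "$PROFILE" \
          describe-security-groups \
          --output json \
          --query 'SecurityGroups[*].{Name:GroupName,ID:GroupId,permissions:IpPermissions[*]}' \
          | grep -i -F -C 2 -- "$desc"
      }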
      
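      # Move one ingress rule in one security group from an old source IP to
      # a new one. The new /32 is authorized BEFORE the old one is revoked, so
      # a failed authorize (API error, bad IP, throttling) never leaves the
      # group without an admin rule. When both addresses are equal nothing
      # is changed (authorize would fail as a duplicate and the revoke would
      # then remove the only rule).
      # Globals:   PROFILE, LOG (read)
      # Arguments: $1 - "ssh" or "rdp"
      #            $2 - security group ID (sg-...)
      #            $3 - old source IP (no mask)
      #            $4 - new source IP (no mask)
      # Outputs:   progress on stdout (also appended to $LOG); the final
      #            group state via jq on success
      # Returns:   0 on success (or nothing to do), 1 if a CLI step failed
      __update_sg() {
        local protocol=$1
        local sgid=$2
        local oip=$3
        local nip=$4
        local perm desc old_perm new_perm new_desc

        echo "$PROFILE $sgid $oip $nip" | tee -a "$LOG"

        if [[ "$oip" == "$nip" ]]; then
          echo "Old and new IP are identical ($nip) - nothing to do for $sgid" | tee -a "$LOG"
          return 0
        fi

        perm=$(__get_perm "$protocol") || return 1
        desc=$(__get_desc "$protocol") || return 1

        old_perm=${perm/IP_ADDRESS/$oip}
        new_perm=${perm/IP_ADDRESS/$nip}
        new_desc=${desc/IP_ADDRESS/$nip}

        echo "$old_perm" | tee -a "$LOG"
        echo "$new_perm" | tee -a "$LOG"
        echo "$new_desc" | tee -a "$LOG"

        # 1. Add the new rule first. If this fails, keep the old rule so
        #    access to the host is never lost.
        if ! aws ec2 --profile "$PROFILE" \
            authorize-security-group-ingress \
            --group-id "$sgid" --ip-permissions "$new_perm"; then
          echo "authorize of $nip on $sgid failed - old rule for $oip left in place" | tee -a "$LOG" >&2
          return 1
        fi

        # 2. Tag the new rule so __show_ips can find it. Not fatal: the rule
        #    itself is already in place.
        aws ec2 --profile "$PROFILE" \
          update-security-group-rule-descriptions-ingress \
          --group-id "$sgid" --ip-permissions "$new_desc" \
          || echo "warning: could not set rule description on $sgid" | tee -a "$LOG" >&2

        # 3. Only now drop the old rule.
        if ! aws ec2 --profile "$PROFILE" \
            revoke-security-group-ingress \
            --group-id "$sgid" --ip-permissions "$old_perm"; then
          echo "revoke of $oip on $sgid failed (already gone?) - check the group manually" | tee -a "$LOG" >&2
          return 1
        fi

        aws ec2 --profile "$PROFILE" \
          describe-security-groups \
          --output json \
          --group-ids "$sgid" | jq
      }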
      
      # Update the rule with RDP 
      # Update the rule with RDP
      # Move the RDP rule of every group in RDP_SG_LIST from $1 to $2, then
      # show the resulting rules.
      # Globals:   LOG (read); SG is intentionally not local, __update_sg's
      #            log line may read it.
      # Arguments: $1 - old IP, $2 - new IP
      update_rdp_sg() {
        local OIP=$1
        local NIP=$2

        RDP_SG_LIST=(
          sg-0123456789
          sg-9876543210
        )
        echo " :::::::::::: PROFILE - rdp :::::::::::: " | tee -a "$LOG"
        for SG in "${RDP_SG_LIST[@]}"; do
          __update_sg rdp "$SG" "$OIP" "$NIP"
        done
        __show_ips
      }
      
      # Update the rule with SSH 
      # Update the rule with SSH
      # Move the SSH rule of every group in SSH_SG_LIST from $1 to $2, then
      # show the resulting rules.
      # Globals:   LOG (read); SG is intentionally not local, __update_sg's
      #            log line may read it.
      # Arguments: $1 - old IP, $2 - new IP
      update_ssh_sg() {
        local OIP=$1
        local NIP=$2

        SSH_SG_LIST=(
          sg-aaaaaaaaaaa
          sg-bbbbbbbbbbb
        )
        echo " :::::::::::: PROFILE - ssh :::::::::::: " | tee -a "$LOG"
        for SG in "${SSH_SG_LIST[@]}"; do
          __update_sg ssh "$SG" "$OIP" "$NIP"
        done
        __show_ips
      }
      
      
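      # Entry point.
      # Arguments: $1 - optional AWS CLI profile; when omitted the PROFILE
      #            default at the top of the script is kept (the previous
      #            unconditional assignment left PROFILE empty without an
      #            argument, which breaks every --profile call).
      # Globals:   PROFILE (written), LOG, OLD_IPS (read)
      # Returns:   0 on success, 1 if the public IP could not be determined
      main() {
        local old_ip new_ip
        local ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

        echo "Start... $(date)" | tee -a "$LOG"

        PROFILE=${1:-$PROFILE}

        echo "profile $PROFILE " | tee -a "$LOG"

        echo 'You can pass profile name as 1st parameter to overwrite the default setting.'

        # Look the public IP up once, over HTTPS, and refuse anything that is
        # not a plain IPv4 address: the value is written straight into an
        # ingress rule, so a tampered or error response (HTML page, empty
        # body) must never be authorized. -4 because the rules are IPv4 /32.
        new_ip=$(curl -4 -fsS https://ifconfig.me) || new_ip=""
        if [[ ! "$new_ip" =~ $ipv4_re ]]; then
          echo "Could not determine public IPv4 address (got: '$new_ip') - aborting" | tee -a "$LOG" >&2
          return 1
        fi

        for old_ip in "${OLD_IPS[@]}"; do
          echo "Old IP $old_ip" | tee -a "$LOG"
          echo "New IP $new_ip" | tee -a "$LOG"

          # Update RDP bastion
          update_rdp_sg "$old_ip" "$new_ip"

          # Update SSH bastion
          update_ssh_sg "$old_ip" "$new_ip"
        done
        echo "DONE $(date) !!!!!!!!!! " | tee -a "$LOG"
      }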
      
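      # Quote "$@" so each argument reaches main as one word.
      main "$@"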
      
      
  • How to use (save the script as ./update_sg.sh and make it executable; it needs the AWS CLI, jq and curl)

    ./update_sg.sh profile_A 
    ./update_sg.sh profile_B