How do I delete all rules for a given port using "aws ec2"?
aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 **--ALL-IP**
According to the documentation, this command works with --cidr or --source-group. So if you have multiple IP addresses, I'd say the only option is to run the same command several times, once per IP address (in the form 1.1.1.1/32).
Alternatively,
you can list all IP addresses in a file in CIDR format (1.1.1.1/32), one address per line, and then run a for loop over it, running the command above on each iteration. For example
for i in $(cat ip_address_cidr.txt); do aws ec2 revoke-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr "$i"; done
I haven't tested the command syntax above, but it should do the job so that you can revoke the rules in a single one-liner.
I think this is what you are looking for: How to close all open SSH ports in an AWS security group
Here is a solution for a specific security group ID:
#!/bin/bash
sg="{security group}"   # replace with the security group ID (sg-...)
# get the cidrs for the ingress rules
rules=$(aws ec2 describe-security-groups --group-ids "$sg" --output text --query 'SecurityGroups[*].IpPermissions')
# rules will contain something like:
# 22 tcp 22
# IPRANGES 108.42.177.53/32
# IPRANGES 10.0.0.0/16
# 80 tcp 80
# IPRANGES 0.0.0.0/0
# luckily, aws returns all ipranges per port grouped together
# flag for whether we are reading ipranges
reading=0
# loop over the returned lines
while read -r line; do
    # split the line up into words
    rulebits=($line)
    # check if we are reading ssh port ipranges
    if [ "$reading" -eq 0 ] ; then
        # we are not reading ipranges
        # check if '22 tcp 22'
        if [ "${rulebits[0]}" == "22" ] && [ "${rulebits[1]}" == "tcp" ] && [ "${rulebits[2]}" == "22" ] ; then
            # found it
            reading=1
        fi
    else
        # we are reading ipranges
        # check if first word is 'IPRANGES'
        if [ "${rulebits[0]}" == "IPRANGES" ] ; then
            # found a cidr for open ssh port
            cidr=${rulebits[1]}
            echo -n "found port 22 open cidr $cidr closing..."
            # close it; the CLI exits non-zero if the revoke fails
            if aws ec2 revoke-security-group-ingress --group-id "$sg" --protocol tcp --port 22 --cidr "$cidr" > /dev/null ; then
                echo " OK"
            else
                echo " ERROR"
            fi
        else
            # new port
            reading=0
        fi
    fi
done <<< "$rules"
revoke-security-group-ingress
In version 2 we can specify multiple IP CIDRs. See below a solution written in PHP, in which I'm trying to clean up across multiple regions and multiple ports.
To specify multiple rules in a single command, use the --ip-permissions option https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html
<?php
$cleanports = [22, 5984];   // ports whose ingress rules should be removed
$sgids = [["sgid" => "sg1", "region" => "us-east-1"], ["sgid" => "sg1", "region" => "us-east-1"]];
foreach ($sgids as $sgidDetail) {
    // fetch the group's ingress rules as JSON (the query returns one list per group)
    $json = shell_exec("/usr/bin/aws ec2 describe-security-groups --group-ids {$sgidDetail['sgid']} --region {$sgidDetail['region']} --query 'SecurityGroups[*].IpPermissions'");
    $groups = json_decode($json, true);
    if (!is_array($groups) || empty($groups[0])) {
        echo "no ingress rules returned for {$sgidDetail['sgid']} in {$sgidDetail['region']}\n";
        continue;
    }
    foreach ($groups[0] as $ips) {
        // rules whose FromPort and ToPort are both in the clean-up list
        if (isset($ips['FromPort'], $ips['ToPort']) && in_array($ips['FromPort'], $cleanports) && in_array($ips['ToPort'], $cleanports)) {
            echo "\n\n";
            // pass the whole rule back so every source on it is revoked in one call
            echo shell_exec("/usr/bin/aws ec2 revoke-security-group-ingress --group-id {$sgidDetail['sgid']} --region {$sgidDetail['region']} --ip-permissions " . escapeshellarg(json_encode($ips)));
        }
    }
}
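The three answers differ in what they actually revoke: the per-CIDR loop and the text-parsing script only remove IPv4 ranges passed through --cidr, while the --ip-permissions form hands the whole rule back and so also covers IPv6 ranges, prefix lists and source security groups on the same rule. The added Python example below (not code from the question or any of the answers) works on the JSON that `describe-security-groups --query 'SecurityGroups[*].IpPermissions'` returns, using a constructed sample with made-up addresses and group IDs, and builds both command forms offline. It also separates rules that match the port exactly from rules whose range merely contains it: a revoke has to match a rule exactly, so a 20-25 rule is not removed by revoking port 22 and has to be listed on its own.

```python
import json
import shlex

# Constructed sample of
#   aws ec2 describe-security-groups --group-ids <sg> --query 'SecurityGroups[*].IpPermissions'
# for one group (the outer list has one entry per group). Addresses and IDs are made up.
SAMPLE_PERMISSIONS = json.loads("""
[[
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.5/32", "Description": "office"},
                {"CidrIp": "10.0.0.0/16"}],
   "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}],
   "PrefixListIds": [],
   "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000000", "UserId": "123456789012"}]},
  {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
   "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
   "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
   "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
]]
""")

# The four kinds of source a rule can carry in the describe output.
SOURCE_KEYS = ("IpRanges", "Ipv6Ranges", "PrefixListIds", "UserIdGroupPairs")


def rules_for_port(permissions, port, protocol="tcp"):
    """Split a group's IpPermissions into rules that are exactly protocol/port
    and rules whose port range merely contains it. A revoke must match a rule
    exactly, so the second kind is not removed by `--port <port>`."""
    exact, overlapping = [], []
    for rule in permissions:
        if rule.get("IpProtocol") != protocol:
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if lo is None or hi is None:        # "all traffic" rules carry no ports
            continue
        if lo == port and hi == port:
            exact.append(rule)
        elif lo <= port <= hi:
            overlapping.append(rule)
    return exact, overlapping


def per_cidr_commands(group_id, port, rules, protocol="tcp"):
    """One --cidr call per IPv4 range (the form the first two answers use).
    --cidr only addresses IpRanges; IPv6 ranges, prefix lists and source
    groups on the same rule are left untouched by these commands."""
    cmds = []
    for rule in rules:
        for r in rule.get("IpRanges", []):
            cmds.append(
                "aws ec2 revoke-security-group-ingress --group-id {} --protocol {} "
                "--port {} --cidr {}".format(group_id, protocol, port, r["CidrIp"])
            )
    return cmds


def ip_permissions_payload(rules):
    """Reduce the describe output to the fields a revoke needs, dropping empty
    source lists; every source type present on the rule is kept."""
    payload = []
    for rule in rules:
        entry = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
        for key in SOURCE_KEYS:
            if rule.get(key):
                entry[key] = rule[key]
        payload.append(entry)
    return payload


def single_command(group_id, rules):
    """One call that revokes every source of the matching rules (the CLI v2 form)."""
    payload = ip_permissions_payload(rules)
    return ("aws ec2 revoke-security-group-ingress --group-id {} --ip-permissions {}"
            .format(group_id, shlex.quote(json.dumps(payload))))


def count_sources(rules):
    """How many individual sources (v4, v6, prefix list, group) the rules carry."""
    return sum(len(rule.get(k, [])) for rule in rules for k in SOURCE_KEYS)


if __name__ == "__main__":
    sg = "sg-0123456789abcdef0"   # placeholder group ID
    exact, overlapping = rules_for_port(SAMPLE_PERMISSIONS[0], 22)
    print(single_command(sg, exact))
    for cmd in per_cidr_commands(sg, 22, exact):
        print(cmd)
    for rule in overlapping:
        print("not covered: tcp {}-{} contains port 22; revoke it as that range"
              .format(rule["FromPort"], rule["ToPort"]))
```

On the sample, the per-CIDR form yields two commands and leaves the IPv6 range and the bastion source group in place, while the --ip-permissions form removes all four sources in one call; the 20-25 rule is reported rather than silently skipped. Feeding real output into `rules_for_port` is a matter of replacing the constructed sample with `json.loads` of the CLI's stdout.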