Bil*_*mus 20 security amazon-web-services
我们有一些安全组,其中有很多规则。与其为了适应细微差别而不必为多个安全组重新创建相同的规则,是否可以复制一个安全组以用作起点,或使用继承等?
rtf*_*rtf 18
看起来您无法从 Web 界面复制安全组。但是,您可以使用AWS CLI来创建安全组:
命令 :
$ aws ec2 describe-security-groups --group-id MySecurityGroupID
输出 :
{
"securityGroupInfo": [
{
"ipPermissionsEgress": [],
"groupId": "sg-903004f8",
"ipPermissions": [],
"groupName": "MySecurityGroup",
"ownerId": "803981987763",
"groupDescription": "AWS-CLI-Example"
}
],
"requestId": "afb680df-d7b1-4f6a-b1a7-344fdb1e3532"
}
并使用命令添加规则:
aws ec2 authorize-security-group-ingress --group-id MySecurityGroupID --ip-protocol tcp --from-port 22 --to-port 22 --cidr-ip 0.0.0.0/0
输出:
{
"return": "true",
"requestId": "c24a1c93-150b-4a0a-b56b-b149c0e660d2"
}
从那里您应该能够弄清楚如何简化安全组的创建。
这是我编写的自定义库中的“复制安全组”python/boto 方法,目的是使这些事情变得更容易/自动化。最终,这是我想出的解决方案。
vpcId is the Virtual Private Cloud Id
keys is a dictionary with your AWS keys
其余的应该很容易弄清楚。
def copyEC2SecurityGroup(self, keys, region, securityGroupName, newSecurityGroupName = None, newRegion = None, vpcId = None):
newEc2Connection = None
print("Creating ec2Connection for source region: " + region)
ec2Connection = lib.getEc2Connection(region, keys)
if newRegion is None:
newRegion = region
else:
print("New Region Detected, creating for New region: " + newRegion)
newEc2Connection = lib.getEc2Connection(newRegion, keys)
newRegionInfo = newEc2Connection.region
print("new region is: %s" % newRegion)
if newSecurityGroupName is None:
newSecurityGroupName = securityGroupName
print ("new security group is: %s" % newSecurityGroupName)
# if copying in the same region the new security group cannot have the same name.
if newRegion == region:
if newSecurityGroupName == securityGroupName:
print ("Old and new security groups cannot have the same name when copying to the same region.")
exit(1)
groups = [group for group in ec2Connection.get_all_security_groups() if group.name == securityGroupName]
print"got groups count " + str(len(groups))
if groups:
theOldGroup = groups[0]
print theOldGroup.rules
else:
print("Can't find security group by the name of: %s" % securityGroupName)
exit(1)
print groups
pprint(theOldGroup)
if newEc2Connection is not None:
print("Creating new security group in new region")
sg = newEc2Connection.create_security_group(newSecurityGroupName, newSecurityGroupName, vpcId)
sleep(5)
else:
print("Creating new security group in current region")
sg = ec2Connection.create_security_group(newSecurityGroupName, newSecurityGroupName, vpcId)
sleep(5)
source_groups = []
for rule in theOldGroup.rules:
for grant in rule.grants:
strGrant = str(grant)
print(strGrant)
if strGrant.startswith("sg"):
print("Cannot copy 'security group rule' (%s)... only cidr_ip's e.g. xxx.xxx.xxx.xxx/yy." % strGrant)
continue
grant_nom = grant.name or grant.group_id
if grant_nom:
if grant_nom not in source_groups:
source_groups.append(grant_nom)
sg.authorize(rule.ip_protocol, rule.from_port, rule.to_port, grant)
else:
sg.authorize(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip)
return sg
| 归档时间: |
|
| 查看次数: |
28581 次 |
| 最近记录: |