如何编辑VPC的默认安全组(或任何其他已存在的安全组)?我的目标是关闭默认安全组,即不保留任何入口或出口规则。
发布于 2022-10-22 05:44:29
有关AWS CDK(Python)的用法,请参阅此处的文档 https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroupEgress.html
使用AWS boto3 SDK,您可以通过以下方式完成。这里您必须提供VPC默认安全组的ID。
import logging
import boto3
from botocore.exceptions import ClientError
import json
AWS_REGION = 'us-east-1'

# Root logger at INFO so the progress messages emitted below are visible.
logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s: %(levelname)s: %(message)s',
)
logger = logging.getLogger()

# Low-level EC2 client used by the revoke helpers, pinned to AWS_REGION.
vpc_client = boto3.client("ec2", region_name=AWS_REGION)
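def delete_ingress_rule(security_group_id, ip_permissions):
    """Revoke ingress rules from a security group.

    Args:
        security_group_id: id of the security group (``sg-...``).
        ip_permissions: list of IpPermission dicts in the shape the describe
            API returns (e.g. ``SecurityGroup.ip_permissions``).

    Returns:
        The ``revoke_security_group_ingress`` response dict, or ``None`` when
        the call failed with a ``ClientError`` (the error is logged here).
    """
    try:
        response = vpc_client.revoke_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=ip_permissions)
    except ClientError:
        # logger.exception already attaches the traceback. The previous form
        # passed ``e`` as a positional argument with no %s placeholder in the
        # message, so the record failed to format and logging printed a
        # "--- Logging error ---" instead of the intended line.
        logger.exception(
            'Could not delete ingress security group rule for %s.',
            security_group_id)
        return None
    return response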
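def delete_egress_rule(security_group_id, ip_permissions):
    """Revoke egress rules from a security group.

    Args:
        security_group_id: id of the security group (``sg-...``).
        ip_permissions: list of IpPermission dicts in the shape the describe
            API returns (e.g. ``SecurityGroup.ip_permissions_egress``).

    Returns:
        The ``revoke_security_group_egress`` response dict, or ``None`` when
        the call failed with a ``ClientError`` (the error is logged here).
    """
    try:
        response = vpc_client.revoke_security_group_egress(
            GroupId=security_group_id,
            IpPermissions=ip_permissions)
    except ClientError:
        # logger.exception already attaches the traceback. The previous form
        # passed ``e`` as a positional argument with no %s placeholder in the
        # message, so the record failed to format and logging printed a
        # "--- Logging error ---" instead of the intended line.
        logger.exception(
            'Could not delete egress security group rule for %s.',
            security_group_id)
        return None
    return response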
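if __name__ == '__main__':
    # Target security group; for the stated goal this is the VPC's *default*
    # security group, which cannot be deleted and so is "closed" by removing
    # every ingress and egress rule.
    SECURITY_GROUP_ID = "sg-099a2f114393e9258"
    # Pin the resource to the same region as vpc_client so both talk about
    # the same security group (the previous call used the profile default).
    ec2 = boto3.resource('ec2', region_name=AWS_REGION)
    sg = ec2.SecurityGroup(SECURITY_GROUP_ID)

    # (direction, attribute name used in log lines, current rules, revoke fn)
    rule_sets = (
        ('ingress', 'ip_permissions', sg.ip_permissions, delete_ingress_rule),
        ('egress', 'ip_permissions_egress', sg.ip_permissions_egress, delete_egress_rule),
    )
    for direction, attr_name, permissions, revoke in rule_sets:
        logger.info(
            f'Found {len(permissions)} {direction} {attr_name} for security group {SECURITY_GROUP_ID}.')
        if not permissions:
            # Nothing to revoke for this direction.
            continue
        # The message now names the rule set actually being removed; the
        # ingress branch previously said "ip_permissions_egress".
        logger.info(f'Removing all {attr_name} of security group {SECURITY_GROUP_ID}')
        # ``rule`` is None when the helper caught a ClientError (logged
        # there); json.dumps renders that as null.
        rule = revoke(SECURITY_GROUP_ID, permissions)
        logger.info(
            f'{SECURITY_GROUP_ID} Security group {attr_name} rule(s) deleted: \n{json.dumps(rule, indent=4)}'
        )

    # Re-read the group and confirm the end state instead of trusting the
    # revoke responses alone.
    sg.reload()
    remaining = len(sg.ip_permissions) + len(sg.ip_permissions_egress)
    if remaining:
        logger.warning(
            f'{SECURITY_GROUP_ID} still has {remaining} rule(s) after revocation.')
    else:
        logger.info(f'{SECURITY_GROUP_ID} now has no ingress or egress rules.')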
输出:
2022-10-24 17:44:25,061: INFO: Found credentials in shared credentials file: ~/.aws/credentials
2022-10-24 17:44:26,393: INFO: Found 2 ingress ip_permissions for security group sg-099a2f114393e9258.
2022-10-24 17:44:26,393: INFO: Removing all ip_permissions_egress of security group sg-099a2f114393e9258
2022-10-24 17:44:27,665: INFO: sg-099a2f114393e9258 Security group ip_permissions rule(s) deleted:
{
"Return": true,
"ResponseMetadata": {
"RequestId": "7b54821b-25e4-49ba-b67b-054003125a95",
"HTTPStatusCode": 200,
"HTTPHeaders": {
"x-amzn-requestid": "7b54821b-25e4-49ba-b67b-054003125a95",
"cache-control": "no-cache, no-store",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"content-type": "text/xml;charset=UTF-8",
"content-length": "253",
"date": "Mon, 24 Oct 2022 12:14:26 GMT",
"server": "AmazonEC2"
},
"RetryAttempts": 0
}
}
2022-10-24 17:44:27,665: INFO: Found 2 egress ip_permissions for security group sg-099a2f114393e9258.
2022-10-24 17:44:27,665: INFO: Removing all ip_permissions_egress of security group sg-099a2f114393e9258
2022-10-24 17:44:28,177: INFO: sg-099a2f114393e9258 Security group ip_permissions_egress rule(s) deleted:
{
"Return": true,
"ResponseMetadata": {
"RequestId": "8bd10e3d-ed59-42f9-8f79-ba83f5985229",
"HTTPStatusCode": 200,
"HTTPHeaders": {
"x-amzn-requestid": "8bd10e3d-ed59-42f9-8f79-ba83f5985229",
"cache-control": "no-cache, no-store",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"content-type": "text/xml;charset=UTF-8",
"content-length": "251",
"date": "Mon, 24 Oct 2022 12:14:27 GMT",
"server": "AmazonEC2"
},
"RetryAttempts": 0
}
}
如果要删除某个VPC中默认安全组的所有入口和出口规则,可以使用以下基于VPC_ID的方法。
import boto3
from botocore.exceptions import ClientError
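VPC_ID = "vpc-0b27a2237825184ae"
ec2 = boto3.resource('ec2')
vpc = ec2.Vpc(VPC_ID)
try:
    # ``vpc.security_groups`` is already scoped to VPC_ID. Matching on the
    # ``group-name`` filter works for default and non-default VPCs alike,
    # whereas the ``GroupNames`` parameter used previously is documented for
    # the default VPC only.
    default_security_groups = vpc.security_groups.filter(
        Filters=[{'Name': 'group-name', 'Values': ['default']}]
    )
    for security_group in default_security_groups:
        print(security_group)
        try:
            # Only call the revoke APIs when there is something to remove.
            if security_group.ip_permissions:
                security_group.revoke_ingress(
                    IpPermissions=security_group.ip_permissions)
            if security_group.ip_permissions_egress:
                security_group.revoke_egress(
                    IpPermissions=security_group.ip_permissions_egress)
            # Re-read and report the end state so a partial failure is visible.
            security_group.reload()
            print(
                f'{security_group.id}: {len(security_group.ip_permissions)} ingress, '
                f'{len(security_group.ip_permissions_egress)} egress rule(s) remaining')
        except ClientError as e:
            # AWS rejected a revoke for this group; continue with the others.
            print(e)
except ClientError as e:
    print(e)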
但对于非默认VPC,boto3文档建议改用组名筛选器(group-name filter)按名称描述安全组,而这方面的文档并不充分。
通过AWS控制台,遵循以下步骤:
VPC安全组https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#SecurityGroups
对于Terraform和CLI,做法也是一样的。
https://stackoverflow.com/questions/74150534