社区首页 >问答首页 >用CDK编辑VPC聋安全组

问用CDK编辑VPC聋安全组
EN

Stack Overflow用户

提问于 2022-10-21 00:03:41

回答 1查看 71关注 0票数 -2

如何编辑VPC默认安全性(或任何其他已存在的安全组)？我的目标是使默认的安全组关闭，即没有入口或出口规则。

amazon-web-services

aws-cdk

amazon-vpc

回答 1

Stack Overflow用户

发布于 2022-10-21 21:44:29

有关AWS Python ，请参阅此处的文档https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroupEgress.html

使用AWS boto3 SDK，您可以通过以下方式完成它。在这里，您必须在这里提供VPC的默认安全组。

import logging
import boto3
from botocore.exceptions import ClientError
import json

AWS_REGION = 'us-east-1'

logger = logging.getLogger()
logging.basicConfig(level=logging.INFO,
                    format='%(asctime)s: %(levelname)s: %(message)s')

vpc_client = boto3.client("ec2", region_name=AWS_REGION)


def delete_ingress_rule(security_group_id, ip_permissions):
    # Deletes a security group ingress rule.
    try:
        response = vpc_client.revoke_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=ip_permissions)

    except ClientError as e:
        logger.exception('Could not delete ingress security group rule.', e)
    else:
        return response


def delete_egress_rule(security_group_id, ip_permissions):
    # Deletes a security group egress rule.
    try:
        response = vpc_client.revoke_security_group_egress(
            GroupId=security_group_id,
            IpPermissions=ip_permissions)

    except ClientError as e:
        logger.exception('Could not delete egress security group rule.', e)
    else:
        return response


if __name__ == '__main__':

    SECURITY_GROUP_ID = "sg-099a2f114393e9258"
    ec2 = boto3.resource('ec2')

    sg = ec2.SecurityGroup(SECURITY_GROUP_ID)

    if sg.ip_permissions:
        logger.info(f'Found {len(sg.ip_permissions)} ingress ip_permissions for security group {SECURITY_GROUP_ID}.')
        logger.info(f'Removing all ip_permissions_egress of security group {SECURITY_GROUP_ID}')
        rule = delete_ingress_rule(SECURITY_GROUP_ID, sg.ip_permissions)
        logger.info(
            f'{SECURITY_GROUP_ID} Security group ip_permissions rule(s) deleted: \n{json.dumps(rule, indent=4)}'
        )
    else:
        logger.info(
            f'Found {len(sg.ip_permissions)} ingress ip_permissions for security group {SECURITY_GROUP_ID}.')
    if sg.ip_permissions_egress:
        logger.info(
            f'Found {len(sg.ip_permissions_egress)} egress ip_permissions for security group {SECURITY_GROUP_ID}.')
        logger.info(f'Removing all ip_permissions_egress of security group {SECURITY_GROUP_ID}')
        rule = delete_egress_rule(SECURITY_GROUP_ID, sg.ip_permissions_egress)
        logger.info(
            f'{SECURITY_GROUP_ID} Security group ip_permissions_egress rule(s) deleted: \n{json.dumps(rule, indent=4)}'
        )
    else:
        logger.info(
            f'Found {len(sg.ip_permissions_egress)} egress ip_permissions for security group {SECURITY_GROUP_ID}.')

输出：

2022-10-24 17:44:25,061: INFO: Found credentials in shared credentials file: ~/.aws/credentials
2022-10-24 17:44:26,393: INFO: Found 2 ingress ip_permissions for security group sg-099a2f114393e9258.
2022-10-24 17:44:26,393: INFO: Removing all ip_permissions_egress of security group sg-099a2f114393e9258
2022-10-24 17:44:27,665: INFO: sg-099a2f114393e9258 Security group ip_permissions rule(s) deleted: 
{
    "Return": true,
    "ResponseMetadata": {
        "RequestId": "7b54821b-25e4-49ba-b67b-054003125a95",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "7b54821b-25e4-49ba-b67b-054003125a95",
            "cache-control": "no-cache, no-store",
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "content-type": "text/xml;charset=UTF-8",
            "content-length": "253",
            "date": "Mon, 24 Oct 2022 12:14:26 GMT",
            "server": "AmazonEC2"
        },
        "RetryAttempts": 0
    }
}
2022-10-24 17:44:27,665: INFO: Found 2 egress ip_permissions for security group sg-099a2f114393e9258.
2022-10-24 17:44:27,665: INFO: Removing all ip_permissions_egress of security group sg-099a2f114393e9258
2022-10-24 17:44:28,177: INFO: sg-099a2f114393e9258 Security group ip_permissions_egress rule(s) deleted: 
{
    "Return": true,
    "ResponseMetadata": {
        "RequestId": "8bd10e3d-ed59-42f9-8f79-ba83f5985229",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "8bd10e3d-ed59-42f9-8f79-ba83f5985229",
            "cache-control": "no-cache, no-store",
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "content-type": "text/xml;charset=UTF-8",
            "content-length": "251",
            "date": "Mon, 24 Oct 2022 12:14:27 GMT",
            "server": "AmazonEC2"
        },
        "RetryAttempts": 0
    }
}

如果要删除默认VPC的所有入口和出口规则，可以使用以下基于VPC_ID的方法。

import boto3

VPC_ID = "vpc-0b27a2237825184ae"

ec2 = boto3.resource('ec2')
vpc = ec2.Vpc(VPC_ID)

try:
    vpc_security_group_default_iterator = vpc.security_groups.filter(
        # GroupIds=['string'], # The IDs of the security groups. Required for security groups in a non-default VPC.
        GroupNames=['default']
    )
    for vpc_security_group_default_it in vpc_security_group_default_iterator:
        print(vpc_security_group_default_it)
        try:
            vpc_security_group_default_it.revoke_ingress(IpPermissions=vpc_security_group_default_it.ip_permissions)
            vpc_security_group_default_it.revoke_egress(
                IpPermissions=vpc_security_group_default_it.ip_permissions_egress)
        except Exception as e:
            print(e)

except Exception as e:
    print(e)