Config를 이용해서 Ec2-SecurityGroup REVOKE

Config 만들때 전체 보안그룹 이벤트 확인

 

람다에 Config가 접근할 수 있도록 권한 추가하기

aws lambda add-permission --function-name <람다 이름> --action lambda:InvokeFunction --statement-id config --principal config.amazonaws.com

 

 

Python Code

import json
import boto3
from datetime import datetime

ec2 = boto3.resource('ec2')

def lambda_handler(event, context):
    instance_name = "wsi-test"
    inbound_ports = [22, 80, 3306]
    outbound_ports = [22, 80, 443]
    
    instances = ec2.instances.filter(Filters=[{'Name': 'tag:Name', 'Values': [instance_name]}])
    for instance in instances:
        instance_id = instance.id
        security_groups = instance.security_groups
        for sg in security_groups:
            security_group = ec2.SecurityGroup(sg['GroupId'])
            
            # 인바운드 규칙 삭제
            ingress_permissions = security_group.ip_permissions
            for permission in ingress_permissions:
                if 'FromPort' in permission and permission['FromPort'] not in inbound_ports:
                    security_group.revoke_ingress(
                        IpPermissions=[permission]
                    )
                else:
                    pass
                    
            # 아웃바운드 규칙 삭제
            egress_permissions = security_group.ip_permissions_egress
            for permission in egress_permissions:
                if 'FromPort' in permission and permission['FromPort'] not in outbound_ports:
                    security_group.revoke_egress(
                        IpPermissions=[permission]
                    )
                else:
                    pass
                    
            # 인바운드 규칙 추가
            for port in inbound_ports:
                try:
                    security_group.authorize_ingress(
                        IpPermissions=[{'IpProtocol': 'tcp', 'FromPort': port, 'ToPort': port, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
                    )
                except Exception as e:
                    pass
            
            # 아웃바운드 규칙 추가
            for port in outbound_ports:
                try:
                    security_group.authorize_egress(
                        IpPermissions=[{'IpProtocol': 'tcp', 'FromPort': port, 'ToPort': port, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
                    )
                except Exception as e:
                    pass
            print(f"Security group rules updated for {sg['GroupId']}")