Aws
Config를 이용해서 Ec2-SecurityGroup REVOKE
wngnl05
2024. 12. 27. 14:59
Config 규칙을 만들 때 트리거 범위를 전체 보안 그룹(AWS::EC2::SecurityGroup)의 구성 변경 이벤트로 지정해, 보안 그룹이 바뀔 때마다 람다가 호출되도록 한다.
Config가 람다를 호출할 수 있도록 람다의 리소스 기반 정책에 권한 추가하기 (람다 실행 역할에는 코드가 실제로 호출하는 ec2:DescribeInstances, ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress/Egress, ec2:RevokeSecurityGroupIngress/Egress 권한이 별도로 필요하다)
aws lambda add-permission --function-name <람다 이름> --action lambda:InvokeFunction --statement-id config --principal config.amazonaws.com --source-account <계정 ID>
※ --source-account 없이 principal만 지정하면 다른 AWS 계정의 Config 서비스도 이 람다를 호출할 수 있으므로(confused deputy), 호출 주체를 내 계정 ID로 제한한다.
Python Code
import json
import boto3
from datetime import datetime
# Module-level so the resource is built once per container and reused by warm
# invocations; region and credentials come from the Lambda execution environment.
ec2 = boto3.resource('ec2')
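def lambda_handler(event, context, *, ec2_resource=None):
    """Force the security groups of every EC2 instance tagged ``Name=wsi-test`` to a fixed TCP allowlist.

    Triggered by AWS Config. The Config payload in ``event`` is not inspected:
    every run reconciles all instances carrying the tag, not only the resource
    Config reported on. For each security group attached to a matching instance:

    1. revoke every inbound rule that is not a single-port TCP rule on
       ``inbound_ports`` (22, 80, 3306) and every outbound rule that is not a
       single-port TCP rule on ``outbound_ports`` (22, 80, 443). Unlike a
       FromPort-only check this also catches ``IpProtocol='-1'`` "all traffic"
       rules (the default egress rule, or an inbound allow-all), which carry no
       FromPort at all, as well as UDP/ICMP rules and TCP port *ranges* that
       merely start on an allowed port;
    2. authorize ``tcp/<port>`` from/to ``0.0.0.0/0`` for each allowed port,
       treating ``InvalidPermission.Duplicate`` as "already present".

    Args:
        event: Config invocation payload (unused).
        context: Lambda context object (unused).
        ec2_resource: boto3 ``ec2`` resource to use; defaults to the module-level
            ``ec2``. Injectable so the reconciliation can be unit-tested without AWS.

    Returns:
        ``{'groups': n, 'revoked': n, 'authorized': n}`` — useful in the
        CloudWatch log; Config ignores the handler's return value.

    Raises:
        Any AWS error other than ``InvalidPermission.Duplicate`` (for example
        ``UnauthorizedOperation`` when the execution role lacks
        ec2:Revoke*/Authorize*) is re-raised so a failed remediation fails the
        invocation instead of being silently skipped.

    Security notes (review):
      * The target state deliberately exposes SSH (22) and MySQL (3306) to
        0.0.0.0/0. That is acceptable for a throw-away lab instance only;
        narrow the CIDR before reusing this outside the ``wsi-test`` scenario.
      * A security group is shared by every instance that references it, so
        the revokes affect more than the tagged instance.
      * Revoking the default all-traffic egress rule also blocks UDP 53 (DNS),
        NTP and anything else not on the TCP allowlist.
    """
    instance_name = 'wsi-test'
    inbound_ports = (22, 80, 3306)
    outbound_ports = (22, 80, 443)
    resource = ec2 if ec2_resource is None else ec2_resource

    instances = resource.instances.filter(
        Filters=[{'Name': 'tag:Name', 'Values': [instance_name]}]
    )
    summary = {'groups': 0, 'revoked': 0, 'authorized': 0}
    reconciled = set()
    for instance in instances:
        for sg in instance.security_groups:
            group_id = sg['GroupId']
            # Two tagged instances may share a group; a second pass would only
            # re-issue duplicate authorize calls, so do each group once per run.
            if group_id in reconciled:
                continue
            reconciled.add(group_id)
            revoked, authorized = _reconcile_group(
                resource.SecurityGroup(group_id), inbound_ports, outbound_ports
            )
            summary['groups'] += 1
            summary['revoked'] += revoked
            summary['authorized'] += authorized
            print(f"Security group rules updated for {sg['GroupId']}")
    return summary


def _reconcile_group(security_group, inbound_ports, outbound_ports):
    """Bring one security group to the allowlist; return ``(revoked, authorized)`` counts.

    Revokes run before authorizes (as in the original) so an over-broad rule is
    removed before the narrow replacements are added.
    """
    revoked = _revoke_noncompliant(
        security_group.ip_permissions, inbound_ports, security_group.revoke_ingress
    )
    revoked += _revoke_noncompliant(
        security_group.ip_permissions_egress, outbound_ports, security_group.revoke_egress
    )
    authorized = _authorize_world_tcp(inbound_ports, security_group.authorize_ingress)
    authorized += _authorize_world_tcp(outbound_ports, security_group.authorize_egress)
    return revoked, authorized


def _is_compliant(permission, allowed_ports):
    """Return True iff *permission* is a single-port TCP rule whose port is in *allowed_ports*.

    ``permission`` is one ``IpPermissions`` entry as returned by DescribeSecurityGroups.
    ``IpProtocol='-1'`` rules have no FromPort/ToPort and are therefore never compliant.
    The source/destination (CIDR, prefix list or referenced group) is *not* checked,
    matching the original behaviour: a narrower ``tcp/22`` rule from a private CIDR is kept.
    """
    if permission.get('IpProtocol') != 'tcp':
        return False
    from_port = permission.get('FromPort')
    to_port = permission.get('ToPort')
    return from_port is not None and from_port == to_port and from_port in allowed_ports


def _revoke_noncompliant(permissions, allowed_ports, revoke):
    """Revoke each rule in *permissions* that fails ``_is_compliant``; return the count revoked.

    ``revoke`` is ``SecurityGroup.revoke_ingress`` or ``revoke_egress``; the describe
    output is passed back verbatim, which is what the revoke API accepts.
    """
    count = 0
    for permission in permissions:
        if not _is_compliant(permission, allowed_ports):
            revoke(IpPermissions=[permission])
            count += 1
    return count


def _authorize_world_tcp(ports, authorize):
    """Authorize ``tcp/<port>`` from/to 0.0.0.0/0 for each port; return how many were newly created.

    ``authorize`` is ``SecurityGroup.authorize_ingress`` or ``authorize_egress``.
    ``InvalidPermission.Duplicate`` means the rule already exists and is skipped;
    any other error propagates.
    """
    count = 0
    for port in ports:
        rule = {
            'IpProtocol': 'tcp',
            'FromPort': port,
            'ToPort': port,
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}],
        }
        try:
            authorize(IpPermissions=[rule])
        except Exception as exc:  # botocore ClientError; botocore itself is not imported here
            if _aws_error_code(exc) != 'InvalidPermission.Duplicate':
                raise
        else:
            count += 1
    return count


def _aws_error_code(exc):
    """Return the AWS error code carried by a botocore ``ClientError``-like exception, else ''.

    Duck-typed on ``exc.response['Error']['Code']`` so this module only needs boto3
    (the file does not import botocore); anything without that shape yields ''.
    """
    response = getattr(exc, 'response', None)
    if not isinstance(response, dict):
        return ''
    return str(response.get('Error', {}).get('Code', ''))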