By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

export and import security group rules

0

We have a big ugly mess with the rules for a particular group of servers. I'd like to export them, edit them and import them again. I was successful in exporting the rules as a CSV, though the import is a bit flawed, but I can't find any way to import them again. Am I missing something or was this a one-way operation?
Failing this, can I dump the rules in one group as, for instance, json or yaml, or even xml, edit them externally, and put them back? Please help me by telling me AWS CLI command names, console operations, or whatever is available. I'm perfectly willing to read and research, but I haven't found a starting point.

Topics
Networking & Content Delivery
Tags
Security Group
Language
English
Ed Greenberg
asked a year ago3442 views
1 Answer
1
Accepted Answer

Hello,

Exporting Security Groups through the management console is primarily a tool that could be used to perform manual audits, as it sounds like is the case here.

For export/import functionality, I would also recommend using the AWS CLI or API. If using the CLI, we can use the aws ec2 describe-security-group-rules command to provide a listing of all rules of a particular group, with output in JSON format (see example).

aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-0a53fe4abed0bb1e6"

{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0c6a87099ccb11a83",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-013f9801176513efb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow SSH",
            "Tags": []
        }
    ]
}

Now let's say that we want to add an additional ingress rule to this group, in which case we can use the aws ec2 authorize-security-group-ingress command to insert a rule into a group.

aws ec2 authorize-security-group-ingress --group-id sg-0a53fe4abed0bb1e6 --protocol tcp --port 80 --cidr 0.0.0.0/0
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}

Now we can again return to use the aws ec2 describe-security-group-rules command to verify the complete group configuration.

aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-0a53fe4abed0bb1e6"
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0c6a87099ccb11a83",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-013f9801176513efb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow SSH",
            "Tags": []
        }
    ]
}

AWS CLI Describe Security Group Rules https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-group-rules.html

AWS CLI Authorize Security Group Ingress https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html

Also, if ongoing validation and remediation of security group configuration is of concern, I would suggest investigating AWS Firewall Manager as you can use it to build security group policies for audit/enforcement/remediation of security group configurations.

https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html

profile pictureAWS
Darren R
answered a year ago
profile pictureAWS
EXPERT
Brettski-AWS
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content