1 Answer
Exporting security groups from the management console is mainly a tool for manual review, as in the case described here.

For import/export functionality, I would instead recommend using the AWS CLI or the API. With the CLI, we can use the `aws ec2 describe-security-group-rules` command to get a list of all rules in a specific group, output as JSON (see the example).

```
aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-0a53fe4abed0bb1e6"
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0c6a87099ccb11a83",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-013f9801176513efb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow SSH",
            "Tags": []
        }
    ]
}
```
Now suppose we want to add another inbound rule to this group; we can use the `aws ec2 authorize-security-group-ingress` command to insert the rule into the group.

```
aws ec2 authorize-security-group-ingress --group-id sg-0a53fe4abed0bb1e6 --protocol tcp --port 80 --cidr 0.0.0.0/0
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
```
We can now go back to the `aws ec2 describe-security-group-rules` command to verify the complete group configuration.

```
aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-0a53fe4abed0bb1e6"
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0c6a87099ccb11a83",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-013f9801176513efb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow SSH",
            "Tags": []
        }
    ]
}
```
AWS CLI Describe Security Group Rules: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-group-rules.html
AWS CLI Authorize Security Group Ingress: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html

Also, if continuously validating and remediating security group configuration is a concern, I would suggest looking into AWS Firewall Manager, since you can use it to build security group policies that audit, enforce and remediate security group configurations.
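The JSON that `describe-security-group-rules` emits is easy to audit offline. The following is an added example, not code from the answer above or from AWS: it parses that output (a constructed sample mirroring the three rules shown, without the `GroupId`/`GroupOwnerId`/`Tags` fields) and flags inbound rules that expose a sensitive port to `0.0.0.0/0` or `::/0`, treating `IpProtocol` `-1` as covering every port. The function and constant names and the `SENSITIVE_TCP_PORTS` set are assumptions chosen for the example.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape emitted by
# `aws ec2 describe-security-group-rules --filter Name=group-id,Values=<sg-id>`,
# mirroring the three rules shown in the answer above.
SAMPLE_OUTPUT = json.dumps({"SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0c6a87099ccb11a83", "IsEgress": True,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-013f9801176513efb", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0",
     "Description": "Allow SSH"},
]})

# Ports an auditor would not expect to be reachable from the whole internet.
# This set is an assumption for the example; align it with your own policy.
SENSITIVE_TCP_PORTS = {22, 3389, 3306, 5432}

def rule_covers_port(rule: dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port` (IpProtocol "-1" = all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def is_world_open(rule: dict) -> bool:
    """True if the rule's source is the entire IPv4 (0.0.0.0/0) or IPv6 (::/0) space."""
    for key in ("CidrIpv4", "CidrIpv6"):
        cidr = rule.get(key)
        if cidr and ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False  # rules sourced from another group or a prefix list are not flagged

def find_world_open_ingress(describe_output: str, ports=SENSITIVE_TCP_PORTS) -> list:
    """Parse describe-security-group-rules JSON; return (rule id, exposed ports)
    for every inbound rule that opens a sensitive port to the whole internet."""
    findings = []
    for rule in json.loads(describe_output).get("SecurityGroupRules", []):
        if rule.get("IsEgress") or not is_world_open(rule):
            continue
        exposed = sorted(p for p in ports if rule_covers_port(rule, p))
        if exposed:
            findings.append((rule["SecurityGroupRuleId"], exposed))
    return findings
```

Run it against real output by piping the CLI command's stdout into `find_world_open_ingress`; on the sample above only the `Allow SSH` rule is reported.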