是否可以复制 AWS 安全组?

tag-icon tag-icon security amazon-web-services
是否可以复制 AWS 安全组?

我们有一些安全组,其中包含相当多的规则。与其为了适应细微的差异而为许多安全组重新创建相同的规则,是否可以复制一个安全组作为起点,或者使用继承等?

答案1

似乎无法从 Web 界面复制安全组。不过,您可以使用AWS CLI创建安全组

命令 :

$ aws ec2 describe-security-groups --group-id MySecurityGroupID

输出 :

{
    "securityGroupInfo": [
        {
            "ipPermissionsEgress": [],
            "groupId": "sg-903004f8",
            "ipPermissions": [],
            "groupName": "MySecurityGroup",
            "ownerId": "803981987763",
            "groupDescription": "AWS-CLI-Example"
        }
    ],
    "requestId": "afb680df-d7b1-4f6a-b1a7-344fdb1e3532"
}

并使用命令添加规则:

aws ec2 authorize-security-group-ingress --group-id MySecurityGroupID --ip-protocol tcp --from-port 22 --to-port 22 --cidr-ip 0.0.0.0/0

输出:

{
    "return": "true",
    "requestId": "c24a1c93-150b-4a0a-b56b-b149c0e660d2"
}

从那里您应该能够弄清楚如何简化安全组的创建。

答案2

AWS EC2 控制台现在允许您选择安全组并在 UI 中执行“复制到新的”操作。

答案3

这是我编写的自定义库中的“复制安全组”python / boto 方法,旨在使这些事情变得更容易/自动化。最终这是我想到的解决方案。

vpcId is the Virtual Private Cloud Id
keys is a dictionary with your AWS keys

其余的事情就很容易解决了。

def copyEC2SecurityGroup(self, keys, region, securityGroupName, newSecurityGroupName = None, newRegion = None, vpcId = None):


newEc2Connection = None
print("Creating ec2Connection for source region: " + region)
ec2Connection = lib.getEc2Connection(region, keys)

if newRegion is None:
    newRegion = region
else:
    print("New Region Detected, creating for New region: " + newRegion)
    newEc2Connection = lib.getEc2Connection(newRegion, keys)
    newRegionInfo = newEc2Connection.region

print("new region is: %s" % newRegion)

if newSecurityGroupName is None:
    newSecurityGroupName = securityGroupName

print ("new security group is: %s" % newSecurityGroupName)

# if copying in the same region the new security group cannot have the same name.
if newRegion == region:
    if newSecurityGroupName == securityGroupName:
        print ("Old and new security groups cannot have the same name when copying to the same region.")
        exit(1)

groups = [group for group in ec2Connection.get_all_security_groups() if group.name == securityGroupName]
print"got groups count " + str(len(groups))
if groups:
    theOldGroup = groups[0]
    print theOldGroup.rules
else:
    print("Can't find security group by the name of: %s" % securityGroupName)
    exit(1)
print groups
pprint(theOldGroup)

if newEc2Connection is not None:
    print("Creating new security group in new region")
    sg = newEc2Connection.create_security_group(newSecurityGroupName, newSecurityGroupName, vpcId)
    sleep(5)
else:
    print("Creating new security group in current region")
    sg = ec2Connection.create_security_group(newSecurityGroupName, newSecurityGroupName, vpcId)
    sleep(5)

source_groups = []
for rule in theOldGroup.rules:
    for grant in rule.grants:
        strGrant = str(grant)
        print(strGrant)
        if strGrant.startswith("sg"):
            print("Cannot copy 'security group rule' (%s)... only cidr_ip's e.g. xxx.xxx.xxx.xxx/yy." % strGrant)
            continue
        grant_nom = grant.name or grant.group_id
        if grant_nom:
            if grant_nom not in source_groups:
                source_groups.append(grant_nom)
                sg.authorize(rule.ip_protocol, rule.from_port, rule.to_port, grant)
        else:
            sg.authorize(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip)
return sg

答案4

考虑看看这个博客。它可能会对你正在看的内容有用。

http://ry4an.org/unblog/post/ec2_security_group_tools/

相关内容