如何将出口规则应用于默认安全组 - AWS

I want to apply a port 443 outbound rule to the "Default" security group. It works by creating a dedicated block for the outbound rule (commented out). I don't want to create a new block; instead I want to apply the rule within the WebServerSecurityGroup resource itself by referencing VPC.DefaultSecurityGroup under a second SecurityGroupEgress block. However, it doesn't work. Could you please suggest how I can achieve this?

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation Sample Template VPC_with_PublicIPs_And_DNS: Sample
  template that creates a VPC with DNS and public IPs enabled. Note that you are billed
  for the AWS resources that you use when you create a stack from this template.'
Parameters:
  KeyPair:
    Description: Name of the keypair to use for SSH access
    Type: String
  Name:
    Description: Name of the keypair to use for SSH access
    Type: String
    Default: LinuxMachine  
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      CidrBlock: 10.0.0.0/16
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VPC
      CidrBlock: 10.0.0.0/24
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId:
        Ref: PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet
      RouteTableId:
        Ref: PublicRouteTable
  PublicSubnetNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet
      NetworkAclId:
        Fn::GetAtt:
        - VPC
        - DefaultNetworkAcl
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable HTTP ingress
      VpcId:
        Ref: VPC
  # Apply outbound rules to ec2 security group      
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: '22'
        ToPort: '22'
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: 127.0.0.0/0
# WIP - Default Security group        
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: 0.0.0.0/0
        GroupId: !GetAtt VPC.DefaultSecurityGroup

# Apply outbound rules to 'Default' Security Group
  # OutboundRule:  
  #   Type: AWS::EC2::SecurityGroupEgress
  #   Properties:
  #       GroupId:
  #         Fn::GetAtt:
  #           - VPC
  #           - DefaultSecurityGroup
  #       IpProtocol: tcp
  #       FromPort: '443'
  #       ToPort: '443'
  #       CidrIp: 0.0.0.0/0 

  WebServerInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-09e67e426f25ce0d7
      Tags:
        - Key: Name
          Value: !Ref Name
      NetworkInterfaces:
      - GroupSet:
        - Ref: WebServerSecurityGroup
        AssociatePublicIpAddress: 'true'
        DeviceIndex: '0'
        DeleteOnTermination: 'true'
        SubnetId:
          Ref: PublicSubnet
      KeyName:
        Ref: KeyPair


Answer 1

You can't have both CidrIp and GroupId in an egress rule. One or the other. This works:

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      CidrBlock: 10.0.0.0/16
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable HTTP ingress
      VpcId:
        Ref: VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        DestinationSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup

It creates the outbound rule to the Default security group as requested:

[screenshot: Security Group]

But is that really what you want? Why would you allow access to the non-existent instances in the Default SG? It really doesn't exist, because we just created the VPC...


Also, allowing access from 0.0.0.0/0 isn't a good idea either - use SSM instead and you don't need to open inbound SSH at all. 127.0.0.0/0 should be /8 if anything, but it's actually not needed, because localhost traffic isn't controlled by security groups.

Hope that helps :)
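As an added example (not code from the question or the answer above), here is a small lint pass in Python over a parsed CloudFormation template that catches the mistakes discussed on this page before `create-stack` does: a GroupId placed on an inline egress entry (inline AWS::EC2::SecurityGroup.Egress entries have no such property; attaching a rule to another group, such as the VPC's default group, needs a standalone AWS::EC2::SecurityGroupEgress resource), an egress rule that names more than one destination (CidrIp together with DestinationSecurityGroupId), and SSH open to 0.0.0.0/0. CloudFormation accepts JSON, so a parsed template is nested dicts with intrinsics written as `{"Ref": ...}` and `{"Fn::GetAtt": [...]}`. The two templates embedded below are constructed, trimmed-down versions of the question's template (the working one uses a resource name of our own choosing, DefaultSgHttpsEgress); because they are already parsed, the duplicate SecurityGroupEgress mapping key in the question's YAML is not something this check sees.

```python
# Egress rules (inline AWS::EC2::SecurityGroup.Egress entries and standalone
# AWS::EC2::SecurityGroupEgress resources) name exactly one destination.
EGRESS_DESTINATION_KEYS = (
    "CidrIp", "CidrIpv6", "DestinationSecurityGroupId", "DestinationPrefixListId",
)
INGRESS_SOURCE_KEYS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId", "SourcePrefixListId")
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers_port(rule, port):
    """True if the rule admits `port`: all protocols (-1), or a tcp range containing it."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":
        return True
    lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    return proto == "tcp" and lo <= port <= hi


def check_egress_rule(where, rule, inline):
    """Findings for one egress rule; `inline` is True for entries under a SecurityGroup."""
    findings = []
    dests = [k for k in EGRESS_DESTINATION_KEYS if k in rule]
    if len(dests) != 1:
        findings.append(f"{where}: egress rule must name exactly one destination, "
                        f"got {dests or 'none'}")
    if inline and "GroupId" in rule:
        findings.append(f"{where}: GroupId is not a property of an inline egress rule; "
                        "use a standalone AWS::EC2::SecurityGroupEgress resource instead")
    if not inline and "GroupId" not in rule:
        findings.append(f"{where}: standalone AWS::EC2::SecurityGroupEgress requires GroupId")
    return findings


def check_ingress_rule(where, rule):
    findings = []
    srcs = [k for k in INGRESS_SOURCE_KEYS if k in rule]
    if len(srcs) != 1:
        findings.append(f"{where}: ingress rule must name exactly one source, got {srcs or 'none'}")
    world = rule.get("CidrIp") in ANYWHERE or rule.get("CidrIpv6") in ANYWHERE
    if world and _covers_port(rule, 22):
        findings.append(f"{where}: SSH (tcp/22) open to the world; use SSM Session Manager instead")
    return findings


def lint_template(template):
    """Return human-readable findings for every security-group rule in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupEgress", [])):
                findings += check_egress_rule(f"{name}.SecurityGroupEgress[{i}]", rule, inline=True)
            for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
                findings += check_ingress_rule(f"{name}.SecurityGroupIngress[{i}]", rule)
        elif rtype == "AWS::EC2::SecurityGroupEgress":
            findings += check_egress_rule(name, props, inline=False)
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            findings += check_ingress_rule(name, props)
    return findings


DEFAULT_SG = {"Fn::GetAtt": ["VPC", "DefaultSecurityGroup"]}  # JSON form of !GetAtt

# Constructed input: the question's WIP inline rule (CidrIp plus GroupId) and its
# 0.0.0.0/0 SSH ingress, trimmed to the security-group resources.
BROKEN_TEMPLATE = {"Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "WebServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Enable HTTP ingress", "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
        ],
        "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443",
             "CidrIp": "0.0.0.0/0", "GroupId": DEFAULT_SG},
        ],
    }},
}}

# Constructed input: HTTPS egress on the VPC's default group as a standalone resource
# (the resource name DefaultSgHttpsEgress is hypothetical), SSH ingress dropped.
FIXED_TEMPLATE = {"Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "WebServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Enable HTTP ingress", "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
        ],
        "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"},
        ],
    }},
    "DefaultSgHttpsEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": DEFAULT_SG, "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443",
        "CidrIp": "0.0.0.0/0",
    }},
}}
```

Run `lint_template(BROKEN_TEMPLATE)` to get two findings (the GroupId on the inline egress entry and the world-open SSH) and `lint_template(FIXED_TEMPLATE)` to get none; `json.load` a real template (or a YAML one after conversion) and pass the resulting dict to the same function to check a template before deploying it. The port check treats `IpProtocol: -1` as covering every port, so an all-traffic rule from 0.0.0.0/0 is reported as exposing SSH as well.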
