Updating Amazon AWS Security Group via CLI

When you often need to log in to your AWS-hosted EC2 instance and you care at least a bit about security, you will need to update the Security Group's „Inbound rules“ so that SSH connections to your Amazon AWS-hosted server are allowed only from your current IP address.

You have two options to do so:

  1. Log in to the AWS Management Console and click through the menus until you find where to update the „Inbound Rules“ of the specific Security Group.
  2. Or: you prepare a simple script that uses the AWS CLI to update the rules, investing ten minutes of your time now.

I will show you how to implement the Security Group updates through the AWS CLI on Windows. Of course, you may use it for ports other than SSH.

  1. Download and install the AWS CLI: on Windows as MSI installer, on Linux, OS X or Unix via pip or the bundled installer.
  2. Test whether the AWS CLI is working by opening a command prompt and running  aws --version
  3. Log in to the AWS Management Console and navigate to the IAM dashboard, which shows your users.
    Login to Amazon AWS Console

  4. Create a new user here and keep the „Generate an access key for each user“ option activated. The access key is a long-lived credential that carries whatever permissions you attach below, so treat it like a password.
Create a new user in AWS – Step 1

Create a new user in AWS – Step 2


  • Click on „Download Credentials“ and save them to a secure place. This is the only time the secret access key is shown to you.
    AWS: Download your credentials

  • Next, click on the just created user and add the desired permissions by clicking on „Attach Policy“.
    1. The best idea is to add only the policies this user really needs. Keep it to the needed minimum! For the task in this post that is the three EC2 actions ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress; a full EC2 administrator policy gives a stolen key far more than the ability to open port 22.
    AWS – User Policies – Attach a Policy

  • Check and note down the Security Group ID and the hosting region of the machine whose SSH access you are going to manage. You will find this information in the EC2 Dashboard.
    1. Most likely you are using one specific region for hosting. In my case, I have all my instances running in Frankfurt (that is the EU Central region, or for the CLI settings: „eu-central-1“).
    EC2 Dashboard, Security Groups

  • Start a command prompt again and set up the AWS CLI by running  aws configure. It asks for the Access Key ID and Secret Access Key from the downloaded credentials file, the default region name and the default output format; choose „json“ for the output format, the responses below assume it. To find the available AWS regions and endpoints you can enter as the region name, surf to the AWS docs.
    Regions available for Amazon EC2 at the time of writing:

    Region Name                   Region           Endpoint                            Protocol
    US East (N. Virginia)         us-east-1        ec2.us-east-1.amazonaws.com         HTTP and HTTPS
    US West (Oregon)              us-west-2        ec2.us-west-2.amazonaws.com         HTTP and HTTPS
    US West (N. California)       us-west-1        ec2.us-west-1.amazonaws.com         HTTP and HTTPS
    EU (Ireland)                  eu-west-1        ec2.eu-west-1.amazonaws.com         HTTP and HTTPS
    EU (Frankfurt)                eu-central-1     ec2.eu-central-1.amazonaws.com      HTTP and HTTPS
    Asia Pacific (Singapore)      ap-southeast-1   ec2.ap-southeast-1.amazonaws.com    HTTP and HTTPS
    Asia Pacific (Sydney)         ap-southeast-2   ec2.ap-southeast-2.amazonaws.com    HTTP and HTTPS
    Asia Pacific (Tokyo)          ap-northeast-1   ec2.ap-northeast-1.amazonaws.com    HTTP and HTTPS
    South America (Sao Paulo)     sa-east-1        ec2.sa-east-1.amazonaws.com         HTTP and HTTPS
  • Once the AWS CLI is set up, try to get information about your Security Group by invoking  aws ec2 describe-security-groups --group-ids SEC_GROUP_OF_YOUR_MACHINE. As we set the output format to „JSON“ before, the response is a JSON document listing the group's IpPermissions. There you can see that inbound traffic to ports 443 (HTTPS) and 80 (HTTP) is opened to  "CidrIp": "0.0.0.0/0" (which means „open to the world“), while the SSH port (22) is opened only for a specific IP address.
  • With a simple  aws ec2 authorize-security-group-ingress --group-id sg-fbGROUPID --protocol tcp --port 22 --cidr YOUR_IP/32 you can open the SSH port in a specific Security Group. Use /32 so the rule covers exactly your own address; a /24 would also admit the other 255 addresses of your provider's block. In the same way you can add other rules to your Security Group. With  aws ec2 revoke-security-group-ingress and the same --group-id, --protocol, --port and --cidr arguments you revoke a rule again; the arguments have to match the existing rule exactly, otherwise nothing is removed.
  • You may add two simple batch files on Windows, assuming you have curl installed:

    one to enable access to your machine via SSH, and one you run when you are done with your administration task:

    We are just utilizing Amazon's „What is my IP“ service (checkip.amazonaws.com) for that. 🙂  Keep in mind: if your IP address changes while this rule is active, the revoke run will no longer match the rule you added, so check in the AWS Console that you delete the stale rule. Deleting all rules for a specific port through the CLI is not that easy; you might use an additional, dedicated Security Group for that.

    I am using these simple scripts in my mRemoteNG as „External programs“ and can just start them directly before connecting to my servers.
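The procedure above, written out as one script, is an added example and not the blog's batch files: it wraps the same three AWS CLI calls (describe, authorize, revoke) in Python, forces the CIDR to a single /32 address, and adds a cleanup mode that removes every other 22/tcp rule, which is the stale-rule problem the last bullet warns about. It assumes `aws configure` has been run, that the IAM user holds ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress, and that checkip.amazonaws.com is the „What is my IP“ service meant above; SAMPLE_GROUP is a constructed describe-security-groups record, not output captured from a real account.

```python
"""Temporary SSH ingress rule for an EC2 security group, driven through the AWS CLI.

    python ssh_rule.py allow   GROUP_ID   # open 22/tcp for my current public IP
    python ssh_rule.py revoke  GROUP_ID   # close it again when done
    python ssh_rule.py cleanup GROUP_ID   # drop every 22/tcp rule except my current IP
"""
import ipaddress
import json
import subprocess
import sys
import urllib.request

# Assumption: Amazon's "what is my IP" service. Returns the caller's public IP as text.
CHECKIP_URL = "https://checkip.amazonaws.com"
SSH_PORT = 22


def host_cidr(ip):
    """Return `ip` as a /32 CIDR. Only a single IPv4 address is accepted: a /24, as
    in the blog's original command, would admit 255 neighbouring hosts as well."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("security group rules here expect an IPv4 address")
    return "%s/32" % addr


def public_ip(url=CHECKIP_URL):
    """Ask the checkip service for this host's public IP (network call)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii").strip()


def aws(*args):
    """Run one AWS CLI command and parse its JSON output, if any (network call)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def allowed_cidrs(group, port=SSH_PORT):
    """CIDRs permitted to reach port/tcp, read from one element of the
    "SecurityGroups" list that describe-security-groups returns."""
    cidrs = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "tcp":
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or not lo <= port <= hi:
            continue
        cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def stale_cidrs(group, keep, port=SSH_PORT):
    """Rules on port/tcp other than `keep`: what is left behind when the IP
    changed between the allow run and the revoke run."""
    return [c for c in allowed_cidrs(group, port) if c != keep]


def describe(group_id):
    return aws("ec2", "describe-security-groups", "--group-ids", group_id)["SecurityGroups"][0]


def authorize(group_id, cidr, port=SSH_PORT):
    aws("ec2", "authorize-security-group-ingress", "--group-id", group_id,
        "--protocol", "tcp", "--port", str(port), "--cidr", cidr)


def revoke(group_id, cidr, port=SSH_PORT):
    # Revoke only removes a rule whose protocol, port and CIDR match exactly.
    aws("ec2", "revoke-security-group-ingress", "--group-id", group_id,
        "--protocol", "tcp", "--port", str(port), "--cidr", cidr)


# Constructed sample of a describe-security-groups record, shaped like the one the
# blog describes: 80 and 443 open to the world, 22 open to one address, plus one
# stale 22/tcp rule from an earlier session.
SAMPLE_GROUP = {
    "GroupId": "sg-fbGROUPID",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.4/32"}, {"CidrIp": "203.0.113.9/32"}]},
    ],
}


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: ssh_rule.py allow|revoke|cleanup GROUP_ID")
    action, group_id = argv[1], argv[2]
    me = host_cidr(public_ip())
    group = describe(group_id)
    if action == "allow":
        if me in allowed_cidrs(group):
            print("22/tcp already open for", me)
        else:
            authorize(group_id, me)
            print("opened 22/tcp for", me)
    elif action == "revoke":
        revoke(group_id, me)
        print("closed 22/tcp for", me)
    elif action == "cleanup":
        for old in stale_cidrs(group, me):
            revoke(group_id, old)
            print("removed stale 22/tcp rule for", old)
    else:
        sys.exit("usage: ssh_rule.py allow|revoke|cleanup GROUP_ID")


if __name__ == "__main__":
    main(sys.argv)
```

Note that cleanup removes every 22/tcp rule except the one for your current address, including a permanent rule for an office address, so it only fits a Security Group dedicated to these temporary rules, which is also what the last bullet suggests.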

    Published October 10th, 2015 (last updated 2017-01-29) | DevOps - Server and Technologies and virtualization, Internet and Web Engineering | 1 Comment

    One Comment

    1. Günther S., 11 October 2015 at 12:56

      Thank you for this posting. I was searching on how to update these rules by CLI for a while!
      On Linux it is easy, but „curl“ for Windows does it!
