If you log in to your AWS-hosted EC2 instance often and care at least a bit about security, you will keep updating the „Inbound rules“ of its Security Group so that SSH connections to your Amazon AWS server are allowed only from your current IP address.
You have two options to do so:
- Log in to the AWS Management Console and click through the menus until you find where to edit the „Inbound rules“ of the specific Security Group.
- Or: invest ten minutes now and prepare a simple script that updates the rules through the AWS CLI.
I will show you how to do the Security Group updates through the AWS CLI on Windows. Of course, the same works for ports other than SSH.
- Download and install the AWS CLI: on Windows as an MSI installer, on Linux, OS X or Unix via pip or the bundled installer.
- Test that the AWS CLI is working by opening a command prompt and running aws --version
- Log in to the AWS Management Console and navigate to your dashboard showing the user details.
- Check and note down the Security Group ID and the hosting region of the machine whose SSH access you are going to manage. You will find this information in the EC2 Dashboard.
- Most likely you use a specific region for hosting. In my case, all my instances run in Frankfurt (that is the EU Central region, or for the CLI settings: „eu-central-1“).
- Run aws configure and enter the credentials of the IAM user you created for this purpose, together with the region and the output format:

```
AWS Access Key ID [None]: Your_AWS_Access_Key_ID_fromJustCreatedUser
AWS Secret Access Key [None]: Same_for_the_secret_access_key
Default region name [None]: eu-central-1
Default output format [None]: json
```

To find the available AWS regions and endpoints you can enter as region name, see the AWS docs.
Currently (at the time of writing) the available regions for Amazon EC2 are:

| Region Name | Region | Endpoint | Protocol |
|---|---|---|---|
| US East (N. Virginia) | us-east-1 | ec2.us-east-1.amazonaws.com | HTTP and HTTPS |
| US West (Oregon) | us-west-2 | ec2.us-west-2.amazonaws.com | HTTP and HTTPS |
| US West (N. California) | us-west-1 | ec2.us-west-1.amazonaws.com | HTTP and HTTPS |
| EU (Ireland) | eu-west-1 | ec2.eu-west-1.amazonaws.com | HTTP and HTTPS |
| EU (Frankfurt) | eu-central-1 | ec2.eu-central-1.amazonaws.com | HTTP and HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | ec2.ap-southeast-1.amazonaws.com | HTTP and HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | ec2.ap-southeast-2.amazonaws.com | HTTP and HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | ec2.ap-northeast-1.amazonaws.com | HTTP and HTTPS |
| South America (Sao Paulo) | sa-east-1 | ec2.sa-east-1.amazonaws.com | HTTP and HTTPS |

- Once your AWS CLI is set up, retrieve the information about your Security Group by invoking aws ec2 describe-security-groups --group-ids SEC_GROUP_OF_YOUR_MACHINE. As we set the output format to „json“ before, the response will look something like the following:
```json
{
  "SecurityGroups": [
    {
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [{ "CidrIp": "0.0.0.0/0" }],
          "UserIdGroupPairs": [],
          "PrefixListIds": []
        }
      ],
      "Description": "Description of Security Group",
      "Tags": [{ "Value": "seiler.it", "Key": "Name" }],
      "IpPermissions": [
        {
          "PrefixListIds": [],
          "FromPort": 443,
          "IpRanges": [{ "CidrIp": "0.0.0.0/0" }],
          "ToPort": 443,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": []
        },
        {
          "PrefixListIds": [],
          "FromPort": 80,
          "IpRanges": [{ "CidrIp": "0.0.0.0/0" }],
          "ToPort": 80,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": []
        },
        {
          "PrefixListIds": [],
          "FromPort": 22,
          "IpRanges": [{ "CidrIp": "YOUR_IP/32" }],
          "ToPort": 22,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": []
        }
      ],
      "GroupName": "The name of your security group",
      "VpcId": "vpc-ID",
      "OwnerId": "OWNER_ID",
      "GroupId": "sg-YOUR_GROUP_ID"
    }
  ]
}
```
You can see that inbound traffic to ports 443 (HTTPS) and 80 (HTTP) is open to „CidrIp“: „0.0.0.0/0“ (which means „open to the world“), while the SSH port (22) is open only for one specific IP address (the /32 prefix).
- With a simple aws ec2 authorize-security-group-ingress --group-id sg-YOURGROUPID --protocol tcp --port 22 --cidr YOUR_IP/32 you open the SSH port of a specific Security Group for that address. In the same way you can add other rules to your Security Group. With aws ec2 revoke-security-group-ingress you revoke a rule for a specific port and IP (range); the revoke has to name exactly the CIDR that was authorized, otherwise nothing is removed. Keep the prefix at /32: it admits only your own address, while a wider prefix such as /24 opens the port to all 256 addresses of that block, which you rarely want for SSH.
You may add two simple batch files on Windows, assuming you have curl installed. The first one enables SSH access to your machine from your current address:

```bat
@echo off
rem Look up the current public IP over HTTPS. Over plain HTTP an on-path attacker
rem could hand back a different address and get that one added to the rule instead.
set VAR=
for /f %%i in ('curl -s https://checkip.amazonaws.com/') do set VAR=%%i
rem /32 allows exactly this address; /24 would open the port for the whole block.
aws ec2 authorize-security-group-ingress --group-id sg-fbeYOURGROUPID --protocol tcp --port 22 --cidr %VAR%/32
```

When you are done with your administration task, you just run the second one, which revokes the same rule again:

```bat
@echo off
set VAR=
for /f %%i in ('curl -s https://checkip.amazonaws.com/') do set VAR=%%i
rem The CIDR must match the authorized rule exactly, or nothing is revoked.
aws ec2 revoke-security-group-ingress --group-id sg-fbeYOURGROUPID --protocol tcp --port 22 --cidr %VAR%/32
```
We are just using Amazon's „What is my IP“ service for that. 🙂 Keep in mind that if your IP address changes while this rule is active, the revoke script will look up your new address and no longer match the old rule, so check in the AWS Console that you delete the rule that was added. Deleting all rules for a specific port through the CLI is not that easy, because every revoke needs the exact CIDR; a dedicated Security Group that holds only the SSH rule makes such cleanup simpler.
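The cleanup problem above (a rule for an old address lingers, and each revoke needs the exact CIDR) can be handled by reading the group first and revoking whatever is stale before adding the new /32. The following script is an added example, not code from the original post: it drives the same AWS CLI commands the post uses (describe-security-groups, authorize-/revoke-security-group-ingress) through subprocess, fetches the public IP over HTTPS and validates it before it becomes a rule, and keeps the decision logic in functions that run without AWS access. It assumes the AWS CLI is on PATH and configured with aws configure, and that the group's port-22 rules are managed only by this script (the dedicated Security Group suggested above); any other port-22 rule would be treated as stale. The group ID and addresses in the embedded sample are constructed, modelled on the describe output shown earlier.

```python
"""Added example: keep a Security Group's SSH rule pointed at the current public IP.

Assumes a configured AWS CLI on PATH and that port-22 rules of the group are
owned by this script (a dedicated group); other port-22 rules count as stale.
"""
import ipaddress
import json
import subprocess
import sys
import urllib.request
from typing import Dict, List, Tuple

PORT = 22
IP_LOOKUP_URL = "https://checkip.amazonaws.com/"

# Constructed sample modelled on the post's describe-security-groups output
# (documentation addresses and a made-up group id, not real ones).
SAMPLE_GROUP: Dict = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}, {"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def to_cidr32(text: str) -> str:
    """Turn the lookup service's reply into a validated /32 CIDR.

    Anything that is not a plain IPv4 address raises ValueError, so a
    tampered or broken reply can never end up as a firewall rule.
    """
    return f"{ipaddress.IPv4Address(text.strip())}/32"


def current_public_cidr(url: str = IP_LOOKUP_URL) -> str:
    """Fetch the caller's public IPv4 address over TLS as a /32 CIDR."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return to_cidr32(resp.read().decode("ascii"))


def ipv4_cidrs_for_port(group: Dict, port: int = PORT) -> List[str]:
    """IPv4 CIDRs of inbound TCP rules whose range is exactly `port`.

    Exact FromPort/ToPort match on purpose: revoke-security-group-ingress
    --port 22 only removes a rule whose range is 22-22.
    """
    cidrs: List[str] = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "tcp":
            continue
        if perm.get("FromPort") != port or perm.get("ToPort") != port:
            continue
        cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def plan_changes(group: Dict, my_cidr: str, port: int = PORT) -> Tuple[List[str], bool]:
    """Return (CIDRs to revoke, whether my_cidr still has to be authorized)."""
    present = ipv4_cidrs_for_port(group, port)
    return [c for c in present if c != my_cidr], my_cidr not in present


def ingress_cmd(action: str, group_id: str, cidr: str, port: int = PORT) -> List[str]:
    """argv for aws ec2 authorize-/revoke-security-group-ingress."""
    if action not in ("authorize", "revoke"):
        raise ValueError(f"unknown action {action!r}")
    return ["aws", "ec2", f"{action}-security-group-ingress",
            "--group-id", group_id, "--protocol", "tcp",
            "--port", str(port), "--cidr", cidr]


def aws(argv: List[str]) -> str:
    """Run one AWS CLI command; raises if it exits non-zero."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def describe_group(group_id: str) -> Dict:
    out = aws(["aws", "ec2", "describe-security-groups",
               "--group-ids", group_id, "--output", "json"])
    return json.loads(out)["SecurityGroups"][0]


def refresh_ssh_rule(group_id: str) -> str:
    """Revoke stale port-22 rules, then allow the current address; returns it."""
    me = current_public_cidr()
    to_revoke, needs_add = plan_changes(describe_group(group_id), me)
    for old in to_revoke:
        aws(ingress_cmd("revoke", group_id, old))
    if needs_add:
        aws(ingress_cmd("authorize", group_id, me))
    return me


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("SSH now allowed from", refresh_ssh_rule(sys.argv[1]))
    else:  # offline dry run against the constructed sample
        revoke, add = plan_changes(SAMPLE_GROUP, "192.0.2.9/32")
        print("would revoke:", revoke, "| would authorize 192.0.2.9/32:", add)
```

Run it with your group ID as the only argument to apply the changes; without an argument it only prints what it would do against the embedded sample. The revoke-before-authorize order matters: if authorize ran first and a later revoke failed, the old address would stay open alongside the new one.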
I am using these simple scripts in my mRemoteNG as „External programs“ and can just start them directly before connecting to my servers.
Thank you for this posting. I was searching on how to update these rules by CLI for a while!
On Linux it is easy, but „curl“ for Windows does it!