Can I add a DNS name to an AWS security group?

Published 2019-03-13 05:34

Question:

I have to connect from my dynamic IP (which changes every time) to the AWS EC2 machine.
For this I mapped my public IP to a domain name (xyz.com), and now I am trying to add it to the security group.
But the AWS security group does not allow adding DNS names. Is this the right process? If not, please suggest one.

Answer 1:

Security Groups and ACLs are not able to resolve DNS hostnames.

You can use the AWS CLI to script the update of your dynamic IP address (the values in angle brackets are placeholders for your own group ID and address):

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <your-public-ip>/24

http://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-sg.html



Answer 2:

I have used this little bash script to poke a hole in the firewall from my current address:

#!/bin/sh
# Current public address, as seen by AWS (-s keeps curl's progress output out of the variable)
AWS_IP=$(curl -s http://checkip.amazonaws.com)
# Allow SSH from that single host only (/32)
aws ec2 authorize-security-group-ingress --group-name my-security-group \
         --protocol tcp --port 22 \
         --cidr "$AWS_IP/32"

However, this results in a security group full of swiss-cheese holes from random IP addresses, so you'll want to subsequently ask the question about how to not have a security group with temporary addresses that are no longer yours. One way to answer that problem is to set up a VPN which has a (relatively) stable IP address endpoint, and then allow that single address only through the security group.



Answer 3:

I create a security group for dynamic IPs, and each time I run my script it deletes the IP stored in a file.

This is my solution for Windows.

@echo off
SETLOCAL
rem %~dp0 is this script's directory and already ends with a backslash
SET mypath=%~dp0
set PATH=%PATH%;"C:\Program Files\Amazon\AWSCLI\";"C:\Program Files (x86)\PuTTY\";"C:\MyApps\gnuwin32\bin"
rem Security group that holds only the dynamic-IP rule (create it once with the command below)
set GROUPID=PUT YOUR DYNAMIC SECURITY GROUP ID HERE
rem aws ec2 create-security-group --group-name dynamic_ips --vpc-id vpc-81a519e5 --description "Dynamic Ip Address"
rem Read the IP stored by the previous run and revoke its rule
set /p MYIP=<%mypath%MYIP_NODELETE.txt
aws ec2 revoke-security-group-ingress --group-id %GROUPID% --protocol tcp --port 0-65535 --cidr %MYIP%/24
rem Fetch the current public IP, store it for the next run, and allow it
wget -qO %mypath%MYIP_NODELETE.txt http://ipinfo.io/ip
set /p MYIP=<%mypath%MYIP_NODELETE.txt
aws ec2 authorize-security-group-ingress --group-id %GROUPID% --protocol tcp --port 0-65535 --cidr %MYIP%/24
rem cat %mypath%MYIP_NODELETE.txt
pause


Answer 4:

You can't connect a dynamic IP in the manner you want; every time your IP changes, if you want to allow it through your security groups you will need to change the setting to your new IP.

You could, however, write a little script that you make into an icon on your desktop, which uses the AWS API to re-allow your current IP, to make it easier when it changes.



Answer 5:

AWS security rules only allow IP ranges, called CIDRs, that you can update with the AWS CLI. However, you can't simply update the CIDR of an existing rule; you need to:

  1. delete the old rule: aws ec2 revoke-security-group-ingress ...
  2. create a new rule: aws ec2 authorize-security-group-ingress ...

Example

I've found some form of this script useful to encapsulate the steps necessary:

#!/bin/bash

# == Script Config ===================

# The rule description is used to determine the rule that should be updated.
RULE_DESCRIPTION=My-Rule-Description
SECURITY_GROUP_NAME=My-Security-Group-Name

# ====================================

# CIDR currently attached to the rule carrying that description (empty if none)
OLD_CIDR_IP=$(aws ec2 describe-security-groups \
    --query "SecurityGroups[?GroupName=='$SECURITY_GROUP_NAME'].IpPermissions[*].IpRanges[?Description=='$RULE_DESCRIPTION'].CidrIp" \
    --output text)
# Current public address, as a single-host CIDR
NEW_IP=$(curl -s http://checkip.amazonaws.com)
NEW_CIDR_IP="$NEW_IP/32"

# If IP has changed and the old IP could be obtained, remove the old rule
if [[ -n "$OLD_CIDR_IP" && "$OLD_CIDR_IP" != "$NEW_CIDR_IP" ]]; then
    aws ec2 revoke-security-group-ingress --group-name "$SECURITY_GROUP_NAME" --protocol tcp --port 8080 --cidr "$OLD_CIDR_IP"
fi

# If the IP has changed and the new IP could be obtained, create a new rule
if [[ -n "$NEW_IP" && "$OLD_CIDR_IP" != "$NEW_CIDR_IP" ]]; then
    aws ec2 authorize-security-group-ingress --group-name "$SECURITY_GROUP_NAME" --ip-permissions \
        "[{\"IpProtocol\": \"tcp\", \"FromPort\": 8080, \"ToPort\": 8080, \"IpRanges\": [{\"CidrIp\": \"$NEW_CIDR_IP\", \"Description\": \"$RULE_DESCRIPTION\"}]}]"
fi

Explanation

This method uses the following 3 AWS CLI commands, taken from the example above with the bash scripting removed.

1) Obtain the CIDR IP of a rule in a specific security group by the rule's description. This command uses JMESPath in the query parameter to return only the data we want:

aws ec2 describe-security-groups --query "SecurityGroups[?GroupName=='MY_SECURITY_GROUP_NAME'].IpPermissions[*].IpRanges[?Description=='MY_RULE_DESCRIPTION'].CidrIp" --output text

2) Remove rule for the old CIDR (succeeds even when rule doesn't exist):

aws ec2 revoke-security-group-ingress --group-name MY_SECURITY_GROUP_NAME --protocol tcp --port 80 --cidr 0.0.0.0/32

3) Add rule for the new CIDR (fails when rule already exists):

aws ec2 authorize-security-group-ingress --group-name MY_SECURITY_GROUP_NAME --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "1.1.1.1/32", "Description": "MY_RULE_DESCRIPTION"}]}]'
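The revoke-then-authorize procedure from this answer, together with the stale-rule build-up that Answer 2 warns about, as an added example that is not part of the thread and not AWS's own code. It is POSIX sh: it validates the address returned by checkip before it is used in a rule (an HTML error page or an empty reply is rejected rather than written into the group), keys the rule on its description so that every CIDR carrying that description except the current one is revoked, and only calls the AWS CLI when run with SG_SYNC_RUN=1. The group name, TCP port and rule description are arguments; the file name sg-sync.sh and the use of https for checkip.amazonaws.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep one "dynamic IP" rule in sync,
# revoking every stale CIDR that carries the rule description.
set -eu

# Accept only a dotted-quad IPv4 address and print it as a /32 CIDR.
# Anything else (an HTML error page, an empty reply, IPv6) is rejected, so a
# bad reply from the IP-echo service can never end up in a security group rule.
ip_to_cidr32() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s/32\n' "$ip"
}

# Read the CIDRs currently attached to the rule (one per line on stdin) and
# print the actions needed: "revoke <cidr>" for every stale one and
# "authorize <cidr>" if the current address is not yet allowed.
plan_actions() {
    new=$1
    have_new=0
    while IFS= read -r cidr; do
        case $cidr in
            "$new") have_new=1 ;;
            *[0-9]/[0-9]*) echo "revoke $cidr" ;;   # skips blank lines and "None"
        esac
    done
    [ "$have_new" -eq 1 ] || echo "authorize $new"
}

# Apply the plan to a real security group: <group-name> <tcp-port> <description>
sync_rule() {
    group=$1 port=$2 desc=$3
    new_cidr=$(ip_to_cidr32 "$(curl -fsS https://checkip.amazonaws.com)") \
        || { echo "checkip did not return an IPv4 address" >&2; return 1; }
    # Only CIDRs on this port that carry our description are ours to touch
    aws ec2 describe-security-groups --filters "Name=group-name,Values=$group" \
        --query "SecurityGroups[].IpPermissions[?FromPort==\`$port\`].IpRanges[?Description=='$desc'].CidrIp" \
        --output text | tr '\t' '\n' | plan_actions "$new_cidr" |
    while read -r action cidr; do
        case $action in
            revoke)
                aws ec2 revoke-security-group-ingress --group-name "$group" \
                    --protocol tcp --port "$port" --cidr "$cidr" ;;
            authorize)
                aws ec2 authorize-security-group-ingress --group-name "$group" --ip-permissions \
                    "[{\"IpProtocol\":\"tcp\",\"FromPort\":$port,\"ToPort\":$port,\"IpRanges\":[{\"CidrIp\":\"$cidr\",\"Description\":\"$desc\"}]}]" ;;
        esac
    done
}

# Only touch AWS when explicitly asked: SG_SYNC_RUN=1 ./sg-sync.sh my-sg 22 laptop
if [ "${SG_SYNC_RUN:-0}" = 1 ]; then
    sync_rule "$1" "$2" "$3"
fi
```

Because the description is the rule's identity, running this from several networks over time never leaves more than one CIDR behind for that description, which is the "swiss cheese" problem from Answer 2; the /32 keeps the hole to a single host rather than a /24.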