Pull a spreadsheet (TSV) of security-group ingress/egress rules and the instances associated with each group
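#!/usr/bin/env bash
# Inventory EC2 security-group rules and instance <-> security-group
# associations as tab-separated files for review in a spreadsheet.
#
# Usage: <script> <aws-profile> <region>
#
# Output files (overwritten on every run, written to the current directory):
#   SecurityGroup-Ingress-Rules.tsv  GroupId VpcId IpProtocol FromPort ToPort Peer
#   SecurityGroup-Egress-Rules.tsv   GroupId VpcId IpProtocol FromPort ToPort Peer
#   Instance-SG-Map.tsv              InstanceId AvailabilityZone GroupId
#
# "Peer" is the rule's source (ingress) or destination (egress): an IPv4 CIDR,
# an IPv6 CIDR, a referenced security-group id or a prefix-list id. A rule is
# written once per peer, so one row == one (rule, peer) pair. A rule with no
# peer at all is still written with "-" so that it is not silently dropped.
# An IpProtocol of "-1" with FromPort/ToPort "None" means all traffic.
#
# Only read-only EC2 permissions are needed (ec2:DescribeSecurityGroups,
# ec2:DescribeInstances). Credentials come from the named profile; nothing is
# hardcoded here. Every --query is written for the CLI's text output format.
set -euo pipefail

usage() {
  printf 'Usage: %s <aws-profile> <region>\n' "${0##*/}" >&2
  exit 2
}

log() { printf '%s\n' "$*" >&2; }

#######################################
# Write one TSV row per (rule, peer) for every security group in the region.
# Arguments: $1 - rule list field in the API response: "IpPermissions"
#                 (ingress) or "IpPermissionsEgress" (egress)
#            $2 - output file; truncated and given a header row
# Outputs:   progress on stderr, rows in $2
# Notes:     one describe call per group; the CLI paginates the listing call.
#######################################
dump_rules() {
  local field=$1 out=$2
  local gid vpc proto from to peers peer
  local -a peer_list

  printf 'GroupId\tVpcId\tIpProtocol\tFromPort\tToPort\tPeer\n' > "$out"

  while IFS=$'\t' read -r gid vpc; do
    [[ -n "$gid" ]] || continue
    log "  $gid"
    # One text line per rule: protocol, from-port, to-port, then all peers of
    # the rule joined by commas (CIDRs and resource ids never contain commas).
    while IFS=$'\t' read -r proto from to peers; do
      [[ -n "$proto" ]] || continue
      peer_list=()
      IFS=',' read -r -a peer_list <<<"$peers"
      (( ${#peer_list[@]} > 0 )) || peer_list=('-')
      for peer in "${peer_list[@]}"; do
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
          "$gid" "$vpc" "$proto" "$from" "$to" "$peer" >> "$out"
      done
    done < <(aws ec2 describe-security-groups --group-ids "$gid" \
      --query "SecurityGroups[0].${field}[].[IpProtocol, FromPort, ToPort, join(',', [IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6, UserIdGroupPairs[].GroupId, PrefixListIds[].PrefixListId][])]")
  done < <(aws ec2 describe-security-groups --query 'SecurityGroups[].[GroupId, VpcId]')
}

#######################################
# Write one TSV row per (instance, attached security group).
# Arguments: $1 - output file; truncated and given a header row
# Outputs:   progress on stderr, rows in $1
#######################################
dump_instance_map() {
  local out=$1
  local iid az gids gid

  printf 'InstanceId\tAvailabilityZone\tGroupId\n' > "$out"

  while IFS=$'\t' read -r iid az; do
    [[ -n "$iid" ]] || continue
    log "  $iid"
    gids=$(aws ec2 describe-instances --instance-ids "$iid" \
      --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId')
    # Group ids contain no whitespace, so word-splitting the text output is safe.
    for gid in $gids; do
      printf '%s\t%s\t%s\n' "$iid" "$az" "$gid" >> "$out"
    done
  done < <(aws ec2 describe-instances \
    --query 'Reservations[].Instances[].[InstanceId, Placement.AvailabilityZone]')
}

main() {
  [[ $# -eq 2 ]] || usage
  export AWS_PROFILE=$1
  export AWS_DEFAULT_REGION=$2
  export AWS_DEFAULT_OUTPUT=text

  log "Evaluating security group ingress rules"
  dump_rules IpPermissions ./SecurityGroup-Ingress-Rules.tsv
  log "Evaluating security group egress rules"
  # The API field is IpPermissionsEgress; "EgressIpPermissions" does not exist
  # and would make every egress column print as None.
  dump_rules IpPermissionsEgress ./SecurityGroup-Egress-Rules.tsv
  log "Evaluating instance security group associations"
  dump_instance_map ./Instance-SG-Map.tsv
}

main "$@"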