@andrewalexander
Created August 30, 2016 21:45
Shows the inconsistency between the ingress and egress authorization calls (authorize_security_group_ingress vs. authorize_security_group_egress) on EC2 security groups
import boto3
from botocore.exceptions import ClientError
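client = boto3.client('ec2')


def _authorize_rules(sg_id):
    """Run the three authorize calls against *sg_id* and print their outcome.

    The ingress call accepts the flat keyword form (IpProtocol/FromPort/
    ToPort/CidrIp); the egress call rejects that same form with a
    ClientError and only accepts the IpPermissions list form. The first
    egress attempt is therefore expected to fail and is caught on purpose.

    NOTE: a newly created VPC security group already carries a default
    allow-all outbound rule, so the tcp/443 egress rule added here
    demonstrates the API shape only — it does not restrict egress.
    """
    # Add ingress
    resp = client.authorize_security_group_ingress(
        GroupId=sg_id,
        IpProtocol='tcp',
        FromPort=443,
        ToPort=443,
        CidrIp='10.42.0.0/16'
    )
    print('Successful ingress: {}'.format(resp))

    # Add egress the same way -- expected to fail; only the deliberate
    # ClientError is swallowed, anything else propagates to the caller.
    try:
        client.authorize_security_group_egress(
            GroupId=sg_id,
            IpProtocol='tcp',
            FromPort=443,
            ToPort=443,
            CidrIp='10.42.0.0/16'
        )
    except ClientError as e:
        print('Unsuccessful Egress: {}'.format(e))

    # Add egress the way that works
    resp = client.authorize_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{
            'IpProtocol': 'tcp',
            'FromPort': 443,
            'ToPort': 443,
            'IpRanges': [{
                'CidrIp': '10.42.0.0/16'
            }]
        }]
    )
    print('Successful Egress: {}'.format(resp))


def _demo_security_group(vpc_id):
    """Create the test SG inside *vpc_id*, run the demo, then delete the SG.

    The delete runs in a ``finally`` so an unexpected failure in any
    authorize call does not leave the security group (and with it the VPC,
    which cannot be deleted while the SG exists) behind in the account.
    """
    # Create SG
    sg_id = client.create_security_group(
        GroupName="egress-test",
        VpcId=vpc_id,
        Description="Demonstrating the inconsistencies of ec2 authorize_security_group_X calls"
    )['GroupId']
    try:
        _authorize_rules(sg_id)
    finally:
        # Clean Up (SG must go before the VPC)
        client.delete_security_group(GroupId=sg_id)


def main():
    """Reproduce the ingress/egress parameter inconsistency on a throwaway VPC.

    Creates a VPC and a security group, exercises the authorize calls, and
    always tears both resources down again -- the original flat script only
    cleaned up on the happy path, so any failure between create and delete
    leaked a VPC and security group.

    Raises:
        ClientError: for any EC2 call other than the deliberately failing
            flat-form egress call (e.g. missing credentials or permissions).
    """
    # Create VPC for testing
    vpc_id = client.create_vpc(CidrBlock="10.42.0.0/16")['Vpc']['VpcId']
    try:
        _demo_security_group(vpc_id)
    finally:
        # Clean Up
        client.delete_vpc(VpcId=vpc_id)


if __name__ == "__main__":
    main()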