Created
August 30, 2016 21:45
-
-
Save andrewalexander/64c4f4aa2b4194b1049e3f29e0d901e6 to your computer and use it in GitHub Desktop.
Shows the inconsistency between ingress and egress authorizations on security groups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| from botocore.exceptions import ClientError | |
| client = boto3.client('ec2') | |
| # Create VPC for testing | |
| vpc_id = client.create_vpc(CidrBlock="10.42.0.0/16")['Vpc']['VpcId'] | |
| # Create SG | |
| sg_id = client.create_security_group( | |
| GroupName="egress-test", | |
| VpcId=vpc_id, | |
| Description="Demonstrating the inconsistencies of ec2 authorize_security_group_X calls" | |
| )['GroupId'] | |
| # Add ingress | |
| resp = client.authorize_security_group_ingress( | |
| GroupId=sg_id, | |
| IpProtocol='tcp', | |
| FromPort=443, | |
| ToPort=443, | |
| CidrIp='10.42.0.0/16' | |
| ) | |
| print('Successful ingress: {}'.format(resp)) | |
| # Add egress the same way | |
| try: | |
| client.authorize_security_group_egress( | |
| GroupId=sg_id, | |
| IpProtocol='tcp', | |
| FromPort=443, | |
| ToPort=443, | |
| CidrIp='10.42.0.0/16' | |
| ) | |
| except ClientError as e: | |
| print('Unsuccessful Egress: {}'.format(e)) | |
| # Add egress the way that works | |
| resp = client.authorize_security_group_egress( | |
| GroupId=sg_id, | |
| IpPermissions = [{ | |
| 'IpProtocol': 'tcp', | |
| 'FromPort': 443, | |
| 'ToPort': 443, | |
| 'IpRanges':[{ | |
| 'CidrIp': '10.42.0.0/16' | |
| }] | |
| }] | |
| ) | |
| print('Successful Egress: {}'.format(resp)) | |
| # Clean Up | |
| client.delete_security_group(GroupId=sg_id) | |
| client.delete_vpc(VpcId=vpc_id) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment