dertin/ec2-security-groups.sh

## ec2-security-groups.sh
#!/bin/bash

# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq


# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"

# need security group id(s) and existing CIDR for the SG
pairs=$(aws ec2 describe-security-groups | aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')

for p in $pairs
do
  SG=$(echo "$p" | jq -r '.sg')
  OLD_CIDR=$(echo "$p" | jq -r '.cidr')

  echo "Updating security group ${SG}"
  if [[ $OLD_CIDR != 'null' ]]
  then
    echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
    # remove the existing ingress permission
    aws ec2 revoke-security-group-ingress \
        --group-id "${SG}" \
        --protocol tcp \
        --port 22 \
        --cidr "${OLD_CIDR}"
  fi

  # authorize my new IP CIDR
  NEW_CIDR="${MY_IP}"/32
  echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
  aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
	#!/bin/bash

	# This script makes it easier to maintain security groups that allow SSH access
	# from a computer with a dynamic IP, such as a computer on a home network or ISP.
	#
	# Using the script will allow you to SSH to an EC2 without having to allow
	# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
	# changes then the security groups in your account specified by your AWS profile
	# will be updated.
	#
	# The script will find any security groups for your current profile that are
	# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
	# of "true" or "yes".
	#
	# For each security group found it will revoke any existing tcp ingress on
	# port 22 and authorize ingress on port 22 for your current IP.
	#
	# Dependencies - AWS CLI and jq


	# need my current ip
	MY_IP=$(curl --silent https://checkip.amazonaws.com)
	echo "Your IP is ${MY_IP}"

	# need security group id(s) and existing CIDR for the SG
	pairs=$(aws ec2 describe-security-groups \| aws ec2 describe-security-groups \| jq -c '.SecurityGroups[]? \| select( (.Tags[]? \| select(.Key == "ssh-from-my-ip") \| .Value \| test("true\|yes"; "i"))) \| if .IpPermissions \| length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')

	for p in $pairs
	do
	SG=$(echo "$p" \| jq -r '.sg')
	OLD_CIDR=$(echo "$p" \| jq -r '.cidr')

	echo "Updating security group ${SG}"
	if [[ $OLD_CIDR != 'null' ]]
	then
	echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
	# remove the existing ingress permission
	aws ec2 revoke-security-group-ingress \
	--group-id "${SG}" \
	--protocol tcp \
	--port 22 \
	--cidr "${OLD_CIDR}"
	fi

	# authorize my new IP CIDR
	NEW_CIDR="${MY_IP}"/32
	echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
	aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
	done