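#!/usr/bin/env bash
# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq
set -euo pipefail

readonly SSH_PORT=22
readonly TAG_KEY="ssh-from-my-ip"
readonly IP_LOOKUP_URL="https://checkip.amazonaws.com"

# Print an error to stderr and exit. Used for every step whose failure would
# otherwise leave a security group half-updated.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Check whether a string is a dotted-quad IPv4 address with octets 0-255.
# Arguments: $1 - candidate address
# Returns:   0 if it is a valid IPv4 address, 1 otherwise
#######################################
is_ipv4() {
  local ip=$1 octet
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  local IFS=.
  for octet in $ip; do
    # 10# forces decimal so a leading zero is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Look up the public IPv4 address of this machine.
# Globals:   IP_LOOKUP_URL (read)
# Outputs:   the address on stdout
# Returns:   non-zero if the lookup fails or does not return a plausible IPv4
#            address. The result is validated before it is used because it is
#            later interpolated into a CIDR sent to AWS, and because revoking
#            the old rule on the strength of an empty or garbage answer would
#            lock the caller out.
#######################################
lookup_my_ip() {
  local ip
  ip=$(curl --silent --fail -- "${IP_LOOKUP_URL}") || return 1
  ip=${ip//[$'\r\n\t ']/}
  is_ipv4 "$ip" || return 1
  printf '%s\n' "$ip"
}

#######################################
# List the tagged security groups together with the CIDRs currently allowed
# on tcp/SSH_PORT. Only tcp rules for exactly that port are collected, so the
# revoke step never tries to remove a rule that belongs to another port.
# Globals:   TAG_KEY, SSH_PORT (read)
# Outputs:   one compact JSON object per line: {"sg":"<id>","cidrs":["<cidr>",...]}
# Returns:   the status of the aws/jq pipeline
#######################################
list_tagged_groups() {
  aws ec2 describe-security-groups --output json \
    | jq -c --arg key "${TAG_KEY}" --argjson port "${SSH_PORT}" '
        .SecurityGroups[]?
        | select(any(.Tags[]?; .Key == $key and (.Value | test("^(true|yes)$"; "i"))))
        | { sg: .GroupId,
            cidrs: [ .IpPermissions[]?
                     | select(.IpProtocol == "tcp" and .FromPort == $port and .ToPort == $port)
                     | .IpRanges[]?.CidrIp ] }'
}

#######################################
# Replace the tcp/SSH_PORT ingress rules of one security group with a single
# rule for the given CIDR.
# Globals:   SSH_PORT (read)
# Arguments: $1 - security group id
#            $2 - CIDR to authorize
#            $3 - JSON array of CIDRs currently allowed on tcp/SSH_PORT
# Returns:   0 on success; exits via die() if an AWS call fails
#######################################
update_group() {
  local sg=$1 new_cidr=$2 current_json=$3
  local cidr perms already_present=0

  printf 'Updating security group %s\n' "${sg}"

  while IFS= read -r cidr; do
    [[ -n "${cidr}" ]] || continue
    if [[ "${cidr}" == "${new_cidr}" ]]; then
      # Nothing to revoke for this one; remember so we do not re-authorize a
      # duplicate rule (AWS rejects duplicates).
      already_present=1
      continue
    fi
    printf 'Revoking ingress permission for %s in security group %s\n' "${cidr}" "${sg}"
    aws ec2 revoke-security-group-ingress \
      --group-id "${sg}" \
      --protocol tcp \
      --port "${SSH_PORT}" \
      --cidr "${cidr}" \
      || die "failed to revoke ${cidr} from ${sg}"
  done < <(jq -r '.[]' <<<"${current_json}")

  if (( already_present )); then
    printf 'Ingress for %s already present in security group %s\n' "${new_cidr}" "${sg}"
    return 0
  fi

  printf 'Authorizing ingress permission for %s in security group %s\n' "${new_cidr}" "${sg}"
  # Build the permission document with jq rather than string interpolation so
  # the CIDR is always a properly encoded JSON string.
  perms=$(jq -cn --arg cidr "${new_cidr}" --argjson port "${SSH_PORT}" '
    [{IpProtocol: "tcp", FromPort: $port, ToPort: $port,
      IpRanges: [{CidrIp: $cidr, Description: "Rule0"}]}]')
  aws ec2 authorize-security-group-ingress \
    --group-id "${sg}" \
    --ip-permissions "${perms}" \
    || die "failed to authorize ${new_cidr} on ${sg}"
}

#######################################
# Entry point: find my IP, then update every tagged security group.
#######################################
main() {
  local my_ip new_cidr pairs pair sg cidrs

  my_ip=$(lookup_my_ip) \
    || die "could not determine a valid public IPv4 address from ${IP_LOOKUP_URL}"
  printf 'Your IP is %s\n' "${my_ip}"
  new_cidr="${my_ip}/32"

  # Capture the listing first so a failed aws call aborts before any rule is
  # touched (a process substitution would hide the pipeline's exit status).
  pairs=$(list_tagged_groups) || die "failed to list security groups"
  if [[ -z "${pairs}" ]]; then
    printf 'No security groups tagged %s=true/yes found\n' "${TAG_KEY}"
    return 0
  fi

  while IFS= read -r pair; do
    [[ -n "${pair}" ]] || continue
    sg=$(jq -r '.sg' <<<"${pair}")
    cidrs=$(jq -c '.cidrs' <<<"${pair}")
    update_group "${sg}" "${new_cidr}" "${cidrs}"
  done <<<"${pairs}"
}

main "$@"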