tkisason/aws-lambda-add-ip2-secgroup-ctf.py

## aws-lambda-add-ip2-secgroup-ctf.py
import json
import boto3
from botocore.exceptions import ClientError
ec2 = boto3.client('ec2')
security_group_id = "sg-..." ## add your security group ID here!
#0. Find your security group name from your EC2 instance and copy/paste your security group id above ^^^

# Create a new lambda function, name it whatever, runtime: python 3.7
# Select the Execution role : Create new role with basic Lambda permissions
# Pick the "Enable Function URL" option from Advanced settings.
# Auth type for the function is : NONE (you want anyone with the URL to be able to whitelist their IP)

# Add the source code to the lamda function, press deploy.
# Open the lambda configuration, select permissions, click on execution role below the Role name (near the top of the form).
# Choose Permissions, Open permissions policies, click edit permissions, create inline policy
# Service: EC2, Actions: Search for SecurityGroup and select:
# CreateTags
# AuthorizeSecurityGroupIngress
# RevokeSecurityGroupIngress
# DescribeSecurityGroupRules
# DescribeSecurityGroups
# Click on Resources, Specify ARN, Specific and add ARN, add your region, account, security group ID. Do this for both groups of permissions. Review policy and save.
# Issuing a GET request to the Function URL should whitelist that CTFers IP's into the secgroup for EC2.
# Keep in mind you need to test the function live, since the requestContext won't be sent from the lambda console.


def lambda_handler(event, context):
    data = ""
    try:
        data = ec2.authorize_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=[
                {'IpProtocol': 'tcp',
                 'FromPort': 0,
                 'ToPort': 65535,
                 'IpRanges': [{'CidrIp': str(event['requestContext']['http']['sourceIp']+"/32")}]}
                 ])
    except ClientError as e:
        print(e)

    return {
        'statusCode': 200,
        'body': "hello " + event['requestContext']['http']['sourceIp'] + " have fun!"
    }


### For revocation
# If you want to have an URL for revoking and clearing all access to a secgroup, add the following code to a lambda
# Keep in mind to do everything as for the first lambda, just be sure to change the security_group_id.
# You can reuse the permissions policy if you want.


import json
import boto3
from botocore.exceptions import ClientError
ec2 = boto3.client('ec2')
security_group_id = "sg-..."  ## add your security group ID here!
#0. Copy/paste your security group id here ^^^


def lambda_handler(event, context):
    data = ec2.describe_security_groups(GroupIds=[security_group_id])
    for rule in data['SecurityGroups']:
        for i in rule['IpPermissions']:
            for j in i['IpRanges']:
                response = ec2.revoke_security_group_ingress(CidrIp=j['CidrIp'],GroupId=security_group_id, IpProtocol='tcp', FromPort=0, ToPort=65535)

    return {
        'statusCode': 200,
        'body': "Access revoked for everyone!"
    }
	import json
	import boto3
	from botocore.exceptions import ClientError
	ec2 = boto3.client('ec2')
	security_group_id = "sg-..." ## add your security group ID here!
	#0. Find your security group name from your EC2 instance and copy/paste your security group id above ^^^

	# Create a new lambda function, name it whatever, runtime: python 3.7
	# Select the Execution role : Create new role with basic Lambda permissions
	# Pick the "Enable Function URL" option from Advanced settings.
	# Auth type for the function is : NONE (you want anyone with the URL to be able to whitelist their IP)

	# Add the source code to the lamda function, press deploy.
	# Open the lambda configuration, select permissions, click on execution role below the Role name (near the top of the form).
	# Choose Permissions, Open permissions policies, click edit permissions, create inline policy
	# Service: EC2, Actions: Search for SecurityGroup and select:
	# CreateTags
	# AuthorizeSecurityGroupIngress
	# RevokeSecurityGroupIngress
	# DescribeSecurityGroupRules
	# DescribeSecurityGroups
	# Click on Resources, Specify ARN, Specific and add ARN, add your region, account, security group ID. Do this for both groups of permissions. Review policy and save.
	# Issuing a GET request to the Function URL should whitelist that CTFers IP's into the secgroup for EC2.
	# Keep in mind you need to test the function live, since the requestContext won't be sent from the lambda console.


	def lambda_handler(event, context):
	data = ""
	try:
	data = ec2.authorize_security_group_ingress(
	GroupId=security_group_id,
	IpPermissions=[
	{'IpProtocol': 'tcp',
	'FromPort': 0,
	'ToPort': 65535,
	'IpRanges': [{'CidrIp': str(event['requestContext']['http']['sourceIp']+"/32")}]}
	])
	except ClientError as e:
	print(e)

	return {
	'statusCode': 200,
	'body': "hello " + event['requestContext']['http']['sourceIp'] + " have fun!"
	}



	### For revocation
	# If you want to have an URL for revoking and clearing all access to a secgroup, add the following code to a lambda
	# Keep in mind to do everything as for the first lambda, just be sure to change the security_group_id.
	# You can reuse the permissions policy if you want.


	import json
	import boto3
	from botocore.exceptions import ClientError
	ec2 = boto3.client('ec2')
	security_group_id = "sg-..." ## add your security group ID here!
	#0. Copy/paste your security group id here ^^^


	def lambda_handler(event, context):
	data = ec2.describe_security_groups(GroupIds=[security_group_id])
	for rule in data['SecurityGroups']:
	for i in rule['IpPermissions']:
	for j in i['IpRanges']:
	response = ec2.revoke_security_group_ingress(CidrIp=j['CidrIp'],GroupId=security_group_id, IpProtocol='tcp', FromPort=0, ToPort=65535)

	return {
	'statusCode': 200,
	'body': "Access revoked for everyone!"
	}