Script to manage your AWS Security Groups

Having a dynamic public IP can be really annoying when it comes to accessing the services in AWS, guarded by security groups (assuming you are a small shop and don’t have the VPN or AWS DirectConnect infra setup yet or maybe it is your personal AWS account.)

Anyway, it’s a bit tiring to open the browser, load AWS console , click on the security groups, edit it and then save it back. All this, so that you can ssh into your EC2 instance, for example. The worst is when AWS console has signed you out (due to inactivity) and then you have to wait for a very very long time on the sign-in to complete. Happens with me quite often during signing in these days.

A bit painful, isn’t it? So I thought of implementing a small bash script for the same. It is pretty simple and can add, update and revoke a rule to access a TCP port (or a range of TCP ports) from your (dynamic) IP.

Here’s the script — help:

./aws-sg-ip-rule.sh -h
Add rule: ./aws-sg-ip-rule.sh a -n <rule_name> -s <security_group_id> -f <start_inbound_tcp_port> -t <end_inbound_tcp_port>
 
Update rule (only IP): ./aws-sg-ip-rule.sh u -n <rule_name>
Revoke rule: ./aws-sg-ip-rule.sh r -n <rule_name>

The help is pretty self-explanatory (I hope ;) ). Let’s take some examples:

./aws-sg-ip-rule.sh a -n allow-xyz-to-ssh -s sg-1234abcd -f 22 -t 22

When you run the above command, it will find your (current) public IP and allow you the access on port 22 in security group sg-1234abcd.

Similarly, for a range of ports:

./aws-sg-ip-rule.sh a -n allow-xyz-to-ssh -s sg-1234abcd -f 3300 -t 3310

The above commands also create a rulefile with same name as the rule(rule_name). So in this case, the created file will be allow-xyz-to-ssh. If you want to store it at some other path, rule_name in that case will be (for eg.) rules/allow-xyz-to-ssh.

Let’s see the next command:

./aws-sg-ip-rule.sh r -n allow-xyz-to-ssh

This command revokes the rule , i.e it removes the access on the port(s) by reading the rule details from the rulefile allow-xyz-to-ssh.

Now let’s update an existing rule:

./aws-sg-ip-rule.sh u -n allow-xyz-to-ssh

This command updates the existing rule with your new IP by reading the rulefile allow-xyz-to-ssh and then updates the rulefile as well . Note that it only updates the public IP, nothing else. So this is handy when your public IP has changed.

If you want to add back a revoked rule, just provide the rulefile. No other details are required as long as the rulefile exists. The command in that case would be:

./aws-sg-ip-rule.sh a -n allow-xyz-to-ssh

That’s all to it :)

But why only TCP? Yes, Basically that’s what I’m dealing with right now and also for start, I wanted to keep the input parameters at a minimum. But feel free to extend the script.

The script can be found at:

https://github.com/cotigao/aws-sg-ip-rule

Hope you guys find this useful. Thanks!