Amazon web services: How to correctly externalize SecurityGroupEgress and SecurityGroupIngress in CloudFormation - Fatal编程技术网


Using the CloudFormation template below, I am able to SSH into the EC2 instance:

PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupName: PublicSecurityGroup
        GroupDescription: Public Security Group
        VpcId:
            Ref: Vpc
        SecurityGroupEgress:
            - IpProtocol: "-1"
              FromPort: 0
              ToPort: 65535
              CidrIp: 0.0.0.0/0
        SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 22
              ToPort: 22
              CidrIp: 0.0.0.0/0
PublicEc2Instance:
    Type: AWS::EC2::Instance
    Properties:
        ImageId:
            Ref: ImageId
        InstanceType:
            Ref: InstanceType
        KeyName:
            Ref: KeyName
        SecurityGroupIds:
            - Fn::GetAtt:
                - PublicSecurityGroup
                - GroupId
        SubnetId:
            Ref: PublicSubnet
        Tags:
            - Key: Name
              Value: PublicEc2Instance
When I change the SecurityGroup definition to the following structure:

PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupName: PublicSecurityGroup
        GroupDescription: Public Security Group
        VpcId:
            Ref: Vpc
PublicOutboundRule1:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        SourceSecurityGroupId: !Ref PublicSecurityGroup
        IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
PublicInboundRule1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        SourceSecurityGroupId: !Ref PublicSecurityGroup
        IpProtocol: tcp
        FromPort: 22
        ToPort: 22
I can no longer SSH into the EC2 instance.

Why does externalizing SecurityGroupEgress and SecurityGroupIngress block SSH access to the EC2 instance?


Thanks everyone!

You are restricting the traffic in the ingress rule to PublicSecurityGroup in the line SourceSecurityGroupId: !Ref PublicSecurityGroup. Specify the CIDR block used in the YAML snippet above instead of SourceSecurityGroupId:

PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupName: PublicSecurityGroup
        GroupDescription: Public Security Group
        VpcId:
            Ref: Vpc
PublicOutboundRule1:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0

PublicInboundRule1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0

Note that I also removed SourceSecurityGroupId from your egress rule, since egress rules don't need a source; they need a destination (another SG, a CIDR block), because they are egress :)

You did not establish the correct relationship between AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress/AWS::EC2::SecurityGroupEgress.

In your first definition, you allow access to port 22 from anywhere:

SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0

But in the second definition, you define access to port 22 only from the same security group, because the SourceSecurityGroupId parameter specifies the ID of the Amazon EC2 security group that is allowed access, whereas you want to grant access from 0.0.0.0/0, which is different:

SourceSecurityGroupId: !Ref PublicSecurityGroup
IpProtocol: tcp
FromPort: 22
ToPort: 22


You need to remove the SourceSecurityGroupId parameter.
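As an added example (not code from the page, the asker or either answerer): a small Python lint that catches the two mistakes both answers describe, an ingress rule whose source is the group it belongs to, and an egress rule given a source instead of a destination. It also flags tcp/22 open to 0.0.0.0/0, which both the original and the corrected template carry and which a reviewer would normally want narrowed to a known CIDR. The two templates are constructed transcriptions of the asker's second structure and the first answer's fix, written as already-parsed dicts with `!Ref X` in its long form `{"Ref": "X"}`; the finding texts and the "exactly one peer property per rule" policy are this script's own assumptions.

```python
"""Lint standalone CloudFormation security-group rules (constructed example)."""

from typing import Any, List, Optional

# AWS::EC2::SecurityGroupIngress names a *source*; AWS::EC2::SecurityGroupEgress
# names a *destination*. Requiring exactly one peer property is this lint's policy.
INGRESS_PEERS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId", "SourcePrefixListId")
EGRESS_PEERS = ("CidrIp", "CidrIpv6", "DestinationSecurityGroupId", "DestinationPrefixListId")


def ref_target(value: Any) -> Optional[str]:
    """Return the logical id inside a {"Ref": ...} value, else None."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return value["Ref"]
    return None


def covers_port(props: dict, port: int) -> bool:
    """True if the rule's protocol/port range includes `port` ("-1" means all)."""
    if str(props.get("IpProtocol", "")) == "-1":
        return True
    try:
        return int(props["FromPort"]) <= port <= int(props["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False


def audit_sg_rules(template: dict) -> List[str]:
    """Return human-readable findings for every standalone rule resource."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroupIngress":
            peers = [k for k in INGRESS_PEERS if k in props]
            if len(peers) != 1:
                findings.append(f"{name}: ingress rule must name exactly one source, got {peers}")
            src = ref_target(props.get("SourceSecurityGroupId"))
            if src is not None and src == ref_target(props.get("GroupId")):
                # The asker's second template: only members of the group itself can connect.
                findings.append(f"{name}: source is the group itself; only members of {src} can reach this port")
            if props.get("CidrIp") == "0.0.0.0/0" and covers_port(props, 22):
                findings.append(f"{name}: SSH (tcp/22) is reachable from any IPv4 address")
        elif rtype == "AWS::EC2::SecurityGroupEgress":
            if "SourceSecurityGroupId" in props:
                findings.append(f"{name}: egress rule carries SourceSecurityGroupId; egress rules take a destination, not a source")
            peers = [k for k in EGRESS_PEERS if k in props]
            if len(peers) != 1:
                findings.append(f"{name}: egress rule must name exactly one destination, got {peers}")
    return findings


def _sg() -> dict:
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "Public Security Group", "VpcId": {"Ref": "Vpc"}}}


# Constructed transcription of the asker's second (broken) structure.
BROKEN_TEMPLATE = {"Resources": {
    "PublicSecurityGroup": _sg(),
    "PublicOutboundRule1": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": {"Ref": "PublicSecurityGroup"}, "SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"},
        "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535}},
    "PublicInboundRule1": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "PublicSecurityGroup"}, "SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"},
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}},
}}

# Constructed transcription of the first answer's corrected rules.
FIXED_TEMPLATE = {"Resources": {
    "PublicSecurityGroup": _sg(),
    "PublicOutboundRule1": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": {"Ref": "PublicSecurityGroup"}, "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535,
        "CidrIp": "0.0.0.0/0"}},
    "PublicInboundRule1": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "PublicSecurityGroup"}, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "CidrIp": "0.0.0.0/0"}},
}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(f"== {label} ==")
        for line in audit_sg_rules(tpl) or ["no findings"]:
            print(" -", line)
```

Run it as a script and the broken template yields three findings (the egress rule's stray source, its missing destination, and the self-referencing ingress source), while the corrected template yields only the world-open SSH notice. Real templates would first need a YAML loader that understands the `!Ref` and `!GetAtt` short-form tags; that step is left out here to keep the example dependency-free.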

Hi Vladyslav! Thank you very much for the precise and very useful explanation. It works like a charm!

Hi 康德! You are right! I should not use SourceSecurityGroupId but CidrIp instead. Thank you very much!