Amazon Web Services: how to correctly externalize SecurityGroupEgress and SecurityGroupIngress in CloudFormation
Tags: amazon-web-services, amazon-cloudformation, aws-security-group

Using the CloudFormation template below, I am able to connect to the EC2 instance via SSH:
PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
    SecurityGroupEgress:
      - IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
PublicEc2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId:
      Ref: ImageId
    InstanceType:
      Ref: InstanceType
    KeyName:
      Ref: KeyName
    SecurityGroupIds:
      - Fn::GetAtt:
          - PublicSecurityGroup
          - GroupId
    SubnetId:
      Ref: PublicSubnet
    Tags:
      - Key: Name
        Value: PublicEc2Instance
When I change the SecurityGroup definition to the following structure:
PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
PublicOutboundRule1:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    SourceSecurityGroupId: !Ref PublicSecurityGroup
    IpProtocol: "-1"
    FromPort: 0
    ToPort: 65535
PublicInboundRule1:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    SourceSecurityGroupId: !Ref PublicSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22
I can no longer SSH into the EC2 instance. Why does externalizing SecurityGroupEgress and SecurityGroupIngress block SSH access to the EC2 instance?

Thanks everyone!

Answer:

You restrict the traffic in the ingress rule to PublicSecurityGroup in the following line:

SourceSecurityGroupId: !Ref PublicSecurityGroup

Specify the CIDR block you used in the YAML snippet above instead of SourceSecurityGroupId:
PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
PublicOutboundRule1:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    IpProtocol: "-1"
    FromPort: 0
    ToPort: 65535
    CidrIp: 0.0.0.0/0
PublicInboundRule1:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: 0.0.0.0/0
Note that I also removed SourceSecurityGroupId from your egress rule, because egress rules do not take a source; they take a destination (another SG, a CIDR block), since they are egress :)

Answer:

You have not set up the correct relationship between AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress / AWS::EC2::SecurityGroupEgress.

In your first definition you allow access to port 22 from anywhere:

SecurityGroupIngress:
  - IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: 0.0.0.0/0

But in the second definition you define access to port 22 only from the same security group, because the SourceSecurityGroupId parameter specifies the ID of the Amazon EC2 security group that is allowed access, whereas you want to grant access from 0.0.0.0/0, which is different:

SourceSecurityGroupId: !Ref PublicSecurityGroup
IpProtocol: tcp
FromPort: 22
ToPort: 22

You need to remove the SourceSecurityGroupId parameter.

Comment: Hi Vladyslav! Thanks a lot for the precise and very useful explanation. It works like a charm!

Comment: Hi Kant! You are right! I should not have used SourceSecurityGroupId but CidrIp instead. Thanks a lot!
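A small offline checker for the two rule shapes compared in the answers above, added here as an illustration; it is not code from the question or from either answer. It represents the templates as already-parsed dicts (with `!Ref X` written in its long form `{"Ref": "X"}`), assumes a constructed client address 203.0.113.5 standing in for "anywhere on the internet", and reports whether TCP port 22 on PublicSecurityGroup is reachable from that address or only from members of the group, which ingress rules name their own group as the source (the misconfiguration in the question), and which rules expose a port to the whole internet (the working configuration, which a defender still wants to see listed).

```python
"""Offline evaluation of CloudFormation security-group ingress rules.

Added example, not code from the question or either answer. Templates
are modelled as parsed dicts; `!Ref X` is written as {"Ref": "X"}.
A traffic source is a tuple: ("ip", "203.0.113.5") for a client on the
internet (constructed address), ("sg", "PublicSecurityGroup") for an
ENI that carries that group.
"""
import ipaddress

GROUP_RESOURCE = "AWS::EC2::SecurityGroup"
INGRESS_RESOURCE = "AWS::EC2::SecurityGroupIngress"


def public_sg_template(inline, source):
    """Build the question's PublicSecurityGroup in one of its two forms.

    inline=True puts the SSH rule in SecurityGroupIngress on the group itself;
    inline=False uses a standalone AWS::EC2::SecurityGroupIngress resource.
    `source` is the rule's source property, e.g. {"CidrIp": "0.0.0.0/0"} or
    {"SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"}}.
    """
    rule = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, **source}
    group = {"Type": GROUP_RESOURCE,
             "Properties": {"GroupName": "PublicSecurityGroup",
                            "GroupDescription": "Public Security Group",
                            "VpcId": {"Ref": "Vpc"}}}
    resources = {"PublicSecurityGroup": group}
    if inline:
        group["Properties"]["SecurityGroupIngress"] = [rule]
    else:
        resources["PublicInboundRule1"] = {
            "Type": INGRESS_RESOURCE,
            "Properties": {"GroupId": {"Ref": "PublicSecurityGroup"}, **rule}}
    return resources


def resolve_ref(value):
    """Turn {"Ref": "X"} into "X"; any other value is returned unchanged."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return value["Ref"]
    return value


def ingress_rules(resources):
    """Yield (owner_logical_id, group_logical_id, rule) for every ingress rule,
    whether inline on the group or a standalone SecurityGroupIngress resource."""
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == GROUP_RESOURCE:
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, logical_id, rule
        elif res.get("Type") == INGRESS_RESOURCE:
            yield logical_id, resolve_ref(props["GroupId"]), props


def port_in_range(rule, port):
    """True if the rule's protocol/port range covers TCP `port`."""
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":            # all protocols, ports are ignored
        return True
    if proto not in ("tcp", "6"):
        return False
    return int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535))


def rule_matches(rule, port, source):
    """True if this single rule admits TCP traffic on `port` from `source`."""
    if not port_in_range(rule, port):
        return False
    kind, value = source
    if "CidrIp" in rule:
        # A CIDR source admits IP clients inside the block.
        net = ipaddress.ip_network(rule["CidrIp"], strict=False)
        return kind == "ip" and ipaddress.ip_address(value) in net
    if "SourceSecurityGroupId" in rule:
        # An SG source admits only traffic from ENIs carrying that group,
        # never an arbitrary internet client: this is why SSH stopped working.
        return kind == "sg" and resolve_ref(rule["SourceSecurityGroupId"]) == value
    return False


def allowed(resources, group_id, port, source):
    """True if any ingress rule attached to `group_id` admits `source` on `port`."""
    return any(rule_matches(rule, port, source)
               for _, gid, rule in ingress_rules(resources) if gid == group_id)


def self_referencing_rules(resources):
    """Logical ids of ingress rules whose source is the very group they attach to."""
    return [owner for owner, gid, rule in ingress_rules(resources)
            if resolve_ref(rule.get("SourceSecurityGroupId")) == gid]


def world_reachable(resources, port):
    """Logical ids of ingress rules that expose `port` to 0.0.0.0/0 or ::/0."""
    return [owner for owner, _, rule in ingress_rules(resources)
            if rule.get("CidrIp") in ("0.0.0.0/0", "::/0") and port_in_range(rule, port)]


if __name__ == "__main__":
    internet = ("ip", "203.0.113.5")          # constructed client address
    same_sg = ("sg", "PublicSecurityGroup")
    variants = [
        ("inline CidrIp", public_sg_template(True, {"CidrIp": "0.0.0.0/0"})),
        ("standalone SourceSecurityGroupId",
         public_sg_template(False, {"SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"}})),
        ("standalone CidrIp", public_sg_template(False, {"CidrIp": "0.0.0.0/0"})),
    ]
    for label, tpl in variants:
        print(f"{label}: ssh from internet={allowed(tpl, 'PublicSecurityGroup', 22, internet)} "
              f"from same SG={allowed(tpl, 'PublicSecurityGroup', 22, same_sg)} "
              f"self-referencing={self_referencing_rules(tpl)} world-open={world_reachable(tpl, 22)}")
```

Running it shows the three cases side by side: the inline and standalone CidrIp variants admit the internet client, while the standalone SourceSecurityGroupId variant admits only traffic from instances that themselves carry PublicSecurityGroup, which is the behaviour the question observed. The `self_referencing_rules` and `world_reachable` checks are the two things worth running over a template before deployment: the first catches the mistake discussed here, the second lists every rule that opens a port such as 22 to the whole internet so that it can be narrowed to the address ranges that actually need it.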