Amazon web services: How to temporarily open and close a port for a specific IP on an AWS security group?

Tags: amazon-web-services, aws-cli, aws-security-group

I want to use the awscli tool to temporarily open a port for a certain IP address before a backup process starts, and close it again once the backup process has finished.

I know how to do this through the console, but I cannot find how to do it programmatically.

Does anyone know what command I can run to achieve this?

I want to write a shell script for this and launch it before the backup, so I found a CircleCI orb that does exactly this. However, when I try to launch it with a shell script, I get an error. I am not very good with shell commands, so maybe someone can tell me what could be fixed below.

The AWS permissions are set correctly, so I think I just need to adjust something in the script below.

# Note: the << parameters.* >> tokens below are CircleCI orb parameter syntax, substituted by CircleCI before the step runs; a plain shell does not expand them
# Get the current IP of the AWS instance the script is launched from

LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)

IP="${IP-$LATEST_IP}"

if [[ "${IP}" == "" ]]; then
    echo "Could not find your public IP"
    exit 1
fi

# Get the security group ID

GROUPID=$(aws ec2 describe-security-groups --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' --output table | grep << parameters.tag-value >> | awk '{print $4}')
[[ -n "${GROUPID}" ]] || (echo "Could not determine Security Group ID" && exit 0);

# Adding Rule SSH to Your Security Group

echo Allowing << parameters.description >> to access port $PORT from IP $IP to the security group $GROUPID

aws ec2 authorize-security-group-ingress --group-id $GROUPID --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp": "'$LATEST_IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]' 

# Closing the port
echo "Removing << parameters.description >> access from IP $IP to the security group $GROUPID"


# Delete IP rules matching port

aws ec2 revoke-security-group-ingress --group-id $GROUPID --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp":"'$LATEST_IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]'


I modified the script so that it works. But I don't think it is of much use in its current form. It just adds a rule to the SG and then immediately removes it.

I only replaced
GROUPID=$(aws ec2 des…
with the SG ID value.

#!/bin/bash 
# Get the current IP of the AWS instance the script is launched from

set -ex

LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)

IP="${IP-$LATEST_IP}"

if [[ "${IP}" == "" ]]; then
    echo "Could not find your public IP"
    exit 1
fi

echo ${IP}

# Get the security group ID

GROUPID="sg-0483809ca6b8e91d0" # change to your own SG
PORT_FROM=80
PORT_TO=80
MASK_IP="32"
DESCRIPTION="Some-description"
AWS_PROFILE="default" # AWS credentials profile to use

# Adding Rule SSH to Your Security Group
# ${IP} is the address passed in via the environment, or the detected one when none was given

echo "Allowing ${DESCRIPTION} to access port ${PORT_FROM} from IP ${IP} to the security group ${GROUPID}"

aws ec2 authorize-security-group-ingress \
    --group-id "${GROUPID}" \
    --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '${PORT_FROM}', "ToPort": '${PORT_TO}', "IpRanges": [{"CidrIp": "'${IP}/${MASK_IP}'", "Description": "'${DESCRIPTION}'"}]}]' \
    --profile "${AWS_PROFILE}"

# Closing the port
echo "Removing ${DESCRIPTION} access from IP ${IP} to the security group ${GROUPID}"


# Delete IP rules matching port (the permission must match the one added above exactly)

aws ec2 revoke-security-group-ingress \
    --group-id "${GROUPID}" \
    --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '${PORT_FROM}', "ToPort": '${PORT_TO}', "IpRanges": [{"CidrIp": "'${IP}/${MASK_IP}'", "Description": "'${DESCRIPTION}'"}]}]' \
    --profile "${AWS_PROFILE}"
Example output:

++ wget -qO- http://checkip.amazonaws.com
+ LATEST_IP=<real-ip-value>
+ IP=<real-ip-value>
+ [[ <real-ip-value> == '' ]]
+ echo <real-ip-value>
<real-ip-value>
+ GROUPID=sg-0483809ca6b8e91d0
+ PORT_FROM=80
+ PORT_TO=80
+ MASK_IP=32
+ DESCRIPTION=Some-description
+ AWS_PROFILE=la
+ echo Allowing sg-0483809ca6b8e91d0 to access port from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
Allowing sg-0483809ca6b8e91d0 to access port from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
+ aws ec2 authorize-security-group-ingress --group-id sg-0483809ca6b8e91d0 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "<real-ip-value>/32", "Description": "Some-description"}]}]' --profile la
+ echo 'Removing Some-description access from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0'
Removing Some-description access from IP <real-ip-value> to the security group sg-0483809ca6b8e91d0
+ aws ec2 revoke-security-group-ingress --group-id sg-0483809ca6b8e91d0 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp":"<real-ip-value>/32", "Description": "Some-description"}]}]' --profile la



Comments:

"I get an error" - can you clarify what error exactly?

It throws an error saying it is not recognized, so I think it is about the syntax. What are the parameters? Honestly, I don't know. Maybe that is the problem. I guess I need to supply the name of the security group and the ports that need to be opened and closed, right?

Thanks, @Marcin, I'll try it - but why do you think this isn't useful? Isn't it good to temporarily open and then close the port? Do you suggest another solution? Of course, between opening and closing I would run some operation (the backup), which I left out of this script.

@Aerodynamika Hi. The script just opens it and then immediately closes it, so the port will be open for a few seconds at most. It would be better to split it into two scripts, one to open it and the other to close it.
?老实说,我不知道。也许这就是问题所在。我想我需要提供安全组的名称以及需要打开和关闭的端口,对吗?谢谢,@Marcin我会尝试一下-但是为什么你认为这没有用?临时打开然后关闭端口不是很好吗?你建议另一种解决方案吗?当然,在打开和关闭之间,我会执行某些操作(备份),我从这个脚本中排除了它。@Aerodynamika您好。脚本只是打开它,然后立即关闭它。因此端口最多会打开几秒钟。最好将它分成两个脚本,一个打开,另一个打开