Keeping an eye on your Amazon EC2 firewall rules
Amazon AWS makes it really easy for anybody to create and update firewall rules that provide access to the virtual machines inside AWS. Within seconds you can add your own IP address so you can work from home or the office. However, it is also very easy to forget to remove them once you are finished. The utility aws-sg-revoker will help you maintain your firewall rules.
aws-sg-revoker inspects all your inbound access permissions and compares them with the public IP addresses of the machines in your AWS account. For grants to IP addresses not found in your account, it generates an aws CLI revoke command. But do not be afraid: it only generates the commands, it does not execute them directly. You may want to investigate before removal. Follow these four steps to safeguard your account!
step 1. Investigate
First run the following command to generate a list of all the IP address ranges that are referenced in your security groups but not found in your account.
aws-sg-revoker -l
18.104.22.168 x.y.z.
22.214.171.124. hostname.com.
126.96.36.199 a.b.c.
188.8.131.52/16
....
You may find that you have to install jq and the aws CLI 🙂
step 2. Exclude known addresses
Exclude the IP addresses that are ok. These addresses are given as regular expressions with the -w option.
aws-sg-revoker -l -w 1\.2\.3\.4 -w 8\.9\.10\.11/16
step 3. Generate revoke commands
Once you are happy with the list, you can generate the revoke commands:
aws-sg-revoker -w 1\.2\.3\.4 -w 4\.5\.6\.7 -w 8\.9\.10\.11/16
aws ec2 revoke-security-group-ingress --group-id sg-aaaaaaaa --port 22-22 --protocol tcp --cidr 184.108.40.206/32 # revoke from sg blablbsdf
aws ec2 revoke-security-group-ingress --group-id sg-aaaaaaaa --port 9200-9200 --protocol tcp --cidr 220.127.116.11/32 # revoke from sg blablbsdf
aws ec2 revoke-security-group-ingress --group-id sg-aaaaaaaa --port 9080-9080 --protocol tcp --cidr 18.104.22.168/32 # revoke from sg blablbsdf
aws ec2 revoke-security-group-ingress --group-id sg-bbbbbbbb --protocol -1 --cidr 22.214.171.124/32 # revoke from sg sg-1
aws ec2 revoke-security-group-ingress --group-id sg-bbbbbbbb --protocol -1 --cidr 126.96.36.199/32 # revoke from sg sg-3
step 4. Execute!
If the revokes look ok, you can execute them by piping them to a shell, keeping a log of what was revoked:
aws-sg-revoker -w 1\.2\.3\.4 -w 8\.9\.10\.11/16 | tee revoked.log | bash
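To make the four steps concrete, here is an added example that re-implements the same list / whitelist / generate flow in Python. It is not the aws-sg-revoker project's own code (that tool is built on the aws CLI and jq), and it makes a few assumptions that are labelled in the comments: the input is a constructed excerpt of `aws ec2 describe-security-groups` output with made-up group IDs and documentation-range CIDRs; the account's public IPs are a constructed list; a grant counts as "known" only when it is a single-host CIDR equal to one of those public IPs, so wider ranges (a /24, or 0.0.0.0/0) are always listed for a human to decide on; and -w patterns are matched anchored, so a pattern for one address cannot silently whitelist a longer address that starts with the same digits.

```python
import ipaddress
import json
import re

# Constructed excerpt of `aws ec2 describe-security-groups` output.
# Group IDs, names and CIDRs are made up (RFC 5737 documentation ranges).
SECURITY_GROUPS_JSON = """
{
  "SecurityGroups": [
    {"GroupId": "sg-aaaaaaaa", "GroupName": "web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "198.51.100.7/32"}]},
       {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
        "IpRanges": [{"CidrIp": "192.0.2.0/24"}]}]},
    {"GroupId": "sg-bbbbbbbb", "GroupName": "admin",
     "IpPermissions": [
       {"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "198.51.100.200/32"}, {"CidrIp": "0.0.0.0/0"}]}]}
  ]
}
"""

# Constructed list of the account's own public IPs (what you would collect from
# describe-instances / describe-addresses). 192.0.2.44 sits inside 192.0.2.0/24
# on purpose: a wider grant is still reported, because it covers far more than
# that one machine.
ACCOUNT_PUBLIC_IPS = ["192.0.2.44", "198.51.100.7"]


def load_grants(sg_json):
    """Flatten the security-group JSON into one record per (rule, CIDR) pair."""
    grants = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                grants.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg["GroupName"],
                    "protocol": perm["IpProtocol"],
                    "from_port": perm.get("FromPort"),   # absent for protocol -1 (all)
                    "to_port": perm.get("ToPort"),
                    "cidr": rng["CidrIp"],
                })
    return grants


def label(cidr):
    """Display form: a single host is shown without /32, wider ranges keep their prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else cidr


def is_account_address(cidr, account_ips):
    """Assumption: only a /32 that equals one of the account's public IPs is 'known'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == net.max_prefixlen and str(net.network_address) in account_ips


def is_whitelisted(cidr, patterns):
    """-w patterns are regexes; fullmatch anchors them so 203\\.0\\.113\\.1 cannot
    accidentally cover 203.0.113.10."""
    return any(re.fullmatch(p, label(cidr)) for p in patterns)


def unknown_cidrs(grants, account_ips, patterns=()):
    """Step 1 / step 2 (-l): distinct referenced CIDRs not in the account and not excluded."""
    seen = []
    for g in grants:
        shown = label(g["cidr"])
        if shown in seen or is_account_address(g["cidr"], account_ips) \
                or is_whitelisted(g["cidr"], patterns):
            continue
        seen.append(shown)
    return seen


def revoke_command(g):
    """One aws CLI revoke line, mirroring the format shown in step 3."""
    cmd = ["aws", "ec2", "revoke-security-group-ingress",
           "--group-id", g["group_id"], "--protocol", g["protocol"]]
    if g["from_port"] is not None:
        cmd += ["--port", f"{g['from_port']}-{g['to_port']}"]
    cmd += ["--cidr", g["cidr"]]
    return " ".join(cmd) + f"  # revoke from sg {g['group_name']}"


def revoke_commands(grants, account_ips, patterns=()):
    """Step 3: a revoke command for every grant that is neither known nor excluded."""
    return [revoke_command(g) for g in grants
            if not is_account_address(g["cidr"], account_ips)
            and not is_whitelisted(g["cidr"], patterns)]


if __name__ == "__main__":
    grants = load_grants(SECURITY_GROUPS_JSON)
    print("# step 1:", unknown_cidrs(grants, ACCOUNT_PUBLIC_IPS))
    keep = [r"203\.0\.113\.10", r"0\.0\.0\.0/0"]          # the -w patterns of step 2
    print("# step 2:", unknown_cidrs(grants, ACCOUNT_PUBLIC_IPS, keep))
    for line in revoke_commands(grants, ACCOUNT_PUBLIC_IPS, keep):   # step 3
        print(line)
```

Running it lists four unknown CIDRs in step 1, two after the -w patterns are applied, and prints the two remaining revoke commands, which is the output you would pipe into `tee revoked.log | bash` in step 4. Note that 0.0.0.0/0 shows up in the step 1 list: a world-open grant will never match a machine in your account, so it must be whitelisted explicitly if it is intended.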
This utility makes it easy for you to regularly inspect and maintain your firewall rules and keep your AWS resources safe!