Add CloudFlare IP addresses to an EC2 Security Group using awscli

add_cloudflare_ips.sh

# first we download the list of IP ranges from CloudFlare
wget https://www.cloudflare.com/ips-v4

# set the security group ID
SG_ID="sg-00000000000000"

# iterate over the IP ranges in the downloaded file
# and allow access to ports 80 and 443
while read p
do
    aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges="[{CidrIp=$p,Description='Cloudflare'}]"
    aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$p,Description='Cloudflare'}]"
done< ips-v4

rm ips-v4

Thank you for the above script @Kcrong however it seems that the while loop is not reading the last ip address in that list so following this stackoverflow suggestion = https://stackoverflow.com/a/12916758 , ive used the for loop and added both port 80,443[for the cloudflare IPs] and also 22 but only for my IP

#! /bin/bash
SG_ID="";
# Delete all existing rules
aws ec2 revoke-security-group-ingress --group-id $SG_ID \
		  --ip-permissions \
		    "`aws ec2 describe-security-groups --output json --group-ids $SG_ID --query "SecurityGroups[0].IpPermissions"`"

# Adding ipv4
for p in $(< <(curl --fail --silent https://www.cloudflare.com/ips-v4));
do
			aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges="[{CidrIp=$p,Description='Cloudflare - updated by instance'}]"
			aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$p,Description='Cloudflare - updated by instance'}]"
				echo "$p has been added"
		done;
		echo "IPv4 completed"

# Get my IP
my_ip=$(curl --fail --silent ifconfig.me);
echo "starting to add your IP for SSH";
aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges="[{CidrIp=$my_ip/32,Description='Cloudflare - updated by instance'}]";
echo "your IP added for SSH";

Not sure if this is still being watched by anyone, but I found it extremely helpful and figured I'd update the chain with what I consider the final script for both ipv4 and ipv6:

#!/bin/bash
SG_ID="sg-00000000000000000"
aws ec2 revoke-security-group-ingress --group-id $SG_ID --ip-permissions "`aws ec2 describe-security-groups --output json --group-ids $SG_ID --query "SecurityGroups[0].IpPermissions"`"

# Adding ipv4
for p in $(curl --fail --silent https://www.cloudflare.com/ips-v4);
do
	aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges="[{CidrIp=$p,Description='Cloudflare IPv4 - updated by instance'}]"
	aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$p,Description='Cloudflare IPv4 - updated by instance'}]"
	echo "$p has been added"
done
echo "IPv4 completed"

# Adding ipv6
for p in $(curl --fail --silent https://www.cloudflare.com/ips-v6);
do
	aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,Ipv6Ranges="[{CidrIpv6=$p,Description='Cloudflare IPv6 - updated by instance'}]"
	aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,Ipv6Ranges="[{CidrIpv6=$p,Description='Cloudflare IPv6 - updated by instance'}]"
	echo "$p has been added"
done
echo "IPv6 completed"

The only thing I'm having trouble with is capturing "my IP", since I'm running this via cloudshell. Oh well, doesn't hurt to still manually do that once in awhile.

thanks 🙏