@savishy
Last active August 24, 2016 03:44
Amazon EC2 CLI and API: Tips, Tricks and Scripts
#!/bin/bash
set -e
###########
# AWS CLI must be installed, e.g. using sudo apt install awscli.
# This script cleans up your security group to remove old IP addresses from the rules for SSH
# (and the other ports listed in PORTS), and adds your current IP address.
# This scenario is especially for cases where your ISP only allows dynamic IP addresses, or you
# access AWS from multiple locations.
# - Uses AWS CLI - http://docs.aws.amazon.com/cli/ - to fetch the required security group's allowed IP addresses.
# - Checks whether your current public IP address is allowed in that list.
# -- If not, adds a rule allowing SSH from your current public IP.
# - Removes all IP addresses that do not match your current public IP.
###########
# check if aws cli exists, bail otherwise
command -v aws >/dev/null 2>&1 || { echo "I require AWS CLI but it's not installed (e.g. using apt-get install awscli). Aborting." >&2; exit 1; }
PORTS="22 80 8080 8081 5601"
usage() {
echo "
---
This script updates rules for specific ports from an AWS Security Group to allow traffic from your current IP address.
The following ports will be edited: $PORTS
After running this script, you will be able to access these ports on EC2 instances that use this security group.
This is useful in scenarios where your ISP changes your dynamic IP address randomly.
USAGE:
$0 [AWS REGION] [AWS SECURITY GROUP]
- AWS REGION: the region where your security group is
- AWS SECURITY GROUP: the ID (sg-...) of your security group
---
"
}
# removeIpAddr CIDR PORT: revoke the rule allowing CIDR on tcp PORT.
# The group is addressed by ID (--group-id), which is what usage asks for.
removeIpAddr() {
echo "-- removing $1 from security group for tcp port $2"
aws ec2 revoke-security-group-ingress --group-id "$AWS_SECURITYGROUP" --region "$AWS_REGION" --cidr "$1" --protocol tcp --port "$2"
}
# addIpAddr ADDR PORT: authorize ADDR (a bare address gets /32 appended) on tcp PORT.
addIpAddr() {
ip=$1
if [[ "$ip" != */32 ]]; then
ip="${1}/32"
fi
echo "-- adding $ip to security group for tcp port $2"
aws ec2 authorize-security-group-ingress --group-id "$AWS_SECURITYGROUP" --region "$AWS_REGION" --cidr "$ip" --protocol tcp --port "$2"
}
# containsCidr CIDR "CIDR CIDR ...": succeed if CIDR is in the whitespace-separated list.
containsCidr() {
local c
for c in $2; do
[[ "$c" == "$1" ]] && return 0
done
return 1
}
# to download and run: bash -c "$(curl -fsSL "$raw_gist_path")" update-sg REGION SG_ID
# (the first word after the script text becomes $0, the next two become $1 and $2)
AWS_REGION=$1
AWS_SECURITYGROUP=$2
echo "-- region $1, security group $2"
if [[ -z $AWS_REGION || -z $AWS_SECURITYGROUP ]]; then
usage && exit
fi
# Fetch the public address over HTTPS: the answer is about to become a firewall rule,
# so it must not be something an on-path party can rewrite.
MY_IPADDR=$(wget https://ipinfo.io/ip -qO -)
# Refuse to touch the security group unless the answer looks like a single IPv4 address.
if [[ ! "$MY_IPADDR" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
echo "-- could not determine a valid public IPv4 address (got '$MY_IPADDR'). Aborting." >&2
exit 1
fi
MY_CIDR="${MY_IPADDR}/32"
for p in $PORTS; do
# Ask only for the IPv4 ranges of the tcp rule for this exact port. Without the filter every
# port's ranges come back, and revoking a CIDR on a port it was never allowed on fails
# (and, under set -e, aborts the script before your own address has been added).
IpAddrs=$(aws ec2 describe-security-groups \
--group-ids "$AWS_SECURITYGROUP" \
--region "$AWS_REGION" \
--query "SecurityGroups[].IpPermissions[?IpProtocol=='tcp' && FromPort==\`$p\` && ToPort==\`$p\`][].IpRanges[].CidrIp" \
--output text)
echo "-- current rules for tcp port $p allow: ${IpAddrs:-(none)}"
# add your current IP first, so that a failure further down never locks you out
if containsCidr "$MY_CIDR" "$IpAddrs"; then
echo "-- your IP $MY_CIDR already added to rules for port $p"
else
addIpAddr "$MY_CIDR" "$p"
fi
# then remove every IP that is not yours
for ip in $IpAddrs; do
[[ "$ip" == "$MY_CIDR" ]] || removeIpAddr "$ip" "$p"
done
done
# This set of commands edits a security group to allow SSH only from your IP address.
# After this command is executed, EC2 instances within that security group will allow SSH from your IP address.
# - Set the value of AWS_REGION to the region of your choice.
# - Set the value of AWS_SECURITYGROUP to a security group already created in that region.
# - First your external IP address is detected.
# - Then the EC2 API is invoked to allow SSH only from your external IP address.
# Note: ec2-authorize (from the old EC2 CLI tools) only adds a rule; it does not remove addresses
# allowed earlier. The AWS CLI equivalent is aws ec2 authorize-security-group-ingress, used in the script above.
AWS_REGION=ap-south-1
AWS_SECURITYGROUP="some-security-group-id"
MY_IPADDR=$(wget https://ipinfo.io/ip -qO -)
ec2-authorize -P TCP -p 22 --region "$AWS_REGION" -s "$MY_IPADDR/32" "$AWS_SECURITYGROUP"
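Both snippets above reconcile a security group against one desired state: only your current address on each listed port. The following shell example, added here and not part of the gist, separates that reconciliation from the AWS calls so the plan can be inspected offline before anything is authorized or revoked. It works on the same whitespace-separated CIDR list that the describe-security-groups text query returns, keeps the safe ordering (authorize before revoke, so a failure part-way never removes the only working rule) and revokes a repeated CIDR only once. The per-port rule data, the function names plan_port / plan_all / sample_cidrs_for_port and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the gist: compute a per-port change plan for a security
# group without calling AWS. Function names and sample data are constructed.
set -e

# plan_port PORT CURRENT_IP "CIDR CIDR ..."
# Prints one action per line: "keep"/"authorize" for your own address first,
# then "revoke" for every other CIDR currently allowed on that port.
plan_port() {
  port=$1 me=$2 current=$3
  # a bare address becomes a /32, exactly as the gist's addIpAddr does
  case "$me" in */32) ;; *) me="$me/32" ;; esac
  have=no
  for cidr in $current; do
    [ "$cidr" = "$me" ] && have=yes
  done
  if [ "$have" = yes ]; then
    echo "keep $port $me"
  else
    echo "authorize $port $me"
  fi
  # an unfiltered query repeats a CIDR once per matching rule; revoke each once
  seen=" "
  for cidr in $current; do
    case "$seen" in *" $cidr "*) continue ;; esac
    seen="$seen$cidr "
    [ "$cidr" = "$me" ] || echo "revoke $port $cidr"
  done
}

# Constructed stand-in for the describe-security-groups call: the CIDRs currently
# allowed on a given tcp port (port 8080 has no rule at all).
sample_cidrs_for_port() {
  case "$1" in
    22)   echo "198.51.100.4/32 203.0.113.7/32 203.0.113.7/32" ;;
    80)   echo "0.0.0.0/0" ;;
    8080) echo "" ;;
  esac
}

# plan_all "PORT PORT ..." CURRENT_IP -> the full plan for every port
plan_all() {
  for p in $1; do
    plan_port "$p" "$2" "$(sample_cidrs_for_port "$p")"
  done
}

# Dry run: print the plan for the constructed data.
plan_all "22 80 8080" 203.0.113.7
```

In the real script each printed line maps to one aws ec2 authorize-security-group-ingress or revoke-security-group-ingress call; reviewing the plan first is a cheap way to catch a bad public-IP lookup (an empty or non-IPv4 answer) before a rule is written.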