Wednesday, August 5, 2015

Powershell: Automating AWS Security Groups

To provision and manage EC2-Instances in AWS cloud that comply with industry standards and regulations, Individuals administrating that should understand the security mechanisms within AWS framework—both those that are automatic and those that require configuration.Let’s take a look at Security Group which falls under the latter category.

As there is no "Absolute Security Group" which can be plugged in to satisfy the universal need, we should always be open for its modification.Automating so via Powershell will provide predictable/consistent results.

What Is Security Group?

Every VM created through AWS Management Console (or via scripts) can have association with one or multiple Security Groups (in case of VPC it can be up to 5). By default all the inbound and out bound traffic flow at instance level is blocked from elsewhere. We should automate the infrastructure to open only the ports satisfying the customer need. This implies that we should add rules to each Security Group for ingress/ egress as per customer requirement.For more details have a look at AWS Security Group

It is duly important to allow traffic only from valid source IP addresses; this will substantially prune security attack surface, use of 0.0.0.0/0 as IP range makes things vulnerable for sniffing or tampering of infrastructure. Traffic between VMs should always traverses through Security Groups, we can achieve this by allowing initiators Security Group- ID as source. 

Automation Script

I have kept this as a single block ,if one wishes they can create a function out of it. few things worth considering :
  • Execution of this script will only materialize given working pair of Secret Key & Access Key
  • This script make use of filtering functionality, whereby it expect end user to provide some Name-Pattern ,selection of Security Group is driven by aforementioned pattern
  • To facilitate the whole operation you have to provide certain parameters i.e.[IpProtocol , FromPort , ToPort , Source]
  • Source parameter can be interpreted in two ways, you can either provide IpRanges in CIDR block format or choose another Security Group as source in the from of UserIdGroupPair
<#
    .SYNOPSIS
    Simple script to safely assign/revoke Ingress Rules from VPC Security Group .
    
    .DESCRIPTION
    Script first checks to see what are the rules has beein specified for update,if already assigned will do no harm. 
    If assginement is successful, same can be verified at AWS console.
    
    NOTE:  Script must be updated to include proper pattern, security credentials.
#>

# Update the following lines, as needed:

Param(
          [string]$AccessKeyID="**********",
          [string]$SecretAccessKeyID="********",
          [string]$Region="us-east-1",
          [string]$GrpNamePattern="*vpc-sg-pup_winC*",
          [string]$GroupId="sg-xxxxxxxx",
          [string]$CidrIp="0.0.0.0/0",
          [switch]$SetAws=$true,
          [switch]$Revoke,
          [switch]$Rdp=$true,
          [switch]$MsSql=$true
         )

     $InfoObject = New-Object PSObject -Property @{
        AccessKey = $AccessKeyID
        SecretKey = $SecretAccessKeyID
        Region=$Region
        GrpNamePattern = $GrpNamePattern
        GroupId=$GroupId
        CidrIp=$CidrIp
}
if($SetAws)
    {
 Set-AWSCredentials -AccessKey $InfoObject.AccessKey  -SecretKey $InfoObject.SecretKey 
 Set-DefaultAWSRegion -Region $region
    }
       $PublicGroup = New-Object Amazon.EC2.Model.UserIdGroupPair
       $PublicGroup.GroupId= $InfoObject.GroupId

       $filter_platform = New-Object Amazon.EC2.Model.Filter -Property @{Name = "group-name"; Values = $InfoObject.GrpNamePattern}
       $SG_Details=Get-EC2SecurityGroup -Filter $filter_platform |SELECT GroupId, GroupName

       $rdpPermission = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol="tcp";FromPort=3389;ToPort=3389;UserIdGroupPair=$PublicGroup}

       $mssqlPermission = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol="tcp";FromPort=1433;ToPort=1433;IpRanges=$InfoObject.CidrIp}
       $permissionSet = New-Object System.Collections.ArrayList

     if($Rdp){ [void]$permissionSet.Add($rdpPermission) }

if($MsSql){ [void]$permissionSet.Add($mssqlPermission) }

   if($permissionSet.Count -gt 0)
  {
   try{
if(!$Revoke){
      "Granting to $($SG_Details.GroupName)"
       Grant-EC2SecurityGroupIngress -GroupId $SG_Details.GroupId -IpPermissions $permissionSet 
 }
  else{
  "Revoking to $($SG_Details.GroupName)"
  Revoke-EC2SecurityGroupIngress -GroupId $SG_Details.GroupId -IpPermissions $permissionSet
}
    }
catch{
if($Revoke){
Write-Warning "Could not revoke permission to $($SG_Details.GroupName)"
}
          else{
Write-Warning "Could not grant permission to $($SG_Details.GroupName)"
   }
    }
}


what we are looking at being able to automate Creation/updation of Security Group.Use this script in case you ran into frequent changing of Security Groups.

P.S. This script has been written keeping VPC  in mind, Different parameter usage between VPC and EC2 security groups should be take care of.

21 comments:

  1. Thanks for providing this informative information you may also refer
    http://www.s4techno.com/blog/2016/07/11/awk-scripting/

    ReplyDelete
  2. I have read this post. collection of post is a nice one AWS Online Training Bangalore

    ReplyDelete