Securing Your Network Using Auto-Updating Security Groups
We all know that no ports should be open to the internet for development purposes, but for convenience it’s common to find a security group with port 22 (SSH) open to 0.0.0.0/0
. Even narrower ingress rules can create backdoors.
Here we’ll show you how to create an auto-updating security group that adds your active WAN IP address when you connect. This way, only your active IP is authorized.
Create the “development” security group with no ingress
aws ec2 create-security-group --group-name=development --group-description="ssh access for my dev machine"
Create a limited role that can only update this security group
Since you may want to embed this script on your router or elsewhere, it’s important to generate a restricted access key that can only do one thing Create a user and add this policy
Make sure you put your account id & SG id in the role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1450378262000",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:us-east-1:ACCOUNT-ID:security-group/SECURITY-GROUP-ID"
]
}
]
}
Add a Shell function to automate the process
Put this function into your .bashrc
or .zshrc
so you can trigger it either manually or when you connect to the internet.
aws-open-ssh() {
aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxx --protocol tcp --port 22 --cidr $(dig +short myip.opendns.com @resolver1.opendns.com)/32
}
Run the function and check that your WAN IP has been added
$ aws-open-ssh
# show your wan-ip (yours will be a real addr)
$ dig +short myip.opendns.com @resolver1.opendns.com
192.168.0.1
$ aws ec2 describe-security-groups --group-ids sg-xxxxxxx|jq '.SecurityGroups[].IpPermissions'
[
{
"PrefixListIds": [],
"FromPort": 22,
"IpRanges": [
{
"CidrIp": "192.168.0.1/32"
}
],
"ToPort": 22,
"IpProtocol": "tcp",
"UserIdGroupPairs": []
Attach this group to any development resources you actively connect to.
Now that the security group can be updated, add this group to any development resources, e.g. EC2 instances, RDS instances etc.
With this technique, you won’t be tempted to open ports 22 or 3306 to the internet. By making security-group changes convenient, you keep them more secure.