-
Securing Your Network Using Auto-Updating Security Groups
We all know that no ports should be open to the internet for development purposes, but for convenience it’s common to find a security group with port 22 (SSH) open to
0.0.0.0/0
. Even narrower ingress rules can create backdoors.Here we’ll show you how to create an auto-updating security group that adds your active WAN IP address when you connect. This way, only your active IP is authorized.
Create the “development” security group with no ingress
aws ec2 create-security-group --group-name=development --group-description="ssh access for my dev machine"
Create a limited role that can only update this security group
Since you may want to embed this script on your router or elsewhere, it’s important to generate a restricted access key that can only do one thing Create a user and add this policy