Automatically add current public IP to Security Group to allow traffic on specific port

Every time I change my public IP I have to add the new IP to the security group in the AWS console to allow traffic on port 22.

Is there any way to automate this? I mean that on every change of public IP a script (on OSX) runs to add the new IP to my security group to allow traffic on port 22.

Thanks!


Solution 1:

I believe there are multiple ways of doing this. But I can share the way I have been doing this for a while using Python. I have no experience with OSX but I would assume it comes pre-installed with Python, so you should be able to do this. One caveat though, I had to install boto, which is a Python interface to AWS for API calls. You can definitely also accomplish the same thing with the EC2 CLI Tools.

Boto installation instructions can be found here -

http://boto.readthedocs.org/en/latest/getting_started.html

import boto.ec2

# Credentials are read from the usual boto configuration (~/.boto or environment variables)
conn = boto.ec2.connect_to_region('us-east-1')

# Allow TCP port 22 from a single host (the /32 mask); replace 1.2.3.4 with your public IP
conn.authorize_security_group(group_name='my_sec_group', ip_protocol='tcp',
                              from_port=22, to_port=22, cidr_ip='1.2.3.4/32')

Steps -

Import the necessary module
Connect to any region
Use authorize_security_group and specify the security group name, protocol, to/from port and your IP.

Solution 2:

You can use the aws_ipadd command to easily update and manage AWS security group rules and whitelist your public IP whenever it changes.

$ aws_ipadd my_project_ssh
 Your IP 10.10.1.14/32 and Port 22 is whitelisted successfully.

$ aws_ipadd my_project_ssh
 Modifying existing rule...
 Removing old whitelisted IP '10.10.1.14/32'.
 Whitelisting new IP '10.4.10.16/32'.
 Rule successfully updated!

Solution 3:

I just put together a script which does this update automagically. Might be useful for others, although it was just written for personal use:

import sys
import boto.ec2
import requests

LAST_IP_FILENAME = 'last_ip.txt'
AWS_REGION = '{your aws region}'
GROUP_NAME = '{the security group you wanna update}'
FROM_PORT = {from port}
TO_PORT = {to port}

AMAZON_IP_ENDPOINT = 'http://checkip.amazonaws.com/'

def get_last_ip():
    # The IP recorded by the previous run; None on the first run (no file yet) or if the file is empty
    try:
        with open(LAST_IP_FILENAME, 'r') as fp:
            ip = fp.readline().strip() or None
    except IOError:
        ip = None
    return ip

def get_connection():
    return boto.ec2.connect_to_region(AWS_REGION)

def get_security_group(conn, group_name):
    # Raises IndexError if no group with that name exists in the region
    return [s for s in conn.get_all_security_groups() if s.name == group_name].pop()

def delete_ip(sg, ip):
    if not sg.revoke('tcp', FROM_PORT, TO_PORT, cidr_ip=ip):
        raise Exception('Removing ip from security group failed')

def get_current_ip():
    resp = requests.get(AMAZON_IP_ENDPOINT)
    resp.raise_for_status()
    return resp.text.strip() + '/32'  # single-host CIDR

def add_new_ip(sg, ip):
    if not sg.authorize('tcp', FROM_PORT, TO_PORT, cidr_ip=ip):
        raise Exception('Adding ip to security group failed')

def save_new_ip(ip):
    with open(LAST_IP_FILENAME, 'w') as fp:
        fp.write(ip + '\n')

if __name__ == '__main__':
    last_ip = get_last_ip()
    current_ip = get_current_ip()

    if last_ip == current_ip:
        print('Last ip and current ip are the same.. abort.')
        sys.exit(0)

    conn = get_connection()
    sg = get_security_group(conn, GROUP_NAME)
    if last_ip is not None:
        print('Found old ip {}'.format(last_ip))
        delete_ip(sg, last_ip)
        print('    ..deleted successfully..')
    else:
        print('No old ip was found..')

    print('Current ip is {}'.format(current_ip))
    add_new_ip(sg, current_ip)
    print('    ..updated successfully')
    save_new_ip(current_ip)
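
As an added example (not code from any of the answers above), here is the "replace my old /32" step of the script above written against boto3 without a state file: the script marks the rule it owns with a Description and reconciles against the group's current IpPermissions, so it never touches rules that belong to someone else and stays correct even if the last_ip.txt file is lost. The RULE_TAG value, the security group id and the region are assumptions.

```python
import ipaddress

RULE_TAG = "auto-home-ip"  # Description on the rules this script owns (assumed convention)


def current_ip_cidr(raw):
    """Turn the text from checkip.amazonaws.com into a single-host /32, rejecting junk."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        raise ValueError("unexpected address from IP lookup: %s" % ip)
    return "%s/32" % ip


def owned_cidrs(permissions, port):
    """CIDRs of tcp/<port> rules tagged with RULE_TAG; untagged rules are never touched."""
    found = set()
    for p in permissions:
        if p.get("IpProtocol") != "tcp" or p.get("FromPort") != port or p.get("ToPort") != port:
            continue
        for rng in p.get("IpRanges", []):
            if rng.get("Description") == RULE_TAG:
                found.add(rng["CidrIp"])
    return found


def plan(permissions, port, new_cidr):
    """Return (to_revoke, to_authorize) so that exactly one tagged rule, new_cidr, remains."""
    have = owned_cidrs(permissions, port)
    return sorted(have - {new_cidr}), ([] if new_cidr in have else [new_cidr])


def permission(port, cidr):
    """The IpPermissions entry boto3 expects for one tcp/<port> rule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": RULE_TAG}]}


def reconcile(ec2, group_id, port, new_cidr):
    """Apply the plan through a boto3 EC2 client (or any object with the same three methods)."""
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, authorize = plan(sg["IpPermissions"], port, new_cidr)
    for cidr in revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[permission(port, cidr)])
    for cidr in authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[permission(port, cidr)])
    return revoke, authorize


if __name__ == "__main__":  # real run: needs boto3 and AWS credentials; the group id is a placeholder
    import boto3, urllib.request
    me = current_ip_cidr(urllib.request.urlopen("https://checkip.amazonaws.com/").read().decode())
    print(reconcile(boto3.client("ec2", region_name="us-east-1"), "sg-PLACEHOLDER", 22, me))
```

Because the plan is computed from what AWS actually has, running it twice is harmless: the second run finds the tagged rule already present and does nothing.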

Solution 4:

You should use a VPN which can be open to the whole Internet and SSH to your servers only through the VPN. It will work well, security is good (if you can handle your certificates well) and you don't need to detect that your IP has changed. And there is another benefit: you don't want to allow every hotel, train station or mobile you're using when traveling.

Or you can just open port 22 to the whole Internet; it is safe if you're using keys and have disabled password-only auth.

Solution 5:

https://github.com/jamiemccrindle/aws-access is a node command line tool to keep an AWS security group up to date with your current IP address e.g.

# install aws-access
npm install -g aws-access

# add current ip address to a security group
aws-access -g remote-working -r us-east-1