Hello,
Exporting Security Groups through the management console is primarily a tool that could be used to perform manual audits, as it sounds like is the case here.
For export/import functionality, I would also recommend using the AWS CLI or API. If using the CLI, we can use the aws ec2 describe-security-group-rules command to provide a listing of all rules of a particular group, with output in JSON format (see example).
aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-0a53fe4abed0bb1e6"

{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0c6a87099ccb11a83",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-013f9801176513efb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow SSH",
            "Tags": []
        }
    ]
}
Now let's say that we want to add an additional ingress rule to this group, in which case we can use the aws ec2 authorize-security-group-ingress command to insert a rule into a group.
aws ec2 authorize-security-group-ingress --group-id sg-0a53fe4abed0bb1e6 --protocol tcp --port 80 --cidr 0.0.0.0/0

{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
Now we can return to the aws ec2 describe-security-group-rules command to verify the complete group configuration.

aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-0a53fe4abed0bb1e6"

{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0c6a87099ccb11a83",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0ff1df36f6377d6eb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-013f9801176513efb",
            "GroupId": "sg-0a53fe4abed0bb1e6",
            "GroupOwnerId": "aws_account_number",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow SSH",
            "Tags": []
        }
    ]
}
AWS CLI Describe Security Group Rules: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-group-rules.html
AWS CLI Authorize Security Group Ingress: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html
Also, if ongoing validation and remediation of security group configuration is of concern, I would suggest investigating AWS Firewall Manager as you can use it to build security group policies for audit/enforcement/remediation of security group configurations.
https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html