Is it possible to revoke all the ingress rules in an AWS security group? Is it possible to revoke all the SSH ingress rules? I'm trying with the CLI command below, but it's not working:
aws ec2 revoke-security-group-ingress --group-id GroupID --protocol tcp --port 22
Based on the suggestion of @kuboon, here is a simpler, working version of that script, tested in zsh. The key differences are the --output json option, and passing the result to the --ip-permissions option of revoke-security-group-ingress rather than as a fully-formatted command in json (which it is not) that --cli-input-json would require.
# describe the group's current ingress rules and hand the same JSON straight back to revoke
groupId="your group-id"
aws ec2 revoke-security-group-ingress --group-id "$groupId" \
  --ip-permissions \
  "$(aws ec2 describe-security-groups --output json --group-ids "$groupId" --query "SecurityGroups[0].IpPermissions")"
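As an added example (not part of either answer), this filters the IpPermissions JSON that describe-security-groups returns before handing it back to --ip-permissions, so that only the rules actually exposing TCP/22 are revoked, which covers the "all the SSH ingress rules" half of the question. The sample permissions and the sg-EXAMPLE group id are constructed; since a revoke must match an existing rule exactly, a rule covering 0-1024 is revoked whole rather than narrowed to port 22.

```python
import json
import shlex

# Constructed sample, shaped like `--query "SecurityGroups[0].IpPermissions"` output.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
     "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
     "PrefixListIds": [], "UserIdGroupPairs": []},
]


def permits_tcp_port(rule, port):
    """True if this ingress rule admits TCP traffic to `port`.
    IpProtocol "-1" is "all traffic" and carries no FromPort/ToPort."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def ssh_rules(permissions):
    """Rules to revoke if the goal is 'no SSH ingress'. Revocation has to match
    a rule exactly, so a 0-1024 range is returned whole; it cannot be trimmed
    to just port 22 by revoking."""
    return [r for r in permissions if permits_tcp_port(r, 22)]


def revoke_command(group_id, rules):
    """Build the CLI invocation as a shell-safe string. Returns None when there
    is nothing to revoke, so the caller never issues a call with an empty list."""
    if not rules:
        return None
    argv = ["aws", "ec2", "revoke-security-group-ingress",
            "--group-id", group_id, "--ip-permissions", json.dumps(rules)]
    return shlex.join(argv)  # quotes the embedded JSON for the shell


if __name__ == "__main__":
    # Drop the whole rule set (as the answer above does) or only the SSH-exposing rules:
    print(revoke_command("sg-EXAMPLE", SAMPLE_PERMISSIONS))
    print(revoke_command("sg-EXAMPLE", ssh_rules(SAMPLE_PERMISSIONS)))
```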
I ended up writing a PowerShell script that uses the AWS CLI to do that.
The script goes through all the regions, looks for the default security group, and deletes all rules in it.
Here it is:
# get all regions
Write-Host "Getting all regions.."
$regions = ([string](aws ec2 describe-regions --region eu-west-2) | ConvertFrom-Json).Regions.RegionName
Write-Host "Got them:"
$regions
Write-Host "-------------------"
Write-Host ""
# for all regions
foreach ($region in $regions)
{
    Write-Host "Getting default security groups for $region.."
    # get every security group named "default" in this region (one per VPC)
    $groupIds = ([string](aws ec2 describe-security-groups --filters Name=group-name,Values=default --region $region) | ConvertFrom-Json).SecurityGroups.GroupId
    foreach ($groupId in $groupIds)
    {
        Write-Host "Got it: $groupId"
        Write-Host "Getting all rules.."
        $rules = [string](aws ec2 describe-security-groups --group-id $groupId --query "SecurityGroups[0].IpPermissions" --region $region) | ConvertFrom-Json
        foreach ($rule in $rules)
        {
            $protocol = $rule.IpProtocol
            $fromPort = $rule.FromPort
            $toPort = $rule.ToPort
            # one rule can list several sources of each kind; revoke them one at a time
            # (foreach over $null runs zero times, so missing kinds are skipped)
            $cidrs = $rule.IpRanges.CidrIp
            $cidrsIpv6 = $rule.Ipv6Ranges.CidrIpv6
            $sourceGroups = $rule.UserIdGroupPairs
            if ($protocol -eq "icmpv6") {
                $protocol = "icmp"
            }
            if (($protocol -eq "tcp") -Or ($protocol -eq "udp") -Or ($protocol -eq "icmp"))
            {
                foreach ($cidr in $cidrs)
                {
                    if ($fromPort -eq -1) {
                        # -1 means "all ICMP types/codes" and is passed as a single value, not a range
                        Write-Host "Removing rule from security group using this command:"
                        Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port $fromPort --cidr $cidr --region $region"
                        aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort" --cidr $cidr --region $region
                        Write-Host "Done!"
                    }
                    else {
                        Write-Host "Removing rule from security group using this command:"
                        Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port $fromPort-$toPort --cidr $cidr --region $region"
                        aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort-$toPort" --cidr $cidr --region $region
                        Write-Host "Done!"
                    }
                }
                foreach ($cidrIpv6 in $cidrsIpv6)
                {
                    # piping the string through ConvertTo-Json escapes the embedded double quotes
                    # so they survive being passed to the native aws command from PowerShell
                    $json = ('{"IpProtocol": "'+$protocol+'", "FromPort": '+$fromPort+', "ToPort": '+$toPort+', "Ipv6Ranges": [{"CidrIpv6": "'+$cidrIpv6+'"}]}') | ConvertTo-Json
                    Write-Host "Removing Ipv6 version of rule from security group using this command:"
                    Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region"
                    aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region
                    Write-Host "Done!"
                }
                foreach ($pair in $sourceGroups)
                {
                    $sourceGroup = $pair.GroupId
                    $sourceGroupUserId = $pair.UserId
                    Write-Host "Removing SourceGroup rule from security group using this command:"
                    Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port $fromPort-$toPort --source-group $sourceGroup --group-owner $sourceGroupUserId --region $region"
                    aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --port "$fromPort-$toPort" --source-group $sourceGroup --group-owner $sourceGroupUserId --region $region
                    Write-Host "Done!"
                }
            }
            else
            {
                # "-1" (all traffic) or a custom protocol number: these rules carry no port range
                foreach ($cidr in $cidrs)
                {
                    Write-Host "Removing rule from security group using this command:"
                    Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --cidr $cidr --region $region"
                    aws ec2 revoke-security-group-ingress --group-id $groupId --protocol $protocol --cidr $cidr --region $region
                    Write-Host "Done!"
                }
                foreach ($cidrIpv6 in $cidrsIpv6)
                {
                    $json = ('{"IpProtocol": "'+$protocol+'", "Ipv6Ranges": [{"CidrIpv6": "'+$cidrIpv6+'"}]}') | ConvertTo-Json
                    Write-Host "Removing Ipv6 version of rule from security group using this command:"
                    Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region"
                    aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region
                    Write-Host "Done!"
                }
                foreach ($pair in $sourceGroups)
                {
                    $json = ('{ "IpProtocol": "'+$protocol+'", "UserIdGroupPairs":[{"GroupId":"'+$pair.GroupId+'","UserId":"'+$pair.UserId+'"}] }') | ConvertTo-Json
                    Write-Host "Removing SourceGroup rule from security group using this command:"
                    Write-Host "aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region"
                    aws ec2 revoke-security-group-ingress --group-id $groupId --ip-permissions $json --region $region
                    Write-Host "Done!"
                }
            }
        }
    }
    Write-Host "-------------------"
    Write-Host ""
}
N.B. This script cannot delete some rules (custom protocols, Custom ICMP Rule - IPv6), but it works for most rules.
I tested the script on the following set of rules:
This is what is left after running the script:
Hope this helps somebody out there!