How to correctly externalize SecurityGroupEgress and SecurityGroupIngress in CloudFormation

Question (1 vote, 2 answers)

With the CloudFormation template below, I can SSH into the EC2 instance.

PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupName: PublicSecurityGroup
        GroupDescription: Public Security Group
        VpcId:
            Ref: Vpc
        SecurityGroupEgress:
            - IpProtocol: "-1"
              FromPort: 0
              ToPort: 65535
              CidrIp: 0.0.0.0/0
        SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 22
              ToPort: 22
              CidrIp: 0.0.0.0/0
PublicEc2Instance:
    Type: AWS::EC2::Instance
    Properties:
        ImageId:
            Ref: ImageId
        InstanceType:
            Ref: InstanceType
        KeyName:
            Ref: KeyName
        SecurityGroupIds:
            - Fn::GetAtt:
                - PublicSecurityGroup
                - GroupId
        SubnetId:
            Ref: PublicSubnet
        Tags:
            - Key: Name
              Value: PublicEc2Instance

When I change the SecurityGroup definition to the following structure

PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupName: PublicSecurityGroup
        GroupDescription: Public Security Group
        VpcId:
            Ref: Vpc
PublicOutboundRule1:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        SourceSecurityGroupId: !Ref PublicSecurityGroup
        IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
PublicInboundRule1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        SourceSecurityGroupId: !Ref PublicSecurityGroup
        IpProtocol: tcp
        FromPort: 22
        ToPort: 22

I can no longer SSH into the EC2 instance.

Why does externalizing SecurityGroupEgress / SecurityGroupIngress block SSH access to the EC2 instance?

Thanks!

amazon-web-services amazon-cloudformation aws-security-group
2 Answers

1 vote

You are restricting traffic in the ingress rule to PublicSecurityGroup with this line: SourceSecurityGroupId: !Ref PublicSecurityGroup. Instead of SourceSecurityGroupId, specify the CIDR block you used in the upper YAML snippet:

PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupName: PublicSecurityGroup
        GroupDescription: Public Security Group
        VpcId:
            Ref: Vpc
PublicOutboundRule1:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0

PublicInboundRule1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
        GroupId: !Ref PublicSecurityGroup
        IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0

Note that I also removed SourceSecurityGroupId from your Egress rule, because Egress rules do not expect a source; they expect a destination (another SG, a CIDR block), since they are, well, egress :).


1 vote

You have not established the correct relationship between AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress / AWS::EC2::SecurityGroupEgress.

In your first definition you allow access to port 22 from anywhere:

SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0

But in your second definition you only grant access to port 22 from the same security group, because the SourceSecurityGroupId parameter specifies the ID of the Amazon EC2 security group that is allowed access, whereas you want to grant access from 0.0.0.0/0, which is not the same thing:

SourceSecurityGroupId: !Ref PublicSecurityGroup
IpProtocol: tcp
FromPort: 22
ToPort: 22

You need to remove the SourceSecurityGroupId parameter.
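Both answers locate the problem in SourceSecurityGroupId. The following is an added example, not code from the question or either answer: a small Python check that walks a CloudFormation template in its JSON form (the question's `!Ref X` becomes `{"Ref": "X"}`), resolves which peer each inline or externalized rule actually admits, and flags an egress rule that names a source and an ingress rule that only admits the group's own members. The template dict at the bottom is a constructed copy of the question's externalized version.

```python
# Added example (not from the question or either answer): resolve the effective peer of every
# security-group rule in a CloudFormation template, inline or externalized, and flag both mistakes.

def _ref(value):  # unwrap {"Ref": "LogicalId"} -> "LogicalId"; pass anything else through
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value

def _peer(rule):  # what the rule talks to: a CIDR block, another security group, or nothing
    if "CidrIp" in rule:
        return "cidr:" + rule["CidrIp"]
    for key in ("SourceSecurityGroupId", "DestinationSecurityGroupId"):
        if key in rule:
            return "sg:" + _ref(rule[key])
    return "none"

def describe_rules(template):
    """Map (group, direction, protocol, from_port, to_port, peer) -> list of problems."""
    findings = {}
    def add(group, direction, rule):
        peer, problems = _peer(rule), []
        if direction == "egress" and "SourceSecurityGroupId" in rule:
            problems.append("egress rule names a source; egress rules take a destination")
        if direction == "ingress" and peer == "sg:" + group:
            problems.append("ingress limited to members of the same security group")
        findings[(group, direction, rule["IpProtocol"], rule.get("FromPort"),
                  rule.get("ToPort"), peer)] = problems
    for name, res in template["Resources"].items():
        kind, props = res["Type"], res.get("Properties", {})
        if kind == "AWS::EC2::SecurityGroup":  # rules nested inside the group itself
            for r in props.get("SecurityGroupIngress", []): add(name, "ingress", r)
            for r in props.get("SecurityGroupEgress", []): add(name, "egress", r)
        elif kind == "AWS::EC2::SecurityGroupIngress":  # externalized rule resources
            add(_ref(props["GroupId"]), "ingress", props)
        elif kind == "AWS::EC2::SecurityGroupEgress":
            add(_ref(props["GroupId"]), "egress", props)
    return findings

def ssh_open_to(template, group):
    """Peers allowed to reach TCP/22 on `group`, e.g. {"cidr:0.0.0.0/0"} or {"sg:<group>"}."""
    return {k[5] for k in describe_rules(template)
            if k[:3] == (group, "ingress", "tcp") and k[3] <= 22 <= k[4]}

EXTERNALIZED = {"Resources": {  # constructed sample: the question's externalized template, JSON form
    "PublicSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Public Security Group", "VpcId": {"Ref": "Vpc"}}},
    "PublicOutboundRule1": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": {"Ref": "PublicSecurityGroup"}, "SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"},
        "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535}},
    "PublicInboundRule1": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "PublicSecurityGroup"}, "SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"},
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}}}}
```

Running `ssh_open_to(EXTERNALIZED, "PublicSecurityGroup")` yields only the group itself, which is exactly why SSH from outside stopped working; the same check on a template with `CidrIp: 0.0.0.0/0` yields that CIDR.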
