With the CloudFormation template below, I can SSH into the EC2 instance.

PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
    SecurityGroupEgress:
      - IpProtocol: "-1"
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
PublicEc2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId:
      Ref: ImageId
    InstanceType:
      Ref: InstanceType
    KeyName:
      Ref: KeyName
    SecurityGroupIds:
      - Fn::GetAtt:
          - PublicSecurityGroup
          - GroupId
    SubnetId:
      Ref: PublicSubnet
    Tags:
      - Key: Name
        Value: PublicEc2Instance
When I change the SecurityGroup definition to the following structure:

PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
PublicOutboundRule1:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    SourceSecurityGroupId: !Ref PublicSecurityGroup
    IpProtocol: "-1"
    FromPort: 0
    ToPort: 65535
PublicInboundRule1:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    SourceSecurityGroupId: !Ref PublicSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22

I can no longer SSH into the EC2 instance.

Why does externalizing SecurityGroupEgress and SecurityGroupIngress block SSH access to the EC2 instance?

Thanks!
You restricted the traffic in the ingress rule to PublicSecurityGroup in this line:

SourceSecurityGroupId: !Ref PublicSecurityGroup

Instead of SourceSecurityGroupId, specify the CIDR block you used in the upper YAML snippet:

PublicSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: PublicSecurityGroup
    GroupDescription: Public Security Group
    VpcId:
      Ref: Vpc
PublicOutboundRule1:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    IpProtocol: "-1"
    FromPort: 0
    ToPort: 65535
    CidrIp: 0.0.0.0/0
PublicInboundRule1:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref PublicSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: 0.0.0.0/0

Note that I also removed SourceSecurityGroupId from your egress rule, because egress rules don't expect a source, they expect a destination (another SG, a CIDR block), since they are, well, egress :).
You didn't set up the correct relationship between AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress / AWS::EC2::SecurityGroupEgress.

In your first definition, you can reach port 22 from anywhere:

SecurityGroupIngress:
  - IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: 0.0.0.0/0

But in your second definition, you only allow access to port 22 from the same security group, because the SourceSecurityGroupId parameter specifies the ID of the Amazon EC2 security group that is allowed access, and you want to grant access from 0.0.0.0/, which is not the same:

SourceSecurityGroupId: !Ref PublicSecurityGroup
IpProtocol: tcp
FromPort: 22
ToPort: 22

You need to remove the SourceSecurityGroupId parameter.
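As an added example that is not code from the question or from either answer, here is a small Python audit that encodes the point both answers make: it walks a template's inline and standalone ingress rules, reports whether TCP/22 is open to 0.0.0.0/0 or only to a peer security group, and flags egress rules that carry SourceSecurityGroupId. The templates are constructed here in the long-form {"Ref": ...} notation that YAML's !Ref expands to; the function and result-key names are my own.

```python
# Classify how TCP/22 is reachable in a CloudFormation template and flag
# egress rules that carry SourceSecurityGroupId (egress expects a destination).

def covers_ssh(rule):
    """True if the rule's protocol and port range include TCP/22."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":                       # all protocols, all ports
        return True
    return proto == "tcp" and int(rule.get("FromPort", -1)) <= 22 <= int(rule.get("ToPort", -1))

def ingress_rules(resources):
    """Yield (resource_name, rule_properties) for inline and standalone ingress rules."""
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props

def audit(template):
    """Return which resources open SSH to anywhere, which only to a peer SG, and bad egress."""
    resources = template["Resources"]
    out = {"ssh_from_anywhere": [], "ssh_from_sg_only": []}
    for name, rule in ingress_rules(resources):
        if not covers_ssh(rule):
            continue
        if rule.get("CidrIp") == "0.0.0.0/0":
            out["ssh_from_anywhere"].append(name)  # any address, including your workstation
        elif "SourceSecurityGroupId" in rule:
            out["ssh_from_sg_only"].append(name)   # only members of that SG; SSH from outside fails
    out["egress_with_source"] = [n for n, r in resources.items()
                                 if r.get("Type") == "AWS::EC2::SecurityGroupEgress"
                                 and "SourceSecurityGroupId" in r.get("Properties", {})]
    return out

def sg_template(ingress, egress):
    # Constructed template in the question's externalized-rule layout; extra rule properties merged in.
    ref = {"Ref": "PublicSecurityGroup"}
    return {"Resources": {
        "PublicSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                                "Properties": {"VpcId": {"Ref": "Vpc"}}},
        "PublicInboundRule1": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": ref, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, **ingress}},
        "PublicOutboundRule1": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
            "GroupId": ref, "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, **egress}}}}

SELF_SG = {"SourceSecurityGroupId": {"Ref": "PublicSecurityGroup"}}
ANYWHERE = {"CidrIp": "0.0.0.0/0"}
BROKEN = sg_template(ingress=SELF_SG, egress=SELF_SG)   # the question's second template
FIXED = sg_template(ingress=ANYWHERE, egress=ANYWHERE)  # the answer's corrected template
```

Running audit(BROKEN) lists PublicInboundRule1 under ssh_from_sg_only and PublicOutboundRule1 under egress_with_source, while audit(FIXED) lists PublicInboundRule1 under ssh_from_anywhere only.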