
I am using Amazon API Gateway via a Lambda function to allow my teammates to access my server. Using the POST method I am invoking this Lambda function to add teammates' IPs to an inbound rule.

I want to add IPs to an existing rule like this (add IPs in a single rule), but there is no method/action available for that in the AWS API documentation. The only available methods are these two: authorize_security_group_ingress and update_security_group_rule_descriptions_ingress. The first one creates a new rule with the IP every time, like this (even when everything else is the same: ports, protocol and description), and the second one only changes the rule description.

Please help me, what shall I do? Is there any Python script available for this, that is, to add an IP to an existing rule instead of creating a new rule?

zamp

1 Answer


I believe that the first example is still expanded into separate rules.

You can use Managed Prefix Lists if you want and add/remove IPs there. You can then reference the prefix list in your Security Groups.

Hope that helps :)

MLu
  • I created a security group and a prefix list; when I try to add that prefix list to an inbound rule in my security group I get this error: "The maximum number of rules per security group has been reached." I do not have any other rules in the security group, nor in any other group. I made the prefix list with one entry and also tried without any entry, but I still get the same error. – zamp Apr 30 '21 at 05:35
  • @zamp It depends what PrefixList size you specified. If you created a PL with 500 entries it will try to allocate 500 slots in the SG even if not all are populated, because it has to have space for them for when you update the PL entries. Create a smaller PrefixList ;) – MLu Apr 30 '21 at 05:40
  • You are right, it works for less than 60 max entries, but all in vain as I can't add my 64 teammates. Do you know any method for the same? – zamp Apr 30 '21 at 06:40
  • @zamp Create 2 security groups and assign them both to the instance. That’s the easiest way. Or use bigger address blocks - typically people in the same area will use just a handful of ISPs and may be assigned similar addresses, e.g. instead of 192.0.64.12/32, 192.0.65.154/32 and 192.0.67.243/32 I would permit the ISP’s range 192.0.64.0/22 to cover them all. It’s slightly less secure but still it blocks out 99.99xx% of the internet. Plus you won’t have to update the SG if their IP changes. – MLu Apr 30 '21 at 11:13
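The prefix-list approach from the answer, written out as the function the asker's Lambda would call (an added example, not code from the question or answer): it adds teammate IPs as /32 entries to a managed prefix list, skips addresses already present, and checks the MaxEntries limit discussed in the comments before calling AWS. The `ec2` argument is a boto3 EC2 client; `FakeEC2` is a constructed stand-in so the block runs offline, and `pl-EXAMPLE` is a placeholder prefix list id.

```python
import ipaddress

def add_ips_to_prefix_list(ec2, prefix_list_id, ips, description="teammate"):
    """Add host addresses as /32 entries to a managed prefix list via `ec2`
    (a boto3 EC2 client or anything exposing the same three calls). Entries
    already present are skipped, so repeated POSTs for the same teammate do
    not pile up duplicates. Returns the CIDRs actually added."""
    wanted = []
    for ip in ips:
        addr = ipaddress.ip_address(ip.strip())  # ValueError on junk input
        if addr.version != 4:
            raise ValueError(f"IPv4 address expected, got {ip!r}")
        wanted.append(f"{addr}/32")
    pl = ec2.describe_managed_prefix_lists(PrefixListIds=[prefix_list_id])["PrefixLists"][0]
    # One page suffices for small lists; follow NextToken for large ones.
    entries = ec2.get_managed_prefix_list_entries(PrefixListId=prefix_list_id)["Entries"]
    current = {e["Cidr"] for e in entries}
    to_add = [c for c in dict.fromkeys(wanted) if c not in current]
    if not to_add:
        return []
    # MaxEntries is fixed at creation and every slot counts against the security
    # group's rule quota, so fail clearly here rather than let AWS reject the call.
    if len(current) + len(to_add) > pl["MaxEntries"]:
        raise RuntimeError(f"{prefix_list_id} would exceed MaxEntries={pl['MaxEntries']}")
    ec2.modify_managed_prefix_list(
        PrefixListId=prefix_list_id,
        CurrentVersion=pl["Version"],  # optimistic lock: fails if the list changed meanwhile
        AddEntries=[{"Cidr": c, "Description": description} for c in to_add],
    )
    return to_add

class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client (demo/test only)."""
    def __init__(self, max_entries, entries):
        self.max_entries, self.entries, self.version = max_entries, list(entries), 1
    def describe_managed_prefix_lists(self, PrefixListIds):
        return {"PrefixLists": [{"PrefixListId": PrefixListIds[0],
                                 "Version": self.version, "MaxEntries": self.max_entries}]}
    def get_managed_prefix_list_entries(self, PrefixListId):
        return {"Entries": [{"Cidr": c} for c in self.entries]}
    def modify_managed_prefix_list(self, PrefixListId, CurrentVersion, AddEntries):
        assert CurrentVersion == self.version, "stale CurrentVersion"
        self.entries += [e["Cidr"] for e in AddEntries]
        self.version += 1
        return {}

if __name__ == "__main__":  # addresses from the comment thread; pl-EXAMPLE is a placeholder
    fake = FakeEC2(max_entries=60, entries=["192.0.64.12/32"])
    print(add_ips_to_prefix_list(fake, "pl-EXAMPLE", ["192.0.64.12", "192.0.65.154"]))
```

Against real AWS, pass `boto3.client("ec2")` instead of `FakeEC2`; the Lambda role then needs ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries and ec2:ModifyManagedPrefixList on that prefix list only.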