
I have the below setup on my EC2 Security Groups:

SecurityGroup1 with Inbound IP 1.1.1.1/32

SecurityGroup2 with Inbound SecurityGroup1
SecurityGroup2 with Inbound IP 2.2.2.2/32

SecurityGroup3 with Inbound SecurityGroup1
SecurityGroup3 with Inbound SecurityGroup2
SecurityGroup3 with Inbound IP 3.3.3.3/32

....

Is there an API that will take the Security Group Id, go through all the nested Security Groups (n levels) and bring back the Inbound IP Addresses along with the IP Addresses of the nested groups?

For example: if I pass SecurityGroup3, it will bring back

3.3.3.3/32,
2.2.2.2/32,
1.1.1.1/32

My environment is Python (boto3)

Asdfg
  • There is no API that will do this, but you can achieve this using a CLI command. – Piyush Patil Jul 29 '16 at 20:41
  • Do you have any example? – Asdfg Jul 29 '16 at 20:42
  • Refer to this: https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html. You can use this example: aws ec2 describe-security-groups --group-ids sg-903004f8 – Piyush Patil Jul 29 '16 at 20:44
  • It's the same as the describe_security_group API call. – Asdfg Jul 29 '16 at 21:07
  • 2
    I'm not sure you understand how security groups work. They don't "nest." Allowing access in group A from group B does not cause B to inherit the rules in A. – Michael - sqlbot Jul 29 '16 at 22:47
  • So if SystemA is compromised because someone opened port 22 to the world, and SystemB allows traffic from SystemA on port 22, then SystemB is at risk. Isn't that correct? – Asdfg Jul 30 '16 at 05:11
  • Only if you have Port 22 open in SystemB for security group SecurityGroup1 or SecurityGroup2 and SystemA has the private key for SystemB. – John Hanley Jul 25 '18 at 17:22
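There is indeed no single EC2 API call for this, but the walk is straightforward to write over the output of `describe_security_groups`. The code below is an added example (not from the question author or from AWS) that resolves the transitive set of inbound CIDRs for a group by following `UserIdGroupPairs` references n levels deep. Group IDs such as `sg-1`, `sg-2`, `sg-3`, `sg-peer` and the embedded `SAMPLE_GROUPS` response are constructed for illustration; the boto3 fetch in `fetch_all_groups` is assumed to run with normal EC2 read permissions and is not exercised offline. Note the point made in the comments above: security groups do not nest, so the result is not "the rules that apply to SecurityGroup3". What it gives you is the set of source addresses that can reach SecurityGroup3 directly, or indirectly through a host in a referenced group that is itself reachable from that address, which is the blast-radius question being asked. Prefix-list rules (`PrefixListIds`) are reported but not expanded, since that needs a separate `describe_managed_prefix_lists` call.

```python
"""Transitive inbound-CIDR resolver for EC2 security groups.

Works on the dict shape returned by boto3's ec2.describe_security_groups();
only the fields read below are required.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample in the describe_security_groups() shape. Not a real AWS
# response; group IDs, account IDs and CIDRs are hypothetical.
SAMPLE_GROUPS: List[dict] = [
    {"GroupId": "sg-1", "GroupName": "SecurityGroup1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "1.1.1.1/32"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-2", "GroupName": "SecurityGroup2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "2.2.2.2/32"}],
         "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [
             {"GroupId": "sg-1", "UserId": "111111111111"},
             # Hypothetical group in a peer account that we cannot describe.
             {"GroupId": "sg-peer", "UserId": "222222222222"}]},
    ]},
    {"GroupId": "sg-3", "GroupName": "SecurityGroup3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "3.3.3.3/32"}],
         "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [
             {"GroupId": "sg-1", "UserId": "111111111111"},
             {"GroupId": "sg-2", "UserId": "111111111111"},
             # Self-reference (usual for cluster members); must not loop.
             {"GroupId": "sg-3", "UserId": "111111111111"}]},
    ]},
]


def index_groups(groups: List[dict]) -> Dict[str, dict]:
    """Map GroupId -> group dict for O(1) lookup during the walk."""
    return {g["GroupId"]: g for g in groups}


def direct_sources(group: dict) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (cidrs, referenced_group_ids, prefix_list_ids) from one group's
    inbound rules. IPv4 and IPv6 CIDRs are both collected."""
    cidrs: Set[str] = set()
    refs: Set[str] = set()
    prefix_lists: Set[str] = set()
    for perm in group.get("IpPermissions", []):
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        refs.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
        prefix_lists.update(p["PrefixListId"] for p in perm.get("PrefixListIds", []))
    return cidrs, refs, prefix_lists


def resolve_inbound_cidrs(group_id: str, groups_by_id: Dict[str, dict]
                          ) -> Tuple[Dict[str, Set[str]], Set[str], Set[str]]:
    """Walk group_id and every group it references, to any depth.

    Returns (cidrs, unresolved, prefix_lists):
      cidrs        -- CIDR -> set of group IDs whose inbound rules contain it
      unresolved   -- referenced group IDs absent from groups_by_id (for
                      example a peer account's group); their sources are unknown
      prefix_lists -- prefix-list IDs seen in rules; not expanded here
    A visited set terminates cycles, including self-references.
    """
    cidrs: Dict[str, Set[str]] = {}
    unresolved: Set[str] = set()
    prefix_lists: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen:
            continue
        seen.add(gid)
        group = groups_by_id.get(gid)
        if group is None:
            unresolved.add(gid)
            continue
        direct, refs, pls = direct_sources(group)
        for cidr in direct:
            cidrs.setdefault(cidr, set()).add(gid)
        prefix_lists |= pls
        stack.extend(refs)
    return cidrs, unresolved, prefix_lists


def fetch_all_groups(region_name: str = "us-east-1") -> Dict[str, dict]:
    """Fetch every security group visible to the caller (network call; not run
    by the offline sample). One describe call for all groups is cheaper than
    one call per hop, and lets the walk resolve every reference locally."""
    import boto3  # imported lazily so the rest of the module works offline
    ec2 = boto3.client("ec2", region_name=region_name)
    groups: List[dict] = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return index_groups(groups)


if __name__ == "__main__":
    found, missing, pls = resolve_inbound_cidrs("sg-3", index_groups(SAMPLE_GROUPS))
    for cidr in sorted(found, reverse=True):
        print(cidr, "via", ", ".join(sorted(found[cidr])))
    if missing:
        print("could not describe:", ", ".join(sorted(missing)))
```

Against the sample, `sg-3` resolves to `3.3.3.3/32` (from sg-3), `2.2.2.2/32` (from sg-2) and `1.1.1.1/32` (from sg-1), and reports `sg-peer` as unresolved rather than silently dropping it. In a real audit the unresolved set is the part to chase, because a referenced group in another account can be widened without any change visible in your own account. For `SecurityGroup3` to actually be exposed through this chain, as the last comment above notes, an intermediate host in SecurityGroup1 or SecurityGroup2 still has to be reachable on the relevant port and able to forward or pivot.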

0 Answers