10

I have now 5 different security groups which I have tried to organize the best I can.

I sometimes need to open SSH access to some instances depending on what location I am in, so I add the rules from my current IP for inbound port 22. I can get in fine, but in order to keep things tidy I would like to be able to specify that this IP is from Glasgow's office, this one's from London, NY etc., but I cannot see a way of putting in that little bit of extra information.

We're several guys updating a security group, and after a while some are forgetting to remove the temporary rules, which can become a bit messy and makes things difficult when we want to clean the security group and remove those temporary rules whilst keeping the permanent ones.

I cannot see anything in the docs that would allow me to add this little description beside each rule; did I miss something?

Mark Amery
Arnaud Bouchot

4 Answers

9

The answer to this question has recently changed.

Security group rules now have a Description field

AWS Announcement (August 31st, 2017) https://aws.amazon.com/about-aws/whats-new/2017/08/simplify-management-of-security-groups-with-security-group-rule-descriptions/

Amazon EC2 now allows customers to add a short description to individual security group rules. Using this functionality, customers can add details like when and why a certain security group rule was created or updated. This functionality simplifies management of security groups as customers no longer need to track this information using spreadsheets or documents.

Antonio O.
  • So using a command like this: `aws ec2 authorize-security-group-ingress --group-id $security_group_id --cidr $(dig +short myip.opendns.com @resolver1.opendns.com)/32 --protocol tcp --port $port` where do I pass in the description? – ndtreviv Oct 16 '17 at 13:33
  • @ndtreviv from http://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html `aws ec2 authorize-security-group-ingress --group-id sg-123abc12 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "RDP access from NY office"}]}]'` – Antonio O. Oct 16 '17 at 21:35
  • Yeah, but if I have other IP protocols for the same range, won't it wipe them out? When you get the security group details it merges them into one group. – ndtreviv Oct 19 '17 at 18:57
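As an added illustration (not part of the answer or the comments above), the following Python builds the `--ip-permissions` payload with a `Description` as shown in the linked CLI docs, then walks a `describe-security-groups` response to find the temporary or undescribed rules the question wants to clean up, and emits a per-CIDR revoke payload that leaves the other merged ranges in place. The sample response is constructed for the example; the field names follow the documented `IpPermissions` shape.

```python
import json

def ingress_permission(protocol, port, cidr, description):
    """--ip-permissions payload for one rule with a Description (authorize only adds rules)."""
    return [{"IpProtocol": protocol, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": cidr, "Description": description}]}]

def flatten_rules(describe_output):
    """Split each merged IpPermissions entry (one per protocol/port) into one record per CIDR,
    so every rule's own Description can be inspected."""
    rules = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                rules.append({"GroupId": sg["GroupId"], "IpProtocol": perm["IpProtocol"],
                              "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                              "CidrIp": rng["CidrIp"], "Description": rng.get("Description", "")})
    return rules

def temporary_rules(describe_output, marker="temp"):
    """Rules whose Description carries the agreed marker, or that have no Description at all."""
    return [r for r in flatten_rules(describe_output)
            if not r["Description"] or marker in r["Description"].lower()]

def revoke_permission(rule):
    """revoke-security-group-ingress payload removing exactly one CIDR; the other
    ranges in the same merged entry are left untouched."""
    return [{"IpProtocol": rule["IpProtocol"], "FromPort": rule["FromPort"],
             "ToPort": rule["ToPort"], "IpRanges": [{"CidrIp": rule["CidrIp"]}]}]

# Constructed sample shaped like `aws ec2 describe-security-groups` output (not real data).
SAMPLE = {"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
        {"CidrIp": "203.0.113.10/32", "Description": "SSH Glasgow office"},
        {"CidrIp": "198.51.100.7/32", "Description": "temp: SSH from hotel, remove Friday"},
        {"CidrIp": "192.0.2.99/32"}]}]}]}

if __name__ == "__main__":
    print(json.dumps(ingress_permission("tcp", 22, "203.0.113.10/32", "SSH Glasgow office")))
    for rule in temporary_rules(SAMPLE):
        print(json.dumps(revoke_permission(rule)))  # feed each one to --ip-permissions
```

Because a revoke payload names a single `CidrIp`, the Glasgow rule in the same tcp/22 entry survives the cleanup; only the ranges the team marked as temporary (or never described) are removed.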
1

No, you did not miss something, but there is no way to add a description to the IPs in the security group. Another way you can arrange it is to create one master security group for the resource and multiple security groups named after your offices, and attach those to the master security group. And you will have to maintain separate documents for the IP addresses.

Piyush Patil
  • I'm already keeping a shared document aside which I try to keep updated; unfortunately it's not always getting updated, which makes it totally useless over time. I really like the idea of having the master SG and children ones attached to it per office; it'll suit my needs pretty well I think. Sounds like a quick, easy fix I can put in place right now, thanks mate. – Arnaud Bouchot Aug 10 '16 at 08:47
1

While there is no description field for security groups, you can (and should) use tags to add metadata to each security group.

I suggest you create a tag called description for each security group and provide a detailed description there.

Other tags that can be useful for EC2 objects in general are owner, function and environment.

So for an SSH SG, you can define tags like the following:

owner=rodrigo m
function=secure ssh access
environment=production
description=Glasgow's office IP x.x.x.x London Office IP y.y.y.y
updated_on=8/9/2016
Rodrigo Murillo
0

I'm puzzled here, because it looks like the command

aws ec2 describe-security-groups --generate-cli-skeleton

allows for filters based on tag names and values

{
    "DryRun": true, 
    "GroupNames": [
        ""
    ], 
    "GroupIds": [
        ""
    ], 
    "Filters": [
        {
            "Name": "", 
            "Values": [
                ""
            ]
        }
    ]
}

which would directly answer your question of how to apply metadata to the security group that you want, but I don't see a way in any of the AWS CLI commands to set that metadata.

The other approach which I've seen used with some success to simplify security groups is to use a VPN configuration that gives your users a stable IP address endpoint, so that rather than poking holes in a security group, you move the trusted endpoint to a VPN that is cryptographically secured.

vielmetti