0

I have this in my policy to allow only ports 80 and 443 open to the world.

      "or": [
        {
          "Cidr": {
            "value": "0.0.0.0/0"
          }, 
          "type": "ingress", 
          "OnlyPorts": [
            80, 
            443
          ]
        }, 
        {
          "CidrV6": {
            "value": "::/0"
          }, 
          "type": "ingress", 
          "OnlyPorts": [
            80, 
            443
          ]
        }
      ]

Now I want to allow only 8080 and 8081 for selected security groups, not for all security groups. Is this possible?

SomeGuyOnAComputer
karthikeayan

3 Answers

0

You need to edit particular security groups only. Just open the ports there and that will do it.

Remigiusz
  • If I open ports, it will be applied to all the security groups. Is there any way I can add the security group ID in the policy file? – karthikeayan Apr 17 '19 at 10:41
  • How about creating a new SG with the ports open and attaching it to the other SGs you want open? – Remigiusz Apr 17 '19 at 10:45
  • Once I create a new security group with the port open, the lambda function will get triggered and it will delete the rules which are open to the world. – karthikeayan Apr 17 '19 at 10:48
0

Add a value filter using a key and an array of values to exclude the security groups you don't want to match.

0

For IPv4:

    resource: security-group
    filters:
      - tag:c7n_exception: absent
      - type: ingress
        OnlyPorts: [80, 443]
        Cidr:
          value: "0.0.0.0/0"

For IPv6:

    resource: security-group
    filters:
      - tag:c7n_exception: absent
      - type: ingress
        OnlyPorts: [80, 443]
        CidrV6:
          value: "::/0"

More filters

    filters:
      - and:
          # On the security-group resource, exclude groups by their own ID with a
          # `value` filter on GroupId; the commented key is the form used when the
          # policy resource is an EC2 instance and the groups are the attached ones.
          - type: value
            key: GroupId
            # key: SecurityGroups[].GroupId
            op: not-in
            value:
              - sg-0db5e1ab7s8323
Chenna
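As an added worked example (not code from the question or from any of the answers, and not Cloud Custodian's own implementation), the following Python script models the two-tier rule this thread converges on over describe-security-groups style records: ports 80 and 443 may be open to 0.0.0.0/0 or ::/0 on every group, 8080 and 8081 only on groups that carry the c7n_exception tag or are listed by ID, and anything else open to the world is a finding. The security-group records, the group IDs and the allow-list are constructed for the example; the port logic is a conservative approximation (a rule passes only if every port in its FromPort-ToPort range is allowed, so an all-traffic rule is always flagged) and does not reproduce c7n's exact OnlyPorts semantics.

```python
"""Offline model of the two-tier world-open port check from the thread above.

Constructed example, not Cloud Custodian code. Input records use the shape
returned by `aws ec2 describe-security-groups` (IpPermissions, IpRanges,
Ipv6Ranges, Tags).
"""
from typing import Dict, List, Set, Tuple

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

BASELINE_PORTS: Set[int] = {80, 443}            # allowed world-open on every group
EXCEPTION_EXTRA_PORTS: Set[int] = {8080, 8081}  # allowed only on excepted groups
EXCEPTION_TAG = "c7n_exception"                 # tag key from the answer above (any value counts)
EXCEPTION_GROUPS: Set[str] = {"sg-0123456789abcdef0"}  # constructed ID allow-list

Finding = Tuple[int, int, str]  # (FromPort, ToPort, world CIDR)


def _tags(sg: dict) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in sg.get("Tags", [])}


def is_exception(sg: dict) -> bool:
    """Group may additionally expose EXCEPTION_EXTRA_PORTS to the world."""
    return EXCEPTION_TAG in _tags(sg) or sg["GroupId"] in EXCEPTION_GROUPS


def world_open_ranges(sg: dict) -> List[Finding]:
    """Every ingress permission reachable from 0.0.0.0/0 or ::/0, as port ranges."""
    out: List[Finding] = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
        if not cidrs:
            continue
        if perm.get("IpProtocol") == "-1":       # "all traffic": no FromPort/ToPort present
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for cidr in cidrs:
            out.append((lo, hi, cidr))
    return out


def violations(sg: dict) -> List[Finding]:
    """World-open ranges that contain any port not allowed for this group."""
    allowed = BASELINE_PORTS | (EXCEPTION_EXTRA_PORTS if is_exception(sg) else set())
    bad: List[Finding] = []
    for lo, hi, cidr in world_open_ranges(sg):
        # A range wider than the allowed set cannot be made of allowed ports only;
        # otherwise check each port in the range.
        if hi - lo + 1 > len(allowed) or any(p not in allowed for p in range(lo, hi + 1)):
            bad.append((lo, hi, cidr))
    return bad


def check(groups: List[dict]) -> Dict[str, List[Finding]]:
    """Map GroupId -> findings, for groups that have at least one."""
    result = {sg["GroupId"]: violations(sg) for sg in groups}
    return {gid: f for gid, f in result.items() if f}


def _perm(proto: str, lo, hi, v4: bool, v6: bool) -> dict:
    p = {"IpProtocol": proto,
         "IpRanges": [{"CidrIp": WORLD_V4}] if v4 else [],
         "Ipv6Ranges": [{"CidrIpv6": WORLD_V6}] if v6 else []}
    if proto != "-1":
        p["FromPort"], p["ToPort"] = lo, hi
    return p


# Constructed sample groups (IDs and rules invented for this example).
SAMPLE_GROUPS: List[dict] = [
    {"GroupId": "sg-web", "Tags": [], "IpPermissions": [
        _perm("tcp", 80, 80, True, True),
        _perm("tcp", 443, 443, True, True),
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},   # internal only
    ]},
    {"GroupId": "sg-0123456789abcdef0", "Tags": [], "IpPermissions": [  # allow-listed by ID
        _perm("tcp", 8080, 8081, True, False),
    ]},
    {"GroupId": "sg-api", "Tags": [], "IpPermissions": [               # not excepted
        _perm("tcp", 8080, 8080, True, False),
    ]},
    {"GroupId": "sg-wide", "Tags": [{"Key": EXCEPTION_TAG, "Value": "true"}],
     "IpPermissions": [_perm("-1", None, None, False, True)]},         # tagged, but all-ports
]

if __name__ == "__main__":
    for gid, findings in check(SAMPLE_GROUPS).items():
        for lo, hi, cidr in findings:
            print(f"{gid}: ports {lo}-{hi} open to {cidr}")
```

Running it reports sg-api (8080 open to the world without an exception) and sg-wide (all traffic from ::/0, which the tag does not excuse), while sg-web and the allow-listed group pass. The same split is what the two policies in the last answer express: one policy with `tag:c7n_exception: absent` enforcing 80/443, and a second, scoped to the excepted groups, enforcing the wider list.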