#!/usr/bin/python
import boto
import boto3
from boto import ec2
import yaml
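# Credentials are resolved through boto3's default credential chain (environment
# variables, shared config/credentials files, or an instance/task role). Do not
# hard-code access keys in this file.
client = boto3.client('ec2', region_name='us-east-1')

# When True, print the rules that would be revoked/authorized but make no
# mutating AWS call. Default False keeps the script's original behaviour.
DRY_RUN = False

# Load the YAML file with the SG definitions. safe_load builds only plain Python
# objects (dicts, lists, scalars), which is all a rule definition file needs.
with open(r'SecurityGroups.yaml') as file:
    localSGs = yaml.safe_load(file)


def _missing_rules(rules, reference):
    """Return the entries of *rules* that have no exact match in *reference*.

    Matching is whole-dict equality (``==``), as in the per-rule loops this
    replaces. NOTE(review): the EC2 API returns permission dicts with keys such
    as ``Ipv6Ranges``, ``PrefixListIds`` and ``UserIdGroupPairs`` even when they
    are empty lists, so a YAML rule must carry the same keys to be considered
    equal — confirm the YAML shape against a describe_security_groups response.

    Args:
        rules: list of IpPermissions-style dicts to test.
        reference: list of IpPermissions-style dicts to look them up in.

    Returns:
        The subset of *rules* not present in *reference*, in original order.
    """
    return [rule for rule in rules if rule not in reference]


def _enforce_direction(group_id, local_rules, aws_rules, revoke, authorize, label):
    """Bring one direction (ingress or egress) of one security group in line with the YAML.

    Rules present in AWS but absent from the YAML are revoked first; rules
    present in the YAML but absent from AWS are then authorized. Revoke-before-
    authorize is the order the script always used; a rule that is merely being
    reshaped is therefore absent for the moment between the two calls.

    Args:
        group_id: ``GroupId`` from the describe_security_groups response.
        local_rules: permission dicts from the YAML (the desired state).
        aws_rules: permission dicts currently attached to the group in AWS.
        revoke: client method removing rules (revoke_security_group_ingress/egress).
        authorize: client method adding rules (authorize_security_group_ingress/egress).
        label: 'ingress' or 'Egress', used only in the printed messages.
    """
    # Anything AWS has that the YAML does not is an unauthorized rule: remove it.
    for rule in _missing_rules(aws_rules, local_rules):
        print("\nThe %s rule was not found in the local YAML, delete the illegal rule ...\n" % label)
        if not DRY_RUN:
            revoke(GroupId=group_id, DryRun=False, IpPermissions=[rule])
    # Anything the YAML has that AWS does not is a missing rule: add it.
    for rule in _missing_rules(local_rules, aws_rules):
        print("The %s rule was not found in the AWS SG, trying to create missing rule..." % label)
        if not DRY_RUN:
            authorize(GroupId=group_id, DryRun=False, IpPermissions=[rule])


# Walk the SG list in the YAML definition file and reconcile each group.
for sg in localSGs['SecurityGroups']:
    print("Checking security group: ", sg['GroupName'])
    # Fetch the group's current rules from AWS. The original code called an
    # undefined ``client_account`` here, which raised NameError on first use;
    # the client created above is the intended object.
    # NOTE(review): GroupNames= resolves names in the default VPC only; for a
    # non-default VPC the lookup needs the 'group-name' filter instead.
    awsSGs = client.describe_security_groups(GroupNames=[sg['GroupName']])
    # Index the YAML keys directly on purpose: a definition that omits
    # IpPermissions/IpPermissionsEgress fails with KeyError rather than being
    # read as "no rules allowed", which would strip every rule from the group.
    local_ingress = sg['IpPermissions']
    local_egress = sg['IpPermissionsEgress']
    for awsSG in awsSGs['SecurityGroups']:
        _enforce_direction(
            awsSG['GroupId'],
            local_ingress,
            awsSG['IpPermissions'],
            client.revoke_security_group_ingress,
            client.authorize_security_group_ingress,
            'ingress',
        )
        _enforce_direction(
            awsSG['GroupId'],
            local_egress,
            awsSG['IpPermissionsEgress'],
            client.revoke_security_group_egress,
            client.authorize_security_group_egress,
            'Egress',
        )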