
[AWS][EC2] セキュリティグループに、SSHとRDPの接続設定を足す(自分のグローバルIPからの通信だけ許可)

上記と組み合わせると、例えばデモの時だけ接続ポート設定が出来ます。
echoServerURLの先には、接続元IPだけを返すJSPやPHPをBeanstalkにでも載せておけばOKです。

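public class AddSSHandRDPSettings {

  /** TCP ports opened for the caller's address: 22 (SSH) and 3389 (RDP). */
  static final List<Integer> targetPortList = Arrays.asList(22, 3389);
  /**
   * URL of an echo service that answers with the caller's public IP as plain
   * text. Its answer decides which source address is granted SSH/RDP access,
   * so it should be a service you control and should be reached over HTTPS;
   * a tampered answer would open the ports to some other address.
   */
  static final String echoServerURL = "接続元IPを返すエコーサービスのURL";
  
  /**
   * Looks up this machine's public IP via the echo service, then adds a
   * {@code tcp} ingress rule for each port in {@link #targetPortList},
   * restricted to that IP as a /32, to every security group in the region.
   * Groups that already hold an identical rule are left alone (EC2 rejects
   * duplicate rules).
   *
   * @param args unused
   * @throws Exception on HTTP, credential-file or EC2 errors, and when the
   *     echo service does not return a well-formed IPv4 address
   */
  public static void main(String[] args) throws Exception {
    System.out.println("start");
    final String globalIP = fetchGlobalIP() + "/32";

    final List<IpPermission> permissionList = new ArrayList<>();
    for (Integer port : targetPortList) {
      IpPermission ip = new IpPermission().withFromPort(port)
          .withToPort(port).withIpRanges(globalIP)
          .withIpProtocol("tcp");
      permissionList.add(ip);
      System.out.println("Permission:" + port + ":" + globalIP);
    }

    // Credentials come from a properties file in the working directory; keep
    // that file out of version control.
    AWSCredentials credentials = new PropertiesCredentials(new File(
        "AwsCredentials.properties"));
    AmazonEC2Client ec2 = new AmazonEC2Client(credentials);
    ec2.setRegion(Region.getRegion(Regions.AP_NORTHEAST_1));

    // Note: every security group in the region is modified, not only the
    // ones in front of SSH/RDP hosts.
    DescribeSecurityGroupsResult describeSecurityGroupsResult = ec2
        .describeSecurityGroups();
    for (SecurityGroup sg : describeSecurityGroupsResult.getSecurityGroups()) {
      final List<IpPermission> addPermissionList =
          missingPermissions(sg, permissionList);
      if (addPermissionList.isEmpty()) {
        continue;
      }
      for (IpPermission addIp : addPermissionList) {
        System.out.println("Add:" + sg.getGroupId() + ":"
            + sg.getGroupName() + ":" + addIp.getFromPort()
            + ":" + addIp.getIpRanges());
      }
      AuthorizeSecurityGroupIngressRequest req = new AuthorizeSecurityGroupIngressRequest();
      req.setGroupId(sg.getGroupId());
      req.setIpPermissions(addPermissionList);
      ec2.authorizeSecurityGroupIngress(req);
    }
    System.out.println("success");
  }

  /**
   * Calls the echo service and returns its answer as a validated IPv4 address.
   *
   * @return the dotted-quad address the service reported
   * @throws IllegalStateException if the response is not a plain IPv4 address
   * @throws Exception on HTTP errors
   */
  private static String fetchGlobalIP() throws Exception {
    HttpClient httpClient = new DefaultHttpClient();
    try {
      HttpGet get = new HttpGet(echoServerURL);
      HttpEntity entity = httpClient.execute(get).getEntity();
      // Echo services often append a newline; untrimmed it would become part
      // of the CIDR string handed to EC2.
      String body = EntityUtils.toString(entity).trim();
      // The response is untrusted network input that ends up in an
      // authorization rule: accept nothing but a dotted quad.
      if (!isIPv4Address(body)) {
        throw new IllegalStateException(
            "echo service did not return an IPv4 address: " + body);
      }
      return body;
    } finally {
      // DefaultHttpClient holds pooled connections; release them.
      httpClient.getConnectionManager().shutdown();
    }
  }

  /**
   * Strict dotted-quad check: exactly four decimal octets in 0..255, no
   * whitespace, sign, prefix length or anything else.
   *
   * @param s candidate string, may be null
   * @return true only for a plain IPv4 literal such as {@code 203.0.113.7}
   */
  static boolean isIPv4Address(String s) {
    if (s == null) {
      return false;
    }
    // limit -1 keeps trailing empty parts so "1.2.3." is rejected
    String[] octets = s.split("\\.", -1);
    if (octets.length != 4) {
      return false;
    }
    for (String octet : octets) {
      if (octet.isEmpty() || octet.length() > 3) {
        return false;
      }
      for (int i = 0; i < octet.length(); i++) {
        char c = octet.charAt(i);
        if (c < '0' || c > '9') {
          return false;
        }
      }
      if (Integer.parseInt(octet) > 255) {
        return false;
      }
    }
    return true;
  }

  /**
   * Returns the entries of {@code wanted} that {@code sg} does not already
   * contain.
   *
   * @param sg security group to inspect
   * @param wanted rules we intend to add
   * @return the subset of {@code wanted} that is missing from {@code sg}
   */
  private static List<IpPermission> missingPermissions(SecurityGroup sg,
      List<IpPermission> wanted) {
    final List<IpPermission> sgPermissionList = sg.getIpPermissions();
    final List<IpPermission> missing = new ArrayList<>();
    for (IpPermission ip : wanted) {
      if (!hasSamePermission(sgPermissionList, ip)) {
        missing.add(ip);
      }
    }
    return missing;
  }

  /**
   * Tells whether {@code targetList} holds a rule equal to {@code ip}.
   *
   * @param targetList existing rules; null is treated as empty
   * @param ip rule to look for
   * @return true if an equal rule is present
   */
  private static boolean hasSamePermission(List<IpPermission> targetList,
      IpPermission ip) {
    if (targetList == null) {
      return false;
    }
    for (IpPermission target : targetList) {
      if (isSamePermission(target, ip)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Compares two rules on protocol, port range and IP ranges. Protocol and
   * to-port are part of the comparison so that, e.g., an existing
   * {@code udp 22} or {@code tcp 22-65535} rule for the same address is not
   * mistaken for the {@code tcp 22} rule we want to add.
   *
   * @param ipA first rule
   * @param ipB second rule
   * @return true if both describe the same ingress rule
   */
  private static boolean isSamePermission(IpPermission ipA, IpPermission ipB) {
    final Integer fromPortA = ipA.getFromPort();
    final Integer fromPortB = ipB.getFromPort();
    if (fromPortA == null || !fromPortA.equals(fromPortB)) {
      return false;
    }
    if (!java.util.Objects.equals(ipA.getToPort(), ipB.getToPort())) {
      return false;
    }
    if (!java.util.Objects.equals(ipA.getIpProtocol(), ipB.getIpProtocol())) {
      return false;
    }
    final List<String> rangeAList = ipA.getIpRanges();
    final List<String> rangeBList = ipB.getIpRanges();
    if (rangeAList == null || rangeBList == null
        || rangeAList.size() != rangeBList.size()) {
      return false;
    }
    // same size plus every A range present in B: equal as long as neither
    // list carries duplicates
    for (String rangeA : rangeAList) {
      if (!rangeBList.contains(rangeA)) {
        return false;
      }
    }
    return true;
  }
}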