DEV Community ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป

Cover image for How to Copy a Security Group with Rules from one AWS Account to Another account ? ๐Ÿงโœ…๐Ÿ‘จโ€๐Ÿ’ป๐Ÿ‘ฉโ€๐Ÿ’ป
Dinesh Rathee
Dinesh Rathee

Posted on

How to Copy a Security Group with Rules from one AWS Account to Another account ? ๐Ÿงโœ…๐Ÿ‘จโ€๐Ÿ’ป๐Ÿ‘ฉโ€๐Ÿ’ป

๐—œ๐—บ๐—ฝ๐—ผ๐—ฟ๐˜๐—ฎ๐—ป๐˜ ๐—ก๐—ผ๐˜๐—ฒ: ๐Ÿ“๐—ข๐—ฝ๐—ถ๐—ป๐—ถ๐—ผ๐—ป๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—บ๐˜† ๐—ผ๐˜„๐—ป ๐Ÿ๐Ÿ™‚ ๐—”๐—ป๐—ฑ ๐—ถ๐˜ ๐—ถ๐˜€ ๐—บ๐˜† ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ผ๐—ป๐—ฎ๐—น ๐—ฏ๐—น๐—ผ๐—ด.

As you might be already aware that you can copy rules from an existing security group to a new security group within same Account, you can refer to an existing AWS Knowledge Center Article

  • But the Challenge comes in when you need to Achieve it "From one AWS Account to another Account."

CMD Line - Copy SG

How to Copy a Security Group with Rules from one Account to Another ?

Source Account:
- Access Key
- Secret Key
- Region
- Security Group Id

Destination Account:
- Access Key
- Secret Key
- Region

Script Content


# -*- coding: utf-8 -*-
"""
Created on Wed May 20 13:30:41 2021
@author: nikheel script, blog dinesh
"""

import boto3

sourceAccount={
        'AccessKey':'access key',
        'SecretKey':'secret key',
        'Region':'source region',
        'SecurityGroupId': 'security group id'
        }
destinationAccount = {
        'AccessKey':'access key',
        'SecretKey':'secret key',
        'Region':'destination region'
        }

# ------ Source Account ------ #

#set up boto3 client for source account

client = boto3.client(
        "ec2",
        region_name = sourceAccount['Region'],
        aws_access_key_id=sourceAccount['AccessKey'],
        aws_secret_access_key=sourceAccount['SecretKey']
        )

# describe security group that will be copied

response = client.describe_security_groups(
        GroupIds=[
                sourceAccount['SecurityGroupId']
                ]
        )["SecurityGroups"][0]

# extract ingress and egress rules for the security group

ingress = response["IpPermissions"]
egress = response["IpPermissionsEgress"]

# ------ Destination Account ------ #

#set up boto3 client for destination account

client = boto3.client(
        "ec2",
        region_name = destinationAccount['Region'],
        aws_access_key_id=destinationAccount['AccessKey'],
        aws_secret_access_key=destinationAccount['SecretKey']
        )

# create a new security group in the destination account

groupId = client.create_security_group(
        Description='security-group-from-{}'.format(sourceAccount['Region']),
        GroupName='security-group-from-{}'.format(sourceAccount['Region'])
        )["GroupId"]

# removed all egress rules from newly created security group

clearEgress = client.describe_security_groups(
        GroupIds=[groupId]
        )["SecurityGroups"][0]["IpPermissionsEgress"]

client.revoke_security_group_egress(
        GroupId=groupId,
        IpPermissions=clearEgress
        ) 

# create ingress and egress rules for the newly created security group   

client.authorize_security_group_ingress(
        GroupId=groupId,
        IpPermissions=ingress
        )
client.authorize_security_group_egress(
        GroupId=groupId,
        IpPermissions=egress
        )


I have structured the above in an easy to view and edit dictionary format. These are the only updates that will be needed to be performed on this script.

For the record, it is not advised to hard code access keys into our scripts as this can be a security risk if the script is accidentally exposed however, in this case, I just wanted to show the main principle of what needed to be done.

Created an example of your particular needs using the Python Boto3 SDK for AWS which you can find with attached script named "CopySGFromOneAWSAccountToAnotherScript.py"

Once you have executed this script, it will perform the following functions in this order:

  1. describe the security group rule you would like to copy in the source account using the describe_security_groups API call
  2. from the response obtained, we store the ingress and egress rules into variables for future reference
  3. we create a new security group in the destination account using the create_security_group API call
  4. remove all egress rules from the newly created security group using the revoke_security_group_egress API call
  5. add the egress and ingress rules to the new security group using the API calls authorize_security_group_ingress and authorize_security_group_egress

Security Group with Rules Copied to another Account

References

Thanks for reading.
Any feedback, please write it to me here in comments..
Also, ๐Ÿค๐Ÿค—You can connect with us ๐Ÿค๐Ÿค—

Script Credits - Nikheel Soni

๐—œ๐—บ๐—ฝ๐—ผ๐—ฟ๐˜๐—ฎ๐—ป๐˜ ๐—ก๐—ผ๐˜๐—ฒ: ๐Ÿ“๐—ข๐—ฝ๐—ถ๐—ป๐—ถ๐—ผ๐—ป๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—บ๐˜† ๐—ผ๐˜„๐—ป ๐Ÿ๐Ÿ™‚ ๐—”๐—ป๐—ฑ ๐—ถ๐˜ ๐—ถ๐˜€ ๐—บ๐˜† ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ผ๐—ป๐—ฎ๐—น ๐—ฏ๐—น๐—ผ๐—ด.

Top comments (0)

Top Heroku Alternatives (For Free)

>> Check out this classic DEV post <<