Dinesh Rathee

How to Copy a Security Group with Rules from one AWS Account to Another Account?

๐—œ๐—บ๐—ฝ๐—ผ๐—ฟ๐˜๐—ฎ๐—ป๐˜ ๐—ก๐—ผ๐˜๐—ฒ: ๐Ÿ“๐—ข๐—ฝ๐—ถ๐—ป๐—ถ๐—ผ๐—ป๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—บ๐˜† ๐—ผ๐˜„๐—ป ๐Ÿ๐Ÿ™‚ ๐—”๐—ป๐—ฑ ๐—ถ๐˜ ๐—ถ๐˜€ ๐—บ๐˜† ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ผ๐—ป๐—ฎ๐—น ๐—ฏ๐—น๐—ผ๐—ด.

As you may already know, you can copy the rules of an existing security group into a new security group within the same account; the existing AWS Knowledge Center article covers that case.

  • The challenge comes when you need to achieve the same thing from one AWS account to another account.

CMD Line - Copy SG

How to Copy a Security Group with Rules from one Account to Another ?

Source Account:
- Access Key
- Secret Key
- Region
- Security Group Id

Destination Account:
- Access Key
- Secret Key
- Region

Script Content


# -*- coding: utf-8 -*-
"""
Created on Wed May 20 13:30:41 2021
@author: nikheel script, blog dinesh
"""

import boto3

# Only these two dictionaries need editing. The credentials are hard-coded here
# purely to show the principle; in practice use a named profile, an assumed IAM
# role or environment variables so that keys never end up in the script.
sourceAccount = {
        'AccessKey': 'access key',
        'SecretKey': 'secret key',
        'Region': 'source region',
        'SecurityGroupId': 'security group id'
        }
destinationAccount = {
        'AccessKey': 'access key',
        'SecretKey': 'secret key',
        'Region': 'destination region'
        }

# ------ Source Account ------ #

# set up the boto3 client for the source account
client = boto3.client(
        "ec2",
        region_name=sourceAccount['Region'],
        aws_access_key_id=sourceAccount['AccessKey'],
        aws_secret_access_key=sourceAccount['SecretKey']
        )

# describe the security group that will be copied
response = client.describe_security_groups(
        GroupIds=[sourceAccount['SecurityGroupId']]
        )["SecurityGroups"][0]

# extract the ingress and egress rules of the security group. The IpPermissions
# structures returned here are accepted as-is by the authorize_* calls below.
# Caveat: rules that reference another security group (UserIdGroupPairs) or a
# managed prefix list point at resources in the source account and will be
# rejected by the destination account unless those resources exist there too.
ingress = response["IpPermissions"]
egress = response["IpPermissionsEgress"]

# ------ Destination Account ------ #

# set up the boto3 client for the destination account
client = boto3.client(
        "ec2",
        region_name=destinationAccount['Region'],
        aws_access_key_id=destinationAccount['AccessKey'],
        aws_secret_access_key=destinationAccount['SecretKey']
        )

# create a new security group in the destination account. Without a VpcId the
# group is created in the region's default VPC; pass VpcId='vpc-...' to
# create_security_group if it must live in another VPC.
groupId = client.create_security_group(
        Description='security-group-from-{}'.format(sourceAccount['Region']),
        GroupName='security-group-from-{}'.format(sourceAccount['Region'])
        )["GroupId"]

# remove the default allow-all egress rule from the newly created security
# group, so that only the copied egress rules remain afterwards
clearEgress = client.describe_security_groups(
        GroupIds=[groupId]
        )["SecurityGroups"][0]["IpPermissionsEgress"]

client.revoke_security_group_egress(
        GroupId=groupId,
        IpPermissions=clearEgress
        )

# create the ingress and egress rules on the newly created security group
client.authorize_security_group_ingress(
        GroupId=groupId,
        IpPermissions=ingress
        )
client.authorize_security_group_egress(
        GroupId=groupId,
        IpPermissions=egress
        )


I have structured the inputs above as two dictionaries that are easy to view and edit; those values are the only updates that need to be made to this script.

For the record, hard-coding access keys into scripts is not advised, since it is a security risk if the script is accidentally exposed; in this case I just wanted to show the main principle of what needs to be done.

The example for this particular need uses the Python Boto3 SDK for AWS; you can find it in the attached script named "CopySGFromOneAWSAccountToAnotherScript.py".

Once you have executed this script, it performs the following steps in this order:

  1. describe the security group you would like to copy in the source account using the describe_security_groups API call
  2. from the response obtained, store the ingress and egress rules in variables for later use
  3. create a new security group in the destination account using the create_security_group API call
  4. remove all egress rules from the newly created security group using the revoke_security_group_egress API call
  5. add the ingress and egress rules to the new security group using the authorize_security_group_ingress and authorize_security_group_egress API calls
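Before step 5, it is worth checking what the copied IpPermissions actually contain: rules that reference a security group ID or a managed prefix list only make sense inside the source account, and rules open to 0.0.0.0/0 or ::/0 deserve a second look before being replicated into another account. The following helper is an added example (not part of the original post or of the script above) that separates portable CIDR-based rules from source-account references and flags world-open rules; the sample ingress list is constructed to mimic a describe_security_groups response, with placeholder group and account IDs.

```python
# Added example: triage IpPermissions from describe_security_groups before
# passing them to authorize_security_group_ingress in another account.

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample, shaped like response["IpPermissions"]; IDs are placeholders.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public https"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "111111111111"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "111111111111"}]},
]


def split_portable_rules(permissions):
    """Return (portable, dropped): CIDR-only rules safe to replay in another
    account, and a record of every group/prefix-list reference left behind."""
    portable, dropped = [], []
    for perm in permissions:
        refs = perm.get("UserIdGroupPairs", []) + perm.get("PrefixListIds", [])
        if refs:
            dropped.append({"IpProtocol": perm.get("IpProtocol"),
                            "FromPort": perm.get("FromPort"),
                            "ToPort": perm.get("ToPort"),
                            "References": refs})
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            # keep the CIDR part of the rule, minus the source-account references
            portable.append({k: v for k, v in perm.items()
                             if k not in ("UserIdGroupPairs", "PrefixListIds")})
    return portable, dropped


def find_world_open(permissions):
    """Return (protocol, from_port, to_port) for each rule reachable from anywhere."""
    hits = []
    for perm in permissions:
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(c in WORLD_CIDRS for c in cidrs):
            hits.append((perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
    return hits


if __name__ == "__main__":
    portable, dropped = split_portable_rules(SAMPLE_INGRESS)
    print("portable:", len(portable), "dropped references:", len(dropped))
    print("world-open:", find_world_open(SAMPLE_INGRESS))
```

The `portable` list can be handed to authorize_security_group_ingress unchanged, while `dropped` tells you which peer-group rules must be recreated by hand against groups that exist in the destination account.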

Security Group with Rules Copied to another Account


Thanks for reading.
For any feedback, please write to me here in the comments.
Also, you can connect with us.

Script Credits - Nikheel Soni

๐—œ๐—บ๐—ฝ๐—ผ๐—ฟ๐˜๐—ฎ๐—ป๐˜ ๐—ก๐—ผ๐˜๐—ฒ: ๐Ÿ“๐—ข๐—ฝ๐—ถ๐—ป๐—ถ๐—ผ๐—ป๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—บ๐˜† ๐—ผ๐˜„๐—ป ๐Ÿ๐Ÿ™‚ ๐—”๐—ป๐—ฑ ๐—ถ๐˜ ๐—ถ๐˜€ ๐—บ๐˜† ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ผ๐—ป๐—ฎ๐—น ๐—ฏ๐—น๐—ผ๐—ด.

Top comments (0)