How to allow certain ports open to world only for certain security groups in Cloud Custodian?

Submitted on 2020-01-25 10:02:08

Question


I have this in my policy to allow only 80 and 443 open to world.

      "or": [
        {
          "Cidr": {
            "value": "0.0.0.0/0"
          }, 
          "type": "ingress", 
          "OnlyPorts": [
            80, 
            443
          ]
        }, 
        {
          "CidrV6": {
            "value": "::/0"
          }, 
          "type": "ingress", 
          "OnlyPorts": [
            80, 
            443
          ]
        }
      ]

Now, I want to allow only 8080 and 8081 to selected security groups, not for all security groups. Is this possible?


Answer 1:


You need to edit particular security groups only. Just open the ports there and that will do it.




Answer 2:


Add a value filter using a key and an array of values to exclude the security groups you don't want to match.




Answer 3:


For IPV4:

resource: security-group
filters:
  - tag:c7n_exception: absent
  - type: ingress
    OnlyPorts: [80, 443]
    Cidr:
      value: "0.0.0.0/0"

For IPV6:

resource: security-group
filters:
  - tag:c7n_exception: absent
  - type: ingress
    OnlyPorts: [80, 443]
    CidrV6:
      value: "::/0"

More filters:

filters:
  - and:
      - type: security-group
        key: GroupId
        #key: SecurityGroups[].GroupId
        op: not-in
        value:
          - sg-0db5e1ab7s8323
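Putting answers 2 and 3 together, here is a complete Cloud Custodian policy file (an added example, not code from any of the answers above) that keeps the 80/443 world-open rule for every security group and allows 8080/8081 only for a named set of groups. The `value` filter on `GroupId` with `in`/`not-in` splits the groups into the two sets; the `ingress` filter with `OnlyPorts` matches rules that expose any port other than the ones listed to the given CIDR, so a policy match means a violation. The group id `sg-0db5e1ab7s8323` is the placeholder from answer 3, the policy names and the `c7n_world_open_violation` tag are my own choices, and the `tag` action is used only so a match is recorded rather than changed.

```yaml
policies:
  # General rule: a group that is NOT on the exception list may expose
  # only 80 and 443 to the world (IPv4 or IPv6). Any other world-open
  # port makes the group match, which is the violation we want to see.
  - name: sg-world-open-ports-default
    resource: security-group
    filters:
      - type: value
        key: GroupId
        op: not-in
        value:
          - sg-0db5e1ab7s8323   # placeholder id from answer 3
      - or:
          - type: ingress
            OnlyPorts: [80, 443]
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            OnlyPorts: [80, 443]
            CidrV6:
              value: "::/0"
    actions:
      - type: tag
        key: c7n_world_open_violation   # assumed tag name for this example
        value: "true"

  # Exception rule: the selected groups get the same check, with 8080
  # and 8081 added to the allowed list. Anything beyond these four ports
  # open to the world still matches.
  - name: sg-world-open-ports-exceptions
    resource: security-group
    filters:
      - type: value
        key: GroupId
        op: in
        value:
          - sg-0db5e1ab7s8323   # placeholder id from answer 3
      - or:
          - type: ingress
            OnlyPorts: [80, 443, 8080, 8081]
            Cidr:
              value: "0.0.0.0/0"
          - type: ingress
            OnlyPorts: [80, 443, 8080, 8081]
            CidrV6:
              value: "::/0"
    actions:
      - type: tag
        key: c7n_world_open_violation
        value: "true"
```

Because the two `value` filters are complementary (`not-in` versus `in` on the same list), every group is covered by exactly one policy; if you maintain the exception set as a tag instead of an id list, swap the `value` filters for `tag:c7n_exception: absent` and `tag:c7n_exception: present` as in answer 3. Run `custodian validate` on the file before scheduling it so a typo in a filter key surfaces as a schema error rather than as a silently empty match set.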


Source: https://stackoverflow.com/questions/55725034/how-to-allow-certain-ports-open-to-world-only-for-certain-security-groups-in-clo
