
I built a tool to check whether a given IP address is configured in Security Groups, ALBs and WAF

Published 2022/09/21

Introduction

  • The number of IP addresses used inside the company has grown, so I want to add yyy.yyy.yyy.yyy/yy everywhere xxx.xxx.xxx.xxx/xx is configured
  • zzz.zzz.zzz.zzz/zz is no longer needed, so I want to remove it

In an environment where AWS resources are not managed as code and there is a fair number of systems that are rarely touched, cases like the above meant spending a fair amount of time each time on recalling and investigating where the setting had to go, and on confirming that no place had been missed. To solve that problem I built a tool that checks whether a given IP address is configured on AWS resources.

The AWS resources it checks are as follows.

- SecurityGroup Ingress/Egress
- WAFv2/WAF Classic IPSets
- ALB Listeners
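The core of such a check is comparing the requested CIDRs against every place a range is configured. The following is an added Go example and not code from aws-ip-checker: the Rule fields are modelled on the columns of the tool's table output, and the AWS API calls (DescribeSecurityGroups, GetIPSet, DescribeRules) are replaced by constructed sample rules with placeholder IDs. It goes one step beyond an exact string comparison: CIDRs are normalised with net/netip so host bits do not cause false mismatches, and a rule that merely contains the queried range (a /24 or 0.0.0.0/0) is reported separately from an exact match, because a /32 that is absent from one IPSet can still be allowed by a broader range elsewhere.

```go
package main

import (
	"fmt"
	"net/netip"
	"os"
)

// Rule is one place an IP range is configured. The fields mirror the columns
// of aws-ip-checker's table output (SERVICE, DETAIL, RESOURCE, ID/ARN, IP).
type Rule struct {
	Service  string
	Detail   string
	Resource string
	ID       string
	CIDR     string
}

// Finding pairs a queried CIDR with a rule that equals or covers it.
type Finding struct {
	Query string
	Rule  Rule
	Exact bool // true when the rule's range is the query itself, false when it merely contains it
}

// sampleRules is constructed data standing in for what the AWS describe/get
// calls would return; IDs and ARNs are placeholders, not real identifiers.
var sampleRules = []Rule{
	{"SecurityGroup", "Ingress, Port: 443 - 443", "sg-test", "sg-PLACEHOLDER", "111.111.111.111/32"},
	{"WAF v2", "IPSet, Regional", "v2-ip-set-ap-northeast-1", "IPSET-ID-PLACEHOLDER", "111.111.111.0/24"},
	{"WAF Classic", "IPSet, CloudFront", "v1-ip-set-cloudfront", "IPSET-ID-PLACEHOLDER", "222.222.222.222/32"},
	{"ALB", "Listener, Port: 80", "alb-test", "arn:aws:elasticloadbalancing:PLACEHOLDER", "0.0.0.0/0"},
}

// normalise parses a CIDR and clears its host bits, so "10.0.0.5/24" and
// "10.0.0.0/24" compare equal instead of being reported as different ranges.
func normalise(s string) (netip.Prefix, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	return p.Masked(), nil
}

// FindCIDRs returns, for every query, each rule whose range equals it (Exact)
// or is a broader range that contains it (not Exact).
func FindCIDRs(queries []string, rules []Rule) ([]Finding, error) {
	var out []Finding
	for _, q := range queries {
		qp, err := normalise(q)
		if err != nil {
			return nil, fmt.Errorf("query %q: %w", q, err)
		}
		for _, r := range rules {
			rp, err := normalise(r.CIDR)
			if err != nil {
				return nil, fmt.Errorf("rule %s %s: %w", r.Service, r.Resource, err)
			}
			if rp.Addr().Is4() != qp.Addr().Is4() {
				continue // never compare IPv4 ranges with IPv6 ranges
			}
			switch {
			case rp == qp:
				out = append(out, Finding{Query: q, Rule: r, Exact: true})
			case rp.Bits() < qp.Bits() && rp.Contains(qp.Addr()):
				// rp is shorter and holds the query's network address, so it holds the whole query range
				out = append(out, Finding{Query: q, Rule: r, Exact: false})
			}
		}
	}
	return out, nil
}

// Unconfigured lists the queries with no exact match in any rule: the ranges
// that still have to be added, or that have already been removed everywhere.
func Unconfigured(queries []string, rules []Rule) ([]string, error) {
	findings, err := FindCIDRs(queries, rules)
	if err != nil {
		return nil, err
	}
	exact := map[string]bool{}
	for _, f := range findings {
		if f.Exact {
			exact[f.Query] = true
		}
	}
	var missing []string
	for _, q := range queries {
		if !exact[q] {
			missing = append(missing, q)
		}
	}
	return missing, nil
}

func main() {
	queries := os.Args[1:]
	if len(queries) == 0 {
		queries = []string{"111.111.111.111/32", "222.222.222.222/32", "10.20.30.40/32"}
	}
	findings, err := FindCIDRs(queries, sampleRules)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		kind := "exact"
		if !f.Exact {
			kind = "covered by"
		}
		fmt.Printf("%-20s %-10s %-14s %-26s %-26s %s\n", f.Query, kind, f.Rule.Service, f.Rule.Detail, f.Rule.Resource, f.Rule.CIDR)
	}
	missing, _ := Unconfigured(queries, sampleRules)
	fmt.Println("no exact match:", missing)
}
```

Run it with no arguments to use the built-in queries, or pass CIDRs on the command line as with the tool's ip subcommand. In a real implementation the rule list would be filled from the SDK responses for each region, and the "covered by" findings are the ones to read carefully before deciding that a removed range is really gone.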

Code

https://github.com/kishii4726/aws-ip-checker

Usage examples

Specifying IP addresses directly as arguments

Multiple IP addresses can be specified.

$ aws-ip-checker ip 0.0.0.0/0 111.111.111.111/32 222.222.222.222/32

AccountId: xxxxxxxxxxxx
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
|    SERVICE    |           DETAIL           |         RESOURCE         |                                                      ID,ARN                                                      |         IP         |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| SecurityGroup | Ingress, Port: 443 - 443   | sg-test                  | sg-xxxxxxxxxxxxxxxxx                                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+                          +                                                                                                                  +--------------------+
| SecurityGroup | Ingress, Port: 3306 - 3306 |                          |                                                                                                                  | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, Regional            | v2-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, CloudFront          | v2-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, Regional            | v1-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 222.222.222.222/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, CloudFront          | v1-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| ALB           | Listener, Port: 80         | alb-test                 | arn:aws:elasticloadbalancing:ap-northeast-1:xxxxxxxxxxxx:listener/app/alb-test/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx | 0.0.0.0/0          |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+

Specifying a file

Only one file can be specified.

$ cat sample.csv
0.0.0.0/0,111.111.111.111/32,222.222.222.222/32

$ aws-ip-checker file sample.csv

AccountId: xxxxxxxxxxxx
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
|    SERVICE    |           DETAIL           |         RESOURCE         |                                                      ID,ARN                                                      |         IP         |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| SecurityGroup | Ingress, Port: 443 - 443   | sg-test                  | sg-xxxxxxxxxxxxxxxxx                                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+                          +                                                                                                                  +--------------------+
| SecurityGroup | Ingress, Port: 3306 - 3306 |                          |                                                                                                                  | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, Regional            | v2-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, CloudFront          | v2-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, Regional            | v1-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 222.222.222.222/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, CloudFront          | v1-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| ALB           | Listener, Port: 80         | alb-test                 | arn:aws:elasticloadbalancing:ap-northeast-1:xxxxxxxxxxxx:listener/app/alb-test/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx | 0.0.0.0/0          |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+

Install

Mac (amd64)

$ AWS_IP_CHECKER_VERSION=0.0.3
$ curl -OL https://github.com/kishii4726/aws-ip-checker/releases/download/v${AWS_IP_CHECKER_VERSION}/aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_amd64.zip
$ unzip aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_amd64.zip aws-ip-checker
$ sudo cp aws-ip-checker /usr/local/bin

Mac (arm64)

$ AWS_IP_CHECKER_VERSION=0.0.3
$ curl -OL https://github.com/kishii4726/aws-ip-checker/releases/download/v${AWS_IP_CHECKER_VERSION}/aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_arm64.zip
$ unzip aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_arm64.zip aws-ip-checker
$ sudo cp aws-ip-checker /usr/local/bin

Linux (amd64)

$ AWS_IP_CHECKER_VERSION=0.0.3
$ curl -OL https://github.com/kishii4726/aws-ip-checker/releases/download/v${AWS_IP_CHECKER_VERSION}/aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_linux_amd64.zip
$ unzip aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_linux_amd64.zip aws-ip-checker
$ sudo cp aws-ip-checker /usr/local/bin
