I built a tool to check whether a given IP address is configured in Security Groups, ALBs and WAF

Introduction
- The number of IP addresses used in-house has grown, so we want to add yyy.yyy.yyy.yyy/yy everywhere xxx.xxx.xxx.xxx/xx is configured
- zzz.zzz.zzz.zzz/zz is no longer needed, so we want to delete it
In an environment where AWS resources are not managed as code and there are a fair number of systems you rarely touch, cases like the above cost a surprising amount of time each time: working out again where the setting has to go, investigating, and confirming that nothing was missed. To get rid of that problem I built a tool that checks whether a given IP address is configured on AWS resources.
The AWS resources it checks are the following:
- SecurityGroup Ingress/Egress rules
- WAFv2 / WAF Classic IPSets
- ALB Listeners
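The core of a checker like this is the comparison between the CIDRs you are looking for and the CIDRs configured on each resource. The following is an added example written for this article, not code from the aws-ip-checker project: it works on constructed sample rows standing in for the EC2, WAF and ELBv2 API responses (the `Rule` type, `SampleRules`, `Check` and the `*-PLACEHOLDER` ids are all assumptions of this example). It goes one step beyond an exact string comparison by also reporting rules whose range is broader than the target (a /24, or 0.0.0.0/0), which matters for both cases above: when deleting zzz.zzz.zzz.zzz/zz, removing only the exact entry leaves the access in place if a wider range still covers it, and when adding yyy.yyy.yyy.yyy/yy, an existing wider range may already grant it.

```go
package main

import (
	"fmt"
	"net/netip"
	"os"
	"text/tabwriter"
)

// Rule is one CIDR entry on one AWS resource, flattened into the shape the
// checker compares against. A real tool would fill this from the EC2, WAF and
// ELBv2 APIs; here the rows are constructed sample data (assumption).
type Rule struct {
	Service  string // SecurityGroup, WAF v2, WAF Classic, ALB
	Detail   string // e.g. "Ingress, Port: 443 - 443"
	Resource string // resource name
	ID       string // id or ARN (placeholder values below)
	CIDR     string // the CIDR configured on the resource
}

// Finding is one place where a target CIDR is granted by a configured rule.
type Finding struct {
	Rule   Rule
	Target string
	Exact  bool // rule CIDR == target CIDR; false means a broader range covers it
}

// SampleRules returns constructed data standing in for the AWS API responses.
func SampleRules() []Rule {
	return []Rule{
		{"SecurityGroup", "Ingress, Port: 443 - 443", "sg-test", "sg-PLACEHOLDER", "111.111.111.111/32"},
		{"SecurityGroup", "Ingress, Port: 3306 - 3306", "sg-test", "sg-PLACEHOLDER", "111.111.111.111/32"},
		{"SecurityGroup", "Ingress, Port: 22 - 22", "sg-test", "sg-PLACEHOLDER", "111.111.111.0/24"},
		{"WAF v2", "IPSet, Regional", "v2-ip-set-ap-northeast-1", "ipset-PLACEHOLDER", "111.111.111.111/32"},
		{"WAF Classic", "IPSet, Regional", "v1-ip-set-ap-northeast-1", "ipset-PLACEHOLDER", "222.222.222.222/32"},
		{"ALB", "Listener, Port: 80", "alb-test", "arn:PLACEHOLDER", "0.0.0.0/0"},
	}
}

// covers reports whether rule contains every address of target: a rule with a
// shorter (or equal) prefix length whose network contains target's first
// address contains the whole of target. Address families must match.
func covers(rule, target netip.Prefix) bool {
	rule, target = rule.Masked(), target.Masked()
	return rule.Addr().Is4() == target.Addr().Is4() &&
		rule.Bits() <= target.Bits() &&
		rule.Contains(target.Addr())
}

// Check reports, for each target CIDR, every rule that covers it. Exact hits
// are the entries to edit or delete; non-exact hits show that a broader range
// would keep granting the access after the exact entry is removed, or that
// adding the entry would be redundant.
func Check(rules []Rule, targets []string) ([]Finding, error) {
	var findings []Finding
	for _, t := range targets {
		tp, err := netip.ParsePrefix(t)
		if err != nil {
			return nil, fmt.Errorf("target %q: %w", t, err)
		}
		for _, r := range rules {
			rp, err := netip.ParsePrefix(r.CIDR)
			if err != nil {
				return nil, fmt.Errorf("%s %s: bad CIDR %q: %w", r.Service, r.Resource, r.CIDR, err)
			}
			if covers(rp, tp) {
				findings = append(findings, Finding{Rule: r, Target: t, Exact: rp.Masked() == tp.Masked()})
			}
		}
	}
	return findings, nil
}

func main() {
	targets := []string{"0.0.0.0/0", "111.111.111.111/32", "222.222.222.222/32"}
	findings, err := Check(SampleRules(), targets)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
	fmt.Fprintln(w, "SERVICE\tDETAIL\tRESOURCE\tRULE\tTARGET\tMATCH")
	for _, f := range findings {
		match := "exact"
		if !f.Exact {
			match = "covered by broader range"
		}
		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
			f.Rule.Service, f.Rule.Detail, f.Rule.Resource, f.Rule.CIDR, f.Target, match)
	}
	w.Flush()
}
```

With the sample rows, 111.111.111.111/32 produces five findings: three exact entries (two Security Group rules and the WAF v2 IPSet) plus two broader-range hits (the 111.111.111.0/24 Security Group rule and the ALB listener open to 0.0.0.0/0). Those last two are exactly the rows a plain equality check would never show.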
Code
https://github.com/kishii4726/aws-ip-checker
Usage examples
Specifying IP addresses directly as arguments
Multiple IP addresses can be specified.
```
$ aws-ip-checker ip 0.0.0.0/0 111.111.111.111/32 222.222.222.222/32
AccountId: xxxxxxxxxxxx
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| SERVICE       | DETAIL                     | RESOURCE                 | ID,ARN                                                                                                           | IP                 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| SecurityGroup | Ingress, Port: 443 - 443   | sg-test                  | sg-xxxxxxxxxxxxxxxxx                                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+                          +                                                                                                                  +--------------------+
| SecurityGroup | Ingress, Port: 3306 - 3306 |                          |                                                                                                                  | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, Regional            | v2-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, CloudFront          | v2-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, Regional            | v1-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 222.222.222.222/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, CloudFront          | v1-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| ALB           | Listener, Port: 80         | alb-test                 | arn:aws:elasticloadbalancing:ap-northeast-1:xxxxxxxxxxxx:listener/app/alb-test/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx | 0.0.0.0/0          |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
```
Specifying a file
Only one file can be specified.
```
$ cat sample.csv
0.0.0.0/0,111.111.111.111/32,222.222.222.222/32
$ aws-ip-checker file sample.csv
AccountId: xxxxxxxxxxxx
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| SERVICE       | DETAIL                     | RESOURCE                 | ID,ARN                                                                                                           | IP                 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| SecurityGroup | Ingress, Port: 443 - 443   | sg-test                  | sg-xxxxxxxxxxxxxxxxx                                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+                          +                                                                                                                  +--------------------+
| SecurityGroup | Ingress, Port: 3306 - 3306 |                          |                                                                                                                  | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, Regional            | v2-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF v2        | IPSet, CloudFront          | v2-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, Regional            | v1-ip-set-ap-northeast-1 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 222.222.222.222/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| WAF Classic   | IPSet, CloudFront          | v1-ip-set-cloudfront     | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                                                                             | 111.111.111.111/32 |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
| ALB           | Listener, Port: 80         | alb-test                 | arn:aws:elasticloadbalancing:ap-northeast-1:xxxxxxxxxxxx:listener/app/alb-test/xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx | 0.0.0.0/0          |
+---------------+----------------------------+--------------------------+------------------------------------------------------------------------------------------------------------------+--------------------+
```
Install
Mac (amd64)
```
$ AWS_IP_CHECKER_VERSION=0.0.3
$ curl -OL https://github.com/kishii4726/aws-ip-checker/releases/download/v${AWS_IP_CHECKER_VERSION}/aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_amd64.zip
$ unzip aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_amd64.zip aws-ip-checker
$ sudo cp aws-ip-checker /usr/local/bin
```
Mac (arm64)
```
$ AWS_IP_CHECKER_VERSION=0.0.3
$ curl -OL https://github.com/kishii4726/aws-ip-checker/releases/download/v${AWS_IP_CHECKER_VERSION}/aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_arm64.zip
$ unzip aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_darwin_arm64.zip aws-ip-checker
$ sudo cp aws-ip-checker /usr/local/bin
```
Linux (amd64)
```
$ AWS_IP_CHECKER_VERSION=0.0.3
$ curl -OL https://github.com/kishii4726/aws-ip-checker/releases/download/v${AWS_IP_CHECKER_VERSION}/aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_linux_amd64.zip
$ unzip aws-ip-checker_v${AWS_IP_CHECKER_VERSION}_linux_amd64.zip aws-ip-checker
$ sudo cp aws-ip-checker /usr/local/bin
```