Scripts and snippets to help with AWS work
This script runs in Lambda and auto-updates security groups (SGs) to allow egress to Amazon endpoint services. Subscribe to the SNS topic for AWS IP range changes and have it trigger this code. Since Amazon does not provide SGs for all of its endpoints, you have to maintain egress filtering yourself so instances can reach those endpoints without a 0.0.0.0/0 egress rule. I grabbed some code from the AWS website, but it was built for ingress only and it didn't actually work, since it created more than 50 rules in the SG. I added a region filter and adjusted the code to allow for egress.
Adjust the header section to fit your needs and pre-stage the SGs with the appropriate tagging. See below:
```python
SERVICE = "AMAZON"          # "service" value to match in ip-ranges.json
REGION = "us-west-2"        # only prefixes published for this region are used
EGRESS_PORTS = { 'Http' : 80, 'Https': 443 }   # one SG per protocol/port
# Tags that identify the pre-staged SGs the Lambda is allowed to rewrite
SECURITY_GROUP_TAG_FOR_HTTP = { 'Named-Service': 'AMAZON', 'AutoUpdate': 'True', 'Protocol': 'http' }
SECURITY_GROUP_TAG_FOR_HTTPS = { 'Named-Service': 'AMAZON', 'AutoUpdate': 'True', 'Protocol': 'https' }
```
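The core of what the Lambda has to do, as an added, stand-alone example (not the script from this repo): filter the published ip-ranges document by service and region, diff the result against the SG's current egress rules on one port, refuse up front if the set would blow past the per-SG rule limit, and build the `IpPermissions` payload that boto3's `authorize_security_group_egress` / `revoke_security_group_egress` accept. The ip-ranges sample, the existing-rule snapshot and the `RULE_LIMIT` value are constructed assumptions; no AWS calls are made.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (a handful of prefixes; the real file has thousands).
SAMPLE_IP_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "52.94.0.0/22", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "52.94.0.0/22", "region": "us-west-2", "service": "DYNAMODB"},  # same CIDR, other service
    {"ip_prefix": "54.240.248.0/21", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"},  # other region, skipped
]})

RULE_LIMIT = 50  # assumed per-SG rule limit (the one the README's Lambda ran into); quotas are adjustable


def wanted_cidrs(ip_ranges_json, service, region):
    """CIDRs published for one service in one region, deduplicated and sorted."""
    doc = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in doc["prefixes"]
             if p["service"] == service and p["region"] == region}
    return sorted(cidrs, key=ipaddress.ip_network)


def current_cidrs(ip_permissions, port):
    """CIDRs already allowed on `port` in an SG's IpPermissionsEgress (describe_security_groups shape)."""
    return {r["CidrIp"] for perm in ip_permissions
            if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port and perm.get("ToPort") == port
            for r in perm.get("IpRanges", [])}


def plan_egress(ip_ranges_json, ip_permissions, service, region, port, limit=RULE_LIMIT):
    """Return (to_add, to_revoke) so the SG ends up with exactly the published CIDRs on `port`.
    Refuses to plan a set that cannot fit in one SG instead of failing halfway through."""
    wanted = wanted_cidrs(ip_ranges_json, service, region)
    if len(wanted) > limit:
        raise ValueError(f"{len(wanted)} CIDRs exceed the {limit}-rule limit; split across more SGs")
    have = current_cidrs(ip_permissions, port)
    to_add = [c for c in wanted if c not in have]
    to_revoke = sorted(have - set(wanted), key=ipaddress.ip_network)
    return to_add, to_revoke


def ip_permissions_for(cidrs, port):
    """Build the IpPermissions payload that authorize/revoke_security_group_egress expect."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}] if cidrs else []


if __name__ == "__main__":
    # Constructed snapshot of the SG's current egress: one CIDR already correct, one stale.
    existing = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "52.94.0.0/22"}, {"CidrIp": "198.51.100.0/24"}]}]
    add, revoke = plan_egress(SAMPLE_IP_RANGES, existing, "AMAZON", "us-west-2", 443)
    print("authorize:", ip_permissions_for(add, 443))
    print("revoke:", ip_permissions_for(revoke, 443))
```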
This snippet shows a simple IAM deny policy. The example grants a wildcard (*) allow over a group of actions and then explicitly denies a single action out of that bundle.