Amazon AWS makes it really easy for anybody to create and update firewall rules that provide access to the virtual machines inside AWS. Within seconds you can add your own IP address so you can work from home or the office. However, it is also very easy to forget to remove them once your are finished. The utility aws-sg-revoker , will help you maintain your firewall rules.
aws-sg-revoker inspects all your inbound access permission and compares them with the public IP addresses of the machines in your AWS account. For grants to IP addresses not found in your account, it will generate a aws CLI revoke command. But do not be afraid: it only generates, it does not execute it directly. You may want to investigate before removal. Follow the following 4 steps to safeguard your account!
step 1. Investigate
First run the following command to generate a list of all the IP address ranges that are referenced but not in your account.aws-sg-revoker -l 1.2.3.4 x.y.z. 4.5.6.7. hostname.com. 5.5.123.4 a.b.c. 8.9.10.11/16 ....You may find that you have to install jq and the aws CLI :-)
step 2. Exclude known addresses
Exclude the ip addresses that are ok. These addresses are added as regular expressions.aws-sg-revoker -l -w 1.2.3.4 -w 8.9.10.11/16
step 3. generate revoke commands
Once you are happy, you can generate the revoke commands:aws-sg-revoker -w 1.2.3.4 -w 4.5.6.7 -w 8.9.10.11/16 aws ec2 revoke-security-group-ingress --group-id sg-aaaaaaaa --port 22-22 --protocol tcp --cidr 5.5.123.4/32 # revoke from sg blablbsdf aws ec2 revoke-security-group-ingress --group-id sg-aaaaaaaa --port 9200-9200 --protocol tcp --cidr 5.5.123.4/32 # revoke from sg blablbsdf aws ec2 revoke-security-group-ingress --group-id sg-aaaaaaaa --port 9080-9080 --protocol tcp --cidr 5.5.123.4/32 # revoke from sg blablbsdf aws ec2 revoke-security-group-ingress --group-id sg-bbbbbbbb --protocol -1 --cidr 5.5.123.4/32 # revoke from sg sg-1 aws ec2 revoke-security-group-ingress --group-id sg-bbbbbbbb --protocol -1 -cidr 5.5.123.4/32 # revoke from sg sg-3
step 4. Execute!
If the revokes look ok, you can execute them by piping them to a shell:aws-sg-revoker -w 1.2.3.4 -w 8.9.10.11/16 | tee revoked.log | bash
conclusion
This utility makes it easy to for you to regularly inspect and maintain your firewall rules and keep your AWS resources safe!Written by
Cristiana
Some bio goes here
A
- Agent-Oriented Architecture
- Agentic AI Alignment
- Agentic AI for Customer Engagement
- Agentic AI for Decision Support
- Agentic AI for Knowledge Management
- Agentic AI for Predictive Operations
- Agentic AI for Process Optimization
- Agentic AI for Workflow Automation
- Agentic AI Safety
- Agentic AI Strategy
- Agile Development
- Agile Development Methodology
- AI Agents for IT Service Management
- AI for Compliance Monitoring
- AI for Customer Sentiment Analysis
- AI for Demand Forecasting
- AI for Edge Computing (Edge AI)
- AI for Energy Consumption Optimization
- AI for Predictive Analytics
- AI for Predictive Maintenance
- AI for Real Time Risk Monitoring
- AI for Telecom Network Optimization
- AI Governance Frameworks
- AI Implementation Approach
- AI Implementation Methodology
- AI in Cybersecurity
- AI Orchestration
- AI Performance Measurement (KPIs, ROI)
- AI Use-Case Discovery
- AI Use-Case Prioritization
- AI-Driven Business Transformation
- AI-Driven Cybersecurity Solutions
- Algorithm
- API Integration
- API Management
- Application Modernization
- Applied & GenAI
- Artificial Intelligence
- Artificial Neural Network
- Augmented Reality
- Autonomous AI Agents