Skip to content
This repository has been archived by the owner on Sep 26, 2021. It is now read-only.

Latest commit

 

History

History

authorize-ip

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
index.js
index.js
 
 
test-event.json
test-event.json
 
 
test-event2.json
test-event2.json
 
 

README.md

authorize-ip

AWS Lambda function to authorize the client IP for an EC2 security group.
Meant to be used with Amazon API Gateway.

Setup

IAM role creation

Create a new IAM role with the name aws-lambda-authorize-ip-role. Select the AWS Lambda role type and attach the managed policy AWSLambdaBasicExecutionRole.
Attach an additional inline policy with the following content, replacing REGION, ACCOUNT_ID and GROUP_ID with your desired values:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:security-group/GROUP_ID"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    }
  ]
}

Notice:

The ec2:DescribeSecurityGroups action currently does not support resource-level permissions; therefore, the * wildcard is used for the Resource element in the statement.

Function configuration

Add the function code to AWS Lambda with the following configuration options:

Key Value
Runtime Node.js 10.x
Handler index.handler
Role aws-lambda-authorize-ip-role
Memory 128 (MB)
Timeout 3 sec

Environment variables

Set the following required environment variables for the Lambda function:

Key Value
groupid The ID of the security group, e.g. "sg-xxxxxxxx".

Set the following optional environment variables for the Lambda function:

Key Value
protocol The protocol to authorize, defaults to "tcp".
port The port to authorize, defaults to 22 (SSH).
description Description for the inbound rule, defaults to "authorize-ip".
keepipranges Comma-separated IP ranges to exclude from cleanup.

Trigger configuration

Add an API Gateway trigger.
This endpoint can then be used to authorize the IP of the requesting client.
test-event.json contains a sample API Gateway event.

To regularly cleanup previously authorized IPs, add a Cloudwatch Events trigger with a cron expression, e.g. cron(0 3 * * ? *) to run at 03:00 am (UTC) every night.
test-event2.json contains sample Cloudwatch Event data.

License

Released under the MIT license.

Author

Sebastian Tschan