Update an AWS security group with your current IP
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
LICENSE
README.md
index.js
package.json
yarn.lock

README.md

AWS Access

aws-access is a command line utility to update an AWS security group with your current IP across one or more regions.

This is a relatively cheap way to lock down access to AWS resources to whitelisted ips. Defaults to whitelisting port 22. Configure ports using the --ports|-P argument.

To use:

  • Step 1: Create security group for whitelisted ips e.g. 'remote-working'
  • Step 2: Assign security group to appropriate resources
  • Step 3: Install aws-access npm install -g aws-access
  • Step 4: Set up aws credentials
  • Step 5: Run aws-access to whitelist your current ip e.g. aws-access -g remote-working

Example

# enable access to SSH and Postgres from the current IP
aws-access -p myprofile -g mysecuritygroup -r us-east-1 eu-west-1 -P 22 5432

Installing

npm install -g aws-access

Prerequisites

  • nodejs 7.6+

Command Line

aws-access

Options:
  -h             Show help                                             [boolean]
  -p, --profile                                                       [optional]
  -g, --group                                                         [required]
  -r, --region                                            [default: "us-east-1"]
  -P, --ports                                          [array] [default: ["22"]]

Security Considerations

  • It's likely that a users IP will be stale over time, potentially allowing access to the AWS resources from unexpected IPs. This is still better than allowing access from the whole internet (i.e. 0.0.0.0/0) but this should be part of a defense in depth i.e. resources that are made accessible via aws-access should also be properly secured.
  • Removing old users from the security group managed by aws-access should be part of any offboarding process
  • If a user is renamed, their old username should be cleaned from the security group managed by aws-access
  • If this is used for multiple users, any of the users have the ability to modify rules set up by other users