pic-2
AWS Config is already enabled in this account; if it is not enabled in yours, enable it first — the managed rule and the compliance-change events below depend on it.
pic-3
pic-4
pic-5
pic-6
pic-7
pic-8
pic-9
Here is the Lambda handler; paste it into the function and deploy it. Its execution role needs `ec2:DescribeSecurityGroups` and `ec2:RevokeSecurityGroupIngress` (the two EC2 calls the code makes), nothing broader.
import json, boto3
# Module-level EC2 client: built once at import time rather than per invocation.
# Region and credentials are not set here, so they are resolved by boto3's default
# chain from the Lambda execution environment.
ec2 = boto3.client("ec2")
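SSH_PORT = 22
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"


def _rule_covers_ssh(perm: dict) -> bool:
    """Return True if an ingress rule admits TCP/22.

    Matches all-traffic rules (``IpProtocol == "-1"``, no ports) and TCP rules
    whose port range contains 22. An exact ``22-22`` match alone is not enough:
    a ``0-65535`` or ``0-1024`` rule open to the world exposes SSH just the
    same, and the managed ``restricted-ssh`` rule reports such ranges too.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= SSH_PORT <= hi


def lambda_handler(event: dict, context: object, *, client=None) -> dict:
    """Revoke world-open SSH ingress from the security group named in a Config event.

    Invoked by an EventBridge rule on Config "Config Rules Compliance Change"
    events. Reads the group ID from ``event["detail"]["resourceId"]`` and, for
    every ingress rule on that group that admits TCP/22 (exact, wider range or
    all traffic), revokes the ``0.0.0.0/0`` and ``::/0`` entries. Other CIDRs on
    the same rule are left in place.

    Args:
        event: Config compliance-change event in EventBridge format.
        context: Lambda context object; unused.
        client: EC2 client to use instead of the module-level ``ec2``
            (keyword-only; intended for tests).

    Returns:
        ``{"status": "skipped - compliant"}`` when the new evaluation is not
        NON_COMPLIANT, otherwise ``{"revoked": [sg_id, ...]}`` with one entry per
        rule revoked. An empty list means nothing matched — the group will stay
        non-compliant, so inspect the logged event in that case.

    Raises:
        KeyError: the event has no ``detail`` or ``detail.resourceId``.
        botocore.exceptions.ClientError: the group no longer exists, or the
            execution role lacks DescribeSecurityGroups / RevokeSecurityGroupIngress.

    Note:
        Revoking a world-open rule that is wider than ``22-22`` removes the
        world-open CIDR for that whole port range, so other ports that rule
        exposed close as well. That is the intended result for a rule open to
        the internet; re-add a narrower rule afterwards if some of those ports
        must stay public.
    """
    ec2_client = ec2 if client is None else client
    print("Event:", json.dumps(event))
    detail = event["detail"]

    # The EventBridge pattern already filters on NON_COMPLIANT; re-checking here
    # keeps a manual or mis-wired invocation from revoking anything.
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return {"status": "skipped - compliant"}

    sg_id = detail["resourceId"]
    group = ec2_client.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]

    revoked = []
    for perm in group.get("IpPermissions", []):
        if not _rule_covers_ssh(perm):
            continue
        open_v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
        open_v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
        if not open_v4 and not open_v6:
            continue

        # Revoke must describe the rule exactly as it exists (protocol and port
        # range), so mirror the live rule instead of hard-coding tcp/22.
        to_revoke = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):
            if key in perm:
                to_revoke[key] = perm[key]
        if open_v4:
            to_revoke["IpRanges"] = open_v4
        if open_v6:
            to_revoke["Ipv6Ranges"] = open_v6

        ec2_client.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=[to_revoke])
        revoked.append(sg_id)

    print("Revoked from:", revoked)
    return {"revoked": revoked}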
pic-11
pic-12
pic-13
pic-14
pic-15
Here is the EventBridge event pattern for the rule that invokes the Lambda (it is an event pattern, not an IAM policy). It only fires on NON_COMPLIANT evaluations of the `restricted-ssh` Config rule, so the handler's own compliance check is a second line of defence.
{
"source": ["aws.config"],
"detail-type": ["Config Rules Compliance Change"],
"detail": {
"messageType": ["ComplianceChangeNotification"],
"configRuleName": ["restricted-ssh"],
"newEvaluationResult": {
"complianceType": ["NON_COMPLIANT"]
}
}
}
pic-16
pic-17
pic-18
pic-19
pic-20
pic-21
pic-22






















