Managing AWS security groups effectively is essential for maintaining a secure and cost-efficient cloud environment. Security groups are a core part of AWS network security, but over time unused groups accumulate. These unused groups not only clutter your environment; they can also pose a security risk or add unnecessary cost.
In this article we look at how to use Python and boto3 to identify unused security groups in an AWS environment, validate them, and make sure they are not referenced by any other resources. We also look at how to safely determine whether these groups can be deleted.
To follow this tutorial, you will need the following:
AWS account: make sure you have access to the AWS environment in which you want to search for unused security groups.
boto3 installed: you can install the boto3 Python SDK by running:
```bash
pip install boto3
```
AWS credentials configured: make sure your AWS credentials are configured, either with the AWS CLI or directly in the code using an IAM role or environment variables.
Let's look at the code that identifies unused security groups in a given AWS region, validates them, and checks whether they are referenced by any other group.
```python
import boto3
from botocore.exceptions import ClientError


def get_unused_security_groups(region='us-east-1'):
    """
    Find security groups that are not being used by any resources.
    """
    ec2_client = boto3.client('ec2', region_name=region)

    try:
        # Get all security groups
        security_groups = ec2_client.describe_security_groups()['SecurityGroups']

        # Get all network interfaces
        enis = ec2_client.describe_network_interfaces()['NetworkInterfaces']

        # Create set of security groups in use
        used_sg_ids = set()

        # Check security groups attached to ENIs
        for eni in enis:
            for group in eni['Groups']:
                used_sg_ids.add(group['GroupId'])

        # Find unused security groups
        unused_groups = []
        for sg in security_groups:
            if sg['GroupId'] not in used_sg_ids:
                # Skip default security groups as they cannot be deleted
                if sg['GroupName'] != 'default':
                    unused_groups.append({
                        'GroupId': sg['GroupId'],
                        'GroupName': sg['GroupName'],
                        'Description': sg['Description'],
                        'VpcId': sg.get('VpcId', 'EC2-Classic')
                    })

        # Print results
        if unused_groups:
            print(f"\nFound {len(unused_groups)} unused security groups in {region}:")
            print("-" * 80)
            for group in unused_groups:
                print(f"Security Group ID: {group['GroupId']}")
                print(f"Name: {group['GroupName']}")
                print(f"Description: {group['Description']}")
                print(f"VPC ID: {group['VpcId']}")
                print("-" * 80)
        else:
            print(f"\nNo unused security groups found in {region}")

        return unused_groups

    except ClientError as e:
        print(f"Error retrieving security groups: {str(e)}")
        return None


def check_sg_references(ec2_client, group_id):
    """
    Check if a security group is referenced in other security groups' rules.
    """
    try:
        # Check if the security group is referenced in the ingress rules of other groups
        response = ec2_client.describe_security_groups(
            Filters=[
                {
                    'Name': 'ip-permission.group-id',
                    'Values': [group_id]
                }
            ]
        )
        referencing_groups = response['SecurityGroups']

        # Check for egress rules
        response = ec2_client.describe_security_groups(
            Filters=[
                {
                    'Name': 'egress.ip-permission.group-id',
                    'Values': [group_id]
                }
            ]
        )
        referencing_groups.extend(response['SecurityGroups'])

        # A group can match both filters, and a group may reference itself;
        # report each *other* referencing group exactly once
        seen = set()
        unique_groups = []
        for sg in referencing_groups:
            if sg['GroupId'] != group_id and sg['GroupId'] not in seen:
                seen.add(sg['GroupId'])
                unique_groups.append(sg)
        return unique_groups

    except ClientError as e:
        print(f"Error checking security group references: {str(e)}")
        return None


def validate_unused_groups(region='us-east-1'):
    """
    Validate and provide detailed information about unused security groups.
    """
    ec2_client = boto3.client('ec2', region_name=region)
    unused_groups = get_unused_security_groups(region)

    if not unused_groups:
        return

    print("\nValidating security group references...")
    print("-" * 80)

    for group in unused_groups:
        group_id = group['GroupId']
        referencing_groups = check_sg_references(ec2_client, group_id)

        # An API error returns None; never report a group as safe to delete in that case
        if referencing_groups is None:
            print(f"\nCould not check references for Security Group {group_id} ({group['GroupName']})")
            continue

        if referencing_groups:
            print(f"\nSecurity Group {group_id} ({group['GroupName']}) is referenced by:")
            for ref_group in referencing_groups:
                print(f"- {ref_group['GroupId']} ({ref_group['GroupName']})")
        else:
            print(f"\nSecurity Group {group_id} ({group['GroupName']}) is not referenced by any other groups")
            print("This security group can be safely deleted if not needed")
```
To run the script, simply call the validate_unused_groups function. For example, with the region set to us-east-1, the script will produce output such as the following:
```text
Found 5 unused security groups in us-east-1:
--------------------------------------------------------------------------------
Security Group ID: sg-12345678
Name: unused-sg-1
Description: Unused security group
VPC ID: vpc-abcde123
--------------------------------------------------------------------------------
Security Group sg-12345678 (unused-sg-1) is not referenced by any other groups
This security group can be safely deleted if not needed
--------------------------------------------------------------------------------
Security Group ID: sg-23456789
Name: unused-sg-2
Description: Another unused group
VPC ID: vpc-abcde123
--------------------------------------------------------------------------------
Security Group sg-23456789 (unused-sg-2) is referenced by:
- sg-34567890 (some-other-sg)
```
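The reference check above reports every group whose rules cite an unused group, even when that referencing group is itself unattached, and a referenced group cannot be deleted until those rules are revoked. The following added example (not the article's code) makes the deletion decision offline from the two responses the script already fetches; the function names, the three verdict labels and the sample groups and ENI are constructed for illustration, and the response shapes are boto3's describe_security_groups / describe_network_interfaces output.

```python
# Added example, not the article's code; response shapes follow boto3's describe_* output.
from collections import defaultdict

def referenced_group_ids(sg):
    """Group IDs cited as source/destination in this group's ingress and egress rules."""
    perms = sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", [])
    return {pair["GroupId"] for perm in perms for pair in perm.get("UserIdGroupPairs", [])}

def classify_unattached_groups(security_groups, network_interfaces):
    """For each non-default group attached to no ENI, return one of:
    'deletable' - no other group references it (a self-reference does not block deletion)
    'blocked'   - referenced by a group that is attached to an ENI, so it is still in use
    'chained'   - referenced only by other unattached groups; revoke those rules first"""
    attached = {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}
    referenced_by = defaultdict(set)  # group id -> other groups whose rules cite it
    for sg in security_groups:
        for ref in referenced_group_ids(sg) - {sg["GroupId"]}:
            referenced_by[ref].add(sg["GroupId"])
    verdict = {}
    for sg in security_groups:
        gid = sg["GroupId"]
        if gid in attached or sg["GroupName"] == "default":
            continue  # in use, or the VPC default group, which cannot be deleted
        referrers = referenced_by[gid]
        if not referrers:
            verdict[gid] = "deletable"
        elif referrers & attached:
            verdict[gid] = "blocked"
        else:
            verdict[gid] = "chained"
    return verdict

def sg_rule(peer_group_id):
    """Constructed rule entry in the shape AWS returns for a group-to-group permission."""
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "UserIdGroupPairs": [{"GroupId": peer_group_id}]}

# Constructed sample data, not real account output. Only sg-web is attached to an ENI;
# sg-web's egress cites sg-old-app, and sg-old-cache cites itself and sg-old-lb.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [], "IpPermissionsEgress": [sg_rule("sg-old-app")]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [sg_rule("sg-web")], "IpPermissionsEgress": []},
    {"GroupId": "sg-old-app", "GroupName": "old-app", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-old-lb", "GroupName": "old-lb", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-old-cache", "GroupName": "old-cache", "IpPermissionsEgress": [],
     "IpPermissions": [sg_rule("sg-old-cache"), sg_rule("sg-old-lb")]},
    {"GroupId": "sg-default", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_NETWORK_INTERFACES = [{"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-web"}]}]
```

With real data, pass `ec2_client.describe_security_groups()['SecurityGroups']` and `ec2_client.describe_network_interfaces()['NetworkInterfaces']` in place of the sample lists; 'blocked' groups are the ones the article's reference check would flag as referenced by an in-use group.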
With this script you can automate the process of finding unused security groups in AWS and make sure you are not keeping unnecessary resources around. This helps reduce clutter, improves your security posture, and may lower costs by removing unused resources.
You can extend this script to:
Keep your AWS environment secure and well organized!