How do I determine what a given AWS Security Group is associated with?

Submitted by 核能气质少年 on 2021-02-19 02:14:39

Question


The AWS EC2 Security Groups documentation mentions that "Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic", but the Security Groups dashboard does not provide any information on the "capabilities" or attributes of Security Groups that would allow me to distinguish what kind of Security Group I'm looking at or what it is attached to, so that, for example, I can't figure out whether I can consolidate Security Groups and share them across EC2 instances (for easier management):

  1. How do I determine whether a given Security Group is appropriate for a given instance?
  2. How do I determine what instances a Security Group is associated with (I see how to do the inverse in the Instances console)?

Answer 1:


To find all instances associated with security group My-SG, use the following AWS CLI command:

aws ec2 describe-instances --filters "Name=instance.group-name,Values=My-SG" --query 'Reservations[*].Instances[*].[Tags[?Key==`Name`].Value]' --output text



Answer 2:


Security groups for EC2-VPC have additional capabilities that aren't supported by security groups for EC2-Classic

This is only relevant if you have an AWS account that actually supports EC2 classic. If the account is less than a few years old you do not have support for EC2 classic. Security groups worked differently in EC2 classic as it was an entirely flat network. With the creation of VPCs security groups are now segregated by VPC.

  1. How do I determine whether a given Security Group is appropriate for a given instance?

This is entirely up to you and what is on the instance. Security groups are a generic concept and can be applied to any instance. For example, if the instance is running something that needs to contact DynamoDB then you need to have a security group for that instance that supports that interaction. Likewise, if you have an instance that is running a webserver you might want a security group that exposes port 80.

  2. How do I determine what instances a Security Group is associated with (I see how to do the inverse in the Instances console)?

This can be quite daunting to accomplish via the GUI depending on the number of instances, even assuming you only want to look at EC2 groups and not something like RDS as well. It is most easily accomplished using the CLI and a command like:

$ aws ec2 describe-instances --output text | grep sg-{Some id}

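Both answers above look up instances only (a filtered describe-instances in Answer 1, a grep over its text output in Answer 2), and Answer 2 notes that RDS and other services are not covered. A security group is in fact attached to elastic network interfaces (ENIs), not to instances as such, so listing the ENIs that carry the group (aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-...) finds every consumer: EC2 instances, RDS, load balancers, Lambda and other AWS-managed interfaces. The Python below is an added example, not code from either answer or from AWS: it parses describe-network-interfaces and describe-security-groups output, reports what each group is attached to, lists groups with no consumer at all (the candidates when consolidating), and checks the one hard rule for the asker's first question: a VPC security group (one with a VpcId; EC2-Classic groups have none) can only be used on interfaces in its own VPC. The JSON, the ENI/instance/VPC/group IDs and the service labels for managed ENIs are constructed to resemble the API output and are not real account data.

```python
"""Find what uses a security group, and whether a group fits an instance.

Added example, not code from the answers above. The JSON below is constructed
to look like `aws ec2 describe-network-interfaces --output json` and
`aws ec2 describe-security-groups --output json`; every ID is made up.
"""
import json
from collections import defaultdict

# Constructed sample: an EC2 instance ENI, an RDS ENI, an ELB ENI and a
# detached ENI in a second VPC.
SAMPLE_ENIS = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a", "VpcId": "vpc-1", "InterfaceType": "interface",
     "Description": "", "RequesterManaged": False,
     "Groups": [{"GroupId": "sg-web"}],
     "Attachment": {"InstanceId": "i-0a1b2c", "InstanceOwnerId": "123456789012"}},
    {"NetworkInterfaceId": "eni-0b", "VpcId": "vpc-1", "InterfaceType": "interface",
     "Description": "RDSNetworkInterface", "RequesterId": "amazon-rds",
     "RequesterManaged": True,
     "Groups": [{"GroupId": "sg-db"}, {"GroupId": "sg-web"}],
     "Attachment": {"InstanceOwnerId": "amazon-rds"}},
    {"NetworkInterfaceId": "eni-0c", "VpcId": "vpc-1", "InterfaceType": "interface",
     "Description": "ELB app/my-alb/abc123", "RequesterId": "amazon-elb",
     "RequesterManaged": True,
     "Groups": [{"GroupId": "sg-web"}],
     "Attachment": {"InstanceOwnerId": "amazon-elb"}},
    {"NetworkInterfaceId": "eni-0d", "VpcId": "vpc-2", "InterfaceType": "interface",
     "Description": "spare", "RequesterManaged": False,
     "Groups": [{"GroupId": "sg-old"}]},
]})

# Constructed security-group list for the same account. "sg-classic" has no
# VpcId, which is how an EC2-Classic group looks in this API.
SAMPLE_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web", "GroupName": "web", "VpcId": "vpc-1"},
    {"GroupId": "sg-db", "GroupName": "db", "VpcId": "vpc-1"},
    {"GroupId": "sg-old", "GroupName": "old", "VpcId": "vpc-2"},
    {"GroupId": "sg-idle", "GroupName": "idle", "VpcId": "vpc-1"},
    {"GroupId": "sg-classic", "GroupName": "classic"},
]})


def owner_label(eni):
    """Best-effort label for who owns an ENI.

    An instance attachment is authoritative. For AWS-managed ENIs the owning
    service is only visible through RequesterId/Description, whose exact
    strings vary by service, so that branch is a heuristic.
    """
    att = eni.get("Attachment", {})
    if att.get("InstanceId"):
        return "ec2:" + att["InstanceId"]
    if eni.get("RequesterManaged"):
        return "managed:%s:%s" % (eni.get("RequesterId", "?"), eni.get("Description", ""))
    return "unattached:" + eni["NetworkInterfaceId"]


def usage_by_group(enis_json):
    """Map each security group ID to the sorted owner labels of ENIs carrying it."""
    usage = defaultdict(set)
    for eni in json.loads(enis_json)["NetworkInterfaces"]:
        for g in eni.get("Groups", []):
            usage[g["GroupId"]].add(owner_label(eni))
    return {gid: sorted(owners) for gid, owners in usage.items()}


def consumers_of(group_id, enis_json):
    """Answer 'what is sg-X attached to?' across all services, not just EC2."""
    return usage_by_group(enis_json).get(group_id, [])


def unused_groups(groups_json, enis_json):
    """Groups carried by no ENI: the safe candidates when consolidating."""
    used = set(usage_by_group(enis_json))
    return sorted(g["GroupId"] for g in json.loads(groups_json)["SecurityGroups"]
                  if g["GroupId"] not in used)


def group_kind(sg):
    """EC2-VPC groups carry a VpcId; EC2-Classic groups do not."""
    return "vpc" if sg.get("VpcId") else "classic"


def usable_on_instance(sg, instance_vpc_id):
    """A VPC security group can only be attached to interfaces in its own VPC."""
    return group_kind(sg) == "vpc" and sg["VpcId"] == instance_vpc_id


if __name__ == "__main__":
    for gid, owners in sorted(usage_by_group(SAMPLE_ENIS).items()):
        print(gid, "->", ", ".join(owners))
    print("unused:", unused_groups(SAMPLE_GROUPS, SAMPLE_ENIS))
```

The same lookup straight from the CLI, for one group, is `aws ec2 describe-network-interfaces --filters Name=group-id,Values=sg-0123 --query 'NetworkInterfaces[].[NetworkInterfaceId,Description,Attachment.InstanceId]' --output table`; the script only adds the per-group aggregation, the unused-group diff and the VPC check. Whether a group that *can* be attached is *appropriate* for the workload is still the judgment call Answer 2 describes; the VPC check only rules out attachments the API would reject.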

Source: https://stackoverflow.com/questions/44185844/how-do-i-determine-what-a-given-aws-security-group-is-associated-with
