In today’s ever-evolving digital landscape, managing the security of your cloud resources is paramount. Whether you’re provisioning instances for a public-facing application or deploying them within a private network, ensuring the appropriate security measures are in place can be a time-consuming task. But what if you could streamline this process, making it more efficient and less error-prone? In this blog, we’ll explore an ingenious solution that leverages AWS Lambda functions to automatically assign security groups to instances based on their public or private nature. Say goodbye to the hassle of manual security group management and hello to a smarter, more automated AWS workflow that ensures the right level of security for each instance, all with just a trigger. Join us as we dive into the world of instance security automation and discover how this powerful technique can simplify your cloud management tasks and enhance your AWS infrastructure.
Step 1. Create private and public subnet in a VPC
Step 2: Create Security Group for Private and Public InstancesStep 3: Create a Lambda Function Step 4: Goto Amazon Event Bridge and create a Rule
OR
import json import boto3 from botocore.exceptions import ClientError client= boto3.client(‘ec2’) def lambda_handler(event, context): try: #print(json.dumps(event)) instance=event[‘detail’][‘responseElements’][‘instancesSet’][‘items’][0][‘instanceId’] print(instance) subnet=event[‘detail’][‘responseElements’][‘instancesSet’][‘items’][0][‘subnetId’] print(subnet) if subnet==’<private-subnet-id>’: client.modify_instance_attribute(InstanceId=str(instance), Groups=[‘<private-security-group-id>’]) #private elif subnet==’<public-subnet-id>’: client.modify_instance_attribute(InstanceId=str(instance), Groups=[‘<public-security-group-id’]) #public else: pass except ClientError as e: print(e)
NOTE: Before triggering CloudTrail Log we have to create a Trail in Cloud Trail , otherwise we can not get CloudTrail log in CloudWatch!
- Create rule form CloudWatch Event>> Rules.
- Creating A Rule, create a name
- Select event pattern
- Event matching pattern select>> Predefined pattern by service
- Select Service Provider >>AWS
- Select Service name>>EC2
- Select Event type>>AWS API call vai CloudTrail
- Select Specific operation: RunInstances (should define)
Use code custom events like the following in the custom code section.
Step 5: Create an Instance with any Public or Private subnet and default Security groupStep 6: Goto CloudTrail Log (Event history) and Observe RunInstances EventType where we can see all the details of the Running Instance logs. Step 7: Goto CloudWatch log and see the event log form CloudTrail and lambda log will be created after triggering the function.Step 8: The security group of the running Instance will automatically change to private or public security group according to the instance running on the subnet type private or public respectively.
{ “source”: [“aws.ec2”], “detail-type”: [“AWS API Call via CloudTrail”], “detail”: { “eventSource”: [“ec2.amazonaws.com”], “eventName”: [“RunInstances”] } }
- From AWS Management Console, in a new go to Services>>Cloudtrail in a new tab.
- Click on Create trial and create a trial leaving everything to default.
- Go back to the Eventbridge tab.
