You are given the task to only allow access to certain AWS resources to the office you work in. You create a Security Group and ask a colleague for the external IP address range assigned to the office. He tells you that there is not static range. The office, along with the rest of the building, share a commercial ISP with dynamic addresses. In addition to that, there is not one but three IPSs that are load balanced for outgoing traffic. The external IP address of the machine you’re working on can theoretically change on a per request basis.
You decide there’s nothing you can do about the rest of the building being able to access the resources. It isn’t a security threat if they can and there no obvious way that they would be able to find the resources. You decide you’ll write a Python script that gets your public IP address. It will then calculate if that address is in the list of address ranges you already know about. If the address is in the range then everything is good. If the address isn’t in the range then the script will calculate a new range so you can go update the Security Group.
After an hour or so you have the following script working:
Whenever someone in your office complains that they can’t access the resources they need you simple have them run this script. If it states that the existing range should match then you have your colleague run the script several times spaced several minutes apart. This should allow the script to catch the new IP address the ISP is using.
You decide that having to have your colleagues run this script whenever their work is interrupted is not sufficient. You want to have the script run on a schedule and update the Security Group on it’s own. You append the following to the python script to facilitate the automatic updates:
You schedule the following shell script to run every week day at 6:00 AM to update the Security Group before the work day begins:
Everyone in the office is happy knowing that the resources on AWS are safe and they don’t have to worry about not being able to access them themselves.