How to list the rules for a security group using AWS java SDK


The motivation here is to create a way to query my AWS environment for a dump of the configuration, serialize it, and then be able to run the query again to see any relevant changes.

I have the group identifiers from:

    private List<String> getSecurityGroups(InstanceNetworkInterface netInt) {
        // Collect the names of the security groups attached to this network interface
        List<String> result = new Vector<String>();

        List<GroupIdentifier> groups = netInt.getGroups();
        for (GroupIdentifier gi : groups) {
            result.add(gi.getGroupName());
        }

        return result;
    }

Solution

  • You can get the security group list with describeSecurityGroups on an AmazonEC2 client object (whose instance is called ec2 in my example).

    public List<SecurityGroup> findAllSecurityGroups() {
        // An empty request returns every security group visible to the caller
        DescribeSecurityGroupsRequest securityRequest = new DescribeSecurityGroupsRequest();
        DescribeSecurityGroupsResult securityDescription = ec2.describeSecurityGroups(securityRequest);
        return securityDescription.getSecurityGroups();
    }
    

    Once you have a securityGroup, you can call securityGroup.getIpPermissions(), which gives you a List<IpPermission>.

    You can check the Javadoc for details, in particular about IpPermission.

    To give you an idea, a toString() representation of the IpPermission rule allowing a server to be contacted on port 80 by any IP is the following:

    {IpProtocol: tcp, FromPort: 80, ToPort: 80, IpRanges: [0.0.0.0/0], }
    

    If you're interested only in a particular security group, you can use:

    public SecurityGroup findOneSecurityGroupByName(String securityGroupName) {
        // Filter by group name (requires java.util.Arrays); a missing group raises AmazonServiceException
        DescribeSecurityGroupsRequest securityRequest = new DescribeSecurityGroupsRequest();
        securityRequest.setGroupNames(Arrays.asList(securityGroupName));
        DescribeSecurityGroupsResult securityDescription = ec2.describeSecurityGroups(securityRequest);
        return securityDescription.getSecurityGroups().get(0);
    }
    

    Some basic integration tests that should work in any Amazon EC2 account.

    @Test
    public void findsAllSecurityGroups() {
        assertThat(firewall.findAllSecurityGroups().size(), is(greaterThan(0)));
    }
    
    @Test
    public void findsDefaultSecurityGroupByName() {
        SecurityGroup defaultGroup = firewall.findOneSecurityGroupByName("default");
        assertThat(defaultGroup.getGroupName(), is(equalTo("default")));
    }
    
    @Test(expected = AmazonServiceException.class)
    public void throwsExceptionWhenFindingNonExistentSecurityGroup() {
        firewall.findOneSecurityGroupByName("inexistent");
    }
    

    Where firewall is an instance of the class that contains findOneSecurityGroupByName and findAllSecurityGroups.
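As an added example (not code from the question or the answer above), the following class builds on the same SDK calls to do what the question asks for: flatten every group's ingress and egress IpPermissions into canonical rule lines, so a snapshot can be saved and diffed against a later run. It assumes AWS SDK for Java v1 (1.11 or later, where `AmazonEC2ClientBuilder.defaultClient()` and `IpPermission.getIpv4Ranges()` exist; older releases expose `getIpRanges()` as a list of strings instead), and the class name `SecurityGroupSnapshot` is arbitrary.

```java
import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;
import com.amazonaws.services.ec2.model.*;
import java.util.*;

public class SecurityGroupSnapshot {
    // Snapshot every group as "groupId (name)" -> sorted set of canonical rule lines.
    // (Very large accounts may need to follow DescribeSecurityGroupsResult.getNextToken().)
    public static SortedMap<String, SortedSet<String>> snapshot(AmazonEC2 ec2) {
        SortedMap<String, SortedSet<String>> snap = new TreeMap<>();
        for (SecurityGroup sg : ec2.describeSecurityGroups(new DescribeSecurityGroupsRequest()).getSecurityGroups()) {
            SortedSet<String> rules = new TreeSet<>();
            for (IpPermission p : sg.getIpPermissions())       rules.addAll(flatten("ingress", p));
            for (IpPermission p : sg.getIpPermissionsEgress()) rules.addAll(flatten("egress", p));
            snap.put(sg.getGroupId() + " (" + sg.getGroupName() + ")", rules);
        }
        return snap;
    }

    // One IpPermission can carry several CIDRs and source groups; emit one line per source,
    // e.g. the port-80 rule shown in the answer becomes "ingress tcp 80-80 0.0.0.0/0".
    static List<String> flatten(String direction, IpPermission p) {
        String ports = "-1".equals(p.getIpProtocol()) ? "all" : p.getFromPort() + "-" + p.getToPort();
        String prefix = direction + " " + p.getIpProtocol() + " " + ports + " ";
        List<String> out = new ArrayList<>();
        for (IpRange r : p.getIpv4Ranges())               out.add(prefix + r.getCidrIp());
        for (UserIdGroupPair g : p.getUserIdGroupPairs()) out.add(prefix + "sg:" + g.getGroupId());
        return out;
    }

    // Rules added (+) or removed (-) between two snapshots; new world-open ingress is flagged.
    public static List<String> diff(Map<String, SortedSet<String>> before, Map<String, SortedSet<String>> after) {
        List<String> changes = new ArrayList<>();
        Set<String> groups = new TreeSet<>(before.keySet());
        groups.addAll(after.keySet());
        for (String g : groups) {
            Set<String> old = before.getOrDefault(g, new TreeSet<>());
            Set<String> now = after.getOrDefault(g, new TreeSet<>());
            for (String r : now) if (!old.contains(r))
                changes.add("+ " + g + ": " + r + (r.startsWith("ingress") && r.endsWith("0.0.0.0/0") ? "  [open to the world]" : ""));
            for (String r : old) if (!now.contains(r)) changes.add("- " + g + ": " + r);
        }
        return changes;
    }

    public static void main(String[] args) {
        // Print the snapshot as "group<TAB>rule" lines; save them, reload into a map, and pass to diff() on the next run.
        snapshot(AmazonEC2ClientBuilder.defaultClient())
            .forEach((g, rules) -> rules.forEach(r -> System.out.println(g + "\t" + r)));
    }
}
```

Because each group's rules are a sorted set of strings, the saved output is stable across runs and the diff reports only real rule changes, not reordering.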