Triggered by the AWS SNS notification that Amazon's published IP ranges have been updated, this function automatically updates the Security Groups that carry specific tags.
This function needs to be deployed to us-east-1, because the SNS topic that announces IP range changes is published there and the subscription must be created in that region.
The Serverless Application Repository only supports a subset of IAM permissions, and it does not currently support the Security Group permissions this function needs. Once the function is deployed, add the following inline policy to the Lambda execution role that was created:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:[region]:[account-id]:security-group/*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
```

Tag the security groups you want updated with the following tags:
- Name: cloudfront_g, AutoUpdate: true, and a Protocol tag with the value http or https.
- Name: cloudfront_r, AutoUpdate: true, and a Protocol tag with the value http or https.
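The following is an added example, not the project's Lambda code or the aws-cloudfront-samples function it borrows from. It shows the core of the update described above: verify the downloaded ip-ranges.json against the MD5 carried in the SNS message, pick out the CloudFront prefixes, split them into the cloudfront_g and cloudfront_r sets by the tag scheme listed above, and compute for each tagged group the CIDRs to authorize and revoke on the port implied by its Protocol tag. Groups without AutoUpdate: true are left untouched. The SNS message keys (create-time, synctoken, md5, url), the split of GLOBAL versus regional prefixes, the port mapping (http=80, https=443), the tcp-only rule matching and all sample values are assumptions made for this example; the real Lambda would download message["url"] and apply the plan with ec2 describe_security_groups / authorize_security_group_ingress / revoke_security_group_ingress, which is exactly what the inline policy above grants.

```python
import hashlib
import ipaddress
import json

# Constructed sample ip-ranges.json (documentation CIDRs, not real AWS ranges).
SAMPLE_RANGES_DOC = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-2", "service": "EC2"},
    ],
}).encode()

# Constructed SNS message body; assumed to mirror the AmazonIpSpaceChanged format.
SAMPLE_SNS_MESSAGE = {
    "create-time": "2023-11-14-00-00-00",
    "synctoken": "1700000000",
    "md5": hashlib.md5(SAMPLE_RANGES_DOC).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
}

# Assumed mapping from the Protocol tag to the TCP port the rules are written for.
PROTOCOL_PORTS = {"http": 80, "https": 443}


def md5_ok(body: bytes, expected_md5: str) -> bool:
    """True if the downloaded document matches the MD5 announced in the SNS message."""
    return hashlib.md5(body).hexdigest() == expected_md5


def parse_ranges(body: bytes, expected_md5: str) -> dict:
    """Refuse to act on a document whose hash does not match the notification."""
    if not md5_ok(body, expected_md5):
        raise ValueError("ip-ranges.json MD5 does not match the SNS message; not updating")
    return json.loads(body)


def cloudfront_ranges(ranges: dict) -> dict:
    """Split CloudFront prefixes into the global (cloudfront_g) and regional (cloudfront_r) sets."""
    out = {"cloudfront_g": set(), "cloudfront_r": set()}
    for p in ranges["prefixes"]:
        if p["service"] != "CLOUDFRONT":
            continue
        cidr = str(ipaddress.ip_network(p["ip_prefix"]))  # validates and normalises the prefix
        key = "cloudfront_g" if p["region"] == "GLOBAL" else "cloudfront_r"  # assumed split
        out[key].add(cidr)
    return out


def plan_update(group: dict, desired: dict) -> dict:
    """Compute the authorize/revoke CIDR lists for one security group.

    `group` is a simplified view of a describe_security_groups entry:
    {"id": ..., "tags": {...}, "ingress": [{"protocol", "from_port", "to_port", "cidr"}, ...]}.
    """
    tags = group["tags"]
    if tags.get("AutoUpdate") != "true":
        return {"port": None, "authorize": [], "revoke": []}  # opt-in only
    name, protocol = tags.get("Name"), tags.get("Protocol")
    if name not in desired or protocol not in PROTOCOL_PORTS:
        raise ValueError(f"{group['id']}: unsupported Name/Protocol tags {name!r}/{protocol!r}")
    port = PROTOCOL_PORTS[protocol]
    # Only rules this function owns (tcp, single port) are considered; others are left alone.
    current = {
        r["cidr"] for r in group["ingress"]
        if r["protocol"] == "tcp" and r["from_port"] == port and r["to_port"] == port
    }
    want = desired[name]
    return {"port": port, "authorize": sorted(want - current), "revoke": sorted(current - want)}


def ip_permissions(port: int, cidrs: list) -> list:
    """Build the IpPermissions payload used by authorize/revoke_security_group_ingress."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def run(sns_message: dict, ranges_body: bytes, groups: list) -> dict:
    """Return {group_id: plan} for every described group; a real Lambda would then apply it."""
    desired = cloudfront_ranges(parse_ranges(ranges_body, sns_message["md5"]))
    return {g["id"]: plan_update(g, desired) for g in groups}


# Constructed groups: one stale global group, one empty regional group, one opted out.
SAMPLE_GROUPS = [
    {"id": "sg-example-global", "tags": {"Name": "cloudfront_g", "AutoUpdate": "true", "Protocol": "https"},
     "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "192.0.2.0/24"},
                 {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "198.51.100.0/25"}]},
    {"id": "sg-example-regional", "tags": {"Name": "cloudfront_r", "AutoUpdate": "true", "Protocol": "http"},
     "ingress": []},
    {"id": "sg-example-manual", "tags": {"Name": "cloudfront_g", "AutoUpdate": "false", "Protocol": "https"},
     "ingress": []},
]

if __name__ == "__main__":
    for sg_id, plan in run(SAMPLE_SNS_MESSAGE, SAMPLE_RANGES_DOC, SAMPLE_GROUPS).items():
        print(sg_id, json.dumps(plan))
```

Two design points worth keeping if you adapt this: the hash check means a tampered or truncated download cannot silently rewrite your ingress rules, and the diff only touches tcp rules on the one port the Protocol tag names, so anything an operator added by hand on other ports survives the update.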
- Jeff Finley - Initial work - FiveTalent
This project is licensed under the MIT License - see the LICENSE.md file for details
- Lambda function borrowed from aws-cloudfront-samples and modified slightly
- Inspired by this blog post.
Made with ❤️ by Five Talent. Available on the AWS Serverless Application Repository