CircleCI Source IP

A solution we used was to add a custom script that runs at the beginning, gets the public IP address of the current box and calls the AWS CLI to add an inbound security rule on the fly. Then we do the opposite and remove that rule at the end of the script. Here's the sample code:

To Remove the Old Values
this removes all existing rules - adjust if you need to keep some

# Fetch the group's current ingress rules once, then walk every rule/CIDR pair (bash + jq + AWS CLI)
current_security_group=$(aws ec2 describe-security-groups --region us-west-2 --group-id sg-e747959f)
ip_count=$(echo "${current_security_group}" | jq -r '.SecurityGroups[0].IpPermissions | length')
# -gt, not >: inside [ ] a bare > is a redirection, so the original test was
# always true and created a file named "0" in the working directory
if [ "${ip_count}" -gt 0 ]; then
    for (( n=0; n < ip_count; n++ ))
    do
        cidr_count=$(echo "${current_security_group}" | jq -r ".SecurityGroups[0].IpPermissions[${n}].IpRanges | length")
        for (( c=0; c < cidr_count; c++ ))
        do
            # Revoke one CIDR of one rule using the rule's own protocol and port range
            # (null ports, e.g. for protocol -1, are dropped from the document).
            # "--protocol tcp --port FromPort" only matched single-port TCP rules.
            this_permission=$(echo "${current_security_group}" | jq -c "[.SecurityGroups[0].IpPermissions[${n}] | {IpProtocol, FromPort, ToPort, IpRanges: [.IpRanges[${c}]]} | del(.. | nulls)]")
            aws ec2 revoke-security-group-ingress --region us-west-2 --group-id sg-e747959f --ip-permissions "${this_permission}"
        done
    done
fi

To Add the Current Public IP Address
ip-permissions is an array so add more ports as needed

# https so the address cannot be rewritten in transit; $(...) strips the trailing newline checkip returns
public_ip_address=$(wget -qO- https://checkip.amazonaws.com)
echo "this computer's public IP address is ${public_ip_address}"
# /32 so only this runner's address is allowed in
aws ec2 authorize-security-group-ingress --region <YOUR_REGION> --group-id <YOUR_SECURITY_GROUP_ID> --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": <YOUR_PORT_YOU_NEED_OPEN>, \"ToPort\": <YOUR_PORT_YOU_NEED_OPEN>, \"IpRanges\": [{\"CidrIp\": \"${public_ip_address}/32\"}]}]"
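A fuller version of the same idea, added here as an example and not the poster's script: the rule is opened for exactly this runner's /32, the job command runs, and the rule is revoked on every exit path (success, failure, `set -e` abort, cancelled job) rather than only when the script reaches its last line. The variable names SG_ID, REGION, PORT and the AWS_CLI override hook are this example's assumptions, not anything CircleCI provides; the AWS CLI and curl are assumed to be installed and credentialed.

```shell
#!/bin/sh
# Added example, not the poster's script. Opens this runner's public IP on one
# TCP port of a security group, runs the given command, and revokes the rule on
# every exit path (success, failure, set -e abort, cancelled job).
# Assumptions (names are this example's, not CircleCI's): AWS CLI and curl are
# installed and credentialed; the caller sets SG_ID, REGION and PORT;
# AWS_CLI is a hypothetical override hook so the AWS calls can be stubbed.
set -eu

AWS_CLI=${AWS_CLI:-aws}

# Accept only a dotted-quad IPv4 address: four decimal octets, each 0..255.
# Anything else (HTML error page, empty body, trailing garbage) is rejected so
# it can never be interpolated into the CidrIp field.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    '
}

# Build the --ip-permissions document (a list) for one TCP port and one CIDR.
# The Description tags the rule so leftovers are easy to spot in the console.
permission_json() {
    printf '[{"IpProtocol":"tcp","FromPort":%d,"ToPort":%d,"IpRanges":[{"CidrIp":"%s","Description":"ci-runner"}]}]' \
        "$1" "$1" "$2"
}

# Discover the egress address; checkip returns the IP followed by a newline.
current_public_ip() {
    ip=$(curl -fsS https://checkip.amazonaws.com | tr -d '[:space:]')
    is_ipv4 "$ip" || { echo "unexpected checkip response: '$ip'" >&2; return 1; }
    printf '%s' "$ip"
}

# Revoke exactly the rule this job added; the group's other rules are untouched.
revoke_rule() {
    "$AWS_CLI" ec2 revoke-security-group-ingress --region "$REGION" --group-id "$SG_ID" \
        --ip-permissions "$(permission_json "$PORT" "$1")"
}

open_and_run() {
    cidr="$(current_public_ip)/32"
    "$AWS_CLI" ec2 authorize-security-group-ingress --region "$REGION" --group-id "$SG_ID" \
        --ip-permissions "$(permission_json "$PORT" "$cidr")"
    # The rule exists from this point, so arm the cleanup before running anything.
    # TERM/INT are turned into exits so the EXIT trap also fires on a cancelled job.
    trap 'revoke_rule "$cidr"' EXIT
    trap 'exit 143' TERM
    trap 'exit 130' INT
    "$@"
}

# Usage: SG_ID=sg-0123456789abcdef0 REGION=us-west-2 PORT=22 ./open-sg.sh ./deploy.sh
if [ "$#" -gt 0 ]; then
    open_and_run "$@"
fi
```

Revoking by the exact document that was authorized (same protocol, port and /32) means nothing else in the group is touched, so two concurrent jobs from different runners do not delete each other's rules; two jobs from the same runner IP would still race on the same rule, which is the remaining caveat of this approach.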