
PowerShell script for an AWS security group for Active Directory use

I had to put together a security group that conformed to Microsoft's requirements for Active Directory domain controller traffic between an EC2 instance on AWS and domain servers in our private WAN. I was surprised there was no script for this and decided to put one together.

Per Microsoft's latest guidance there are a fair number of entries you will need to make when configuring Amazon Web Services security groups if you are standing up a domain controller in their cloud. I took Amazon's example for using PowerShell to programmatically add entries to a security group and wound up with a script that will build it.


In my case we have multiple 192.168 subnets in our WAN; you will want to search and replace the IP range to fit your situation. You may also wish to modify the group name. You MUST replace "YOUR VPC ID" with your VPC id, and you MAY replace the GroupName with whatever you prefer. Note this is only for 2012 or later forests/domains. Earlier versions will need to change the last two entries (the RPC dynamic port range) to 1025-5000.


The first command creates a new group and stores its ID in a variable.

The second command creates an IpPermission object.

The third command populates the IpPermission object with the protocol, the port start and end numbers, and the IP range.

The fourth command shows the object being consumed by the Grant-EC2SecurityGroupIngress command.

After that the IpPermission object is edited as necessary and consumed again. My testing shows that putting in the object name to display its contents is useful in preventing timeouts that result in the port not being set.

The last command dumps out the results, which will also be visible on your Security Group page in AWS.


# Create the group and keep its id; replace "YOUR VPC ID" with your VPC id
$groupid = New-EC2SecurityGroup -VpcId "YOUR VPC ID" -GroupName "ADSec_12R2_169254_v2" -GroupDescription "Baseline ADIn Tunnel ranges"
# One IpPermission object is created, then edited and granted again for each rule
$ip01 = New-Object Amazon.EC2.Model.IpPermission
# SMTP (inter-site replication); the source range is added once and stays on the object
# (IpRanges is the older string list; Ipv4Ranges is the current property in the AWS SDK)
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 25; $ip01.ToPort = 25; $ip01.IpRanges.Add("169.254.0.0/16")
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# DNS
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 53; $ip01.ToPort = 53
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 53; $ip01.ToPort = 53
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# DHCP/BOOTP
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 67; $ip01.ToPort = 67
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Kerberos
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 88; $ip01.ToPort = 88
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# NTP (Microsoft's port list has W32Time on UDP 123)
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 123; $ip01.ToPort = 123
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# RPC endpoint mapper
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 135; $ip01.ToPort = 135
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# NetBIOS name service, datagram and session
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 137; $ip01.ToPort = 137
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 138; $ip01.ToPort = 138
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 139; $ip01.ToPort = 139
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# LDAP
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 389; $ip01.ToPort = 389
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 389; $ip01.ToPort = 389
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# SMB
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 445; $ip01.ToPort = 445
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 445; $ip01.ToPort = 445
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Kerberos password change
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 464; $ip01.ToPort = 464
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 464; $ip01.ToPort = 464
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# LDAP over SSL
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 636; $ip01.ToPort = 636
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# MADCAP
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 2535; $ip01.ToPort = 2535
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Global Catalog and Global Catalog over SSL
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 3268; $ip01.ToPort = 3268
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 3269; $ip01.ToPort = 3269
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# DFS Replication
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 5722; $ip01.ToPort = 5722
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Active Directory Web Services
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 9389; $ip01.ToPort = 9389
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# RPC dynamic port range (2012 or later; use 1025-5000 for earlier forests/domains)
$ip01.IpProtocol = 'UDP'; $ip01.FromPort = 49152; $ip01.ToPort = 65535
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP'; $ip01.FromPort = 49152; $ip01.ToPort = 65535
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Dump the finished group so the rules can be checked against the list above
Get-EC2SecurityGroup -GroupId $groupid
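As an added example (not the article's own script), the same rule set written as a data table so the port list can be reviewed in one place, applied in a single Grant-EC2SecurityGroupIngress call, and then read back and compared with the table so that any rule which did not take effect is reported instead of being discovered later. It assumes the AWS Tools for PowerShell module is loaded with credentials and region configured; $VpcId and $Source are placeholders to replace, and the per-port purpose notes are mine.

```powershell
# Added example, not the article's script. Assumes AWS Tools for PowerShell is loaded with
# credentials/region configured; $VpcId and $Source are placeholders to replace.
$VpcId     = 'YOUR VPC ID'
$Source    = '169.254.0.0/16'
$GroupName = 'ADSec_12R2_169254_v3'
# proto(s)  from   to     purpose   (same ports as the original; pre-2012 forests use 1025 5000)
$table = @'
tcp      25     25     SMTP (inter-site replication)
tcp,udp  53     53     DNS
udp      67     67     DHCP/BOOTP
udp      88     88     Kerberos
tcp      123    123    NTP (Microsoft lists W32Time on UDP 123)
tcp      135    135    RPC endpoint mapper
udp      137    137    NetBIOS name service
udp      138    138    NetBIOS datagram
tcp      139    139    NetBIOS session
tcp,udp  389    389    LDAP
tcp,udp  445    445    SMB
tcp,udp  464    464    Kerberos password change
tcp      636    636    LDAPS
udp      2535   2535   MADCAP
tcp      3268   3268   Global Catalog
tcp      3269   3269   Global Catalog over SSL
tcp      5722   5722   DFS Replication
tcp      9389   9389   AD Web Services
tcp,udp  49152  65535  RPC dynamic range
'@
# Expand each table row into one rule per protocol
$rules = foreach ($line in ($table -split "`r?`n")) {
    $f = $line.Trim() -split '\s+', 4
    foreach ($proto in ($f[0] -split ',')) {
        [pscustomobject]@{ Proto = $proto; From = [int]$f[1]; To = [int]$f[2]; Note = $f[3] }
    }
}
$groupId = New-EC2SecurityGroup -VpcId $VpcId -GroupName $GroupName -GroupDescription 'AD DC baseline ingress'
# One IpPermission per rule; Ipv4Ranges lets each rule carry a description visible in the console
$perms = foreach ($r in $rules) {
    $range = New-Object Amazon.EC2.Model.IpRange -Property @{ CidrIp = $Source; Description = $r.Note }
    $p = New-Object Amazon.EC2.Model.IpPermission
    $p.IpProtocol = $r.Proto; $p.FromPort = $r.From; $p.ToPort = $r.To
    $p.Ipv4Ranges = [System.Collections.Generic.List[Amazon.EC2.Model.IpRange]]@($range)
    $p
}
Grant-EC2SecurityGroupIngress -GroupId $groupId -IpPermission @($perms)
# Read the group back and report any intended rule that is missing (e.g. a request that timed out)
$applied = (Get-EC2SecurityGroup -GroupId $groupId).IpPermissions | ForEach-Object { "$($_.IpProtocol)/$($_.FromPort)-$($_.ToPort)" }
foreach ($r in $rules) {
    $key = "$($r.Proto)/$($r.From)-$($r.To)"
    if ($applied -notcontains $key) { Write-Warning "Missing rule: $key ($($r.Note))" }
}
```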
Author: F. X. Flinn