Automating Security Groups Updates on Alibaba Cloud

By John Hanley, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

When you create an Alibaba Cloud Elastic Compute Service (ECS) instance, you also create or specify a security group. This security group acts as a firewall controlling what can access your ECS instance. For Linux instances, one of the rules allows SSH (TCP port 22) access. Best practices require that you only allow SSH access from TCP/IP addresses that you control. By only allowing your TCP/IP addresses through the security group (firewall) you reduce the exposure footprint of your ECS instance.

Creating a security group rule for SSH is very easy in the Alibaba Cloud Console. However, keeping that rule up to date with your current TCP/IP address can be a pain. First you must figure out what your public TCP/IP address is, log in to the Alibaba Cloud Console, find your security group, modify the security group with a new rule for your public IP address, and finally delete the old rule.

Alibaba Cloud has APIs and SDKs to programmatically create, modify and delete rules in security groups. This article will demonstrate how to use the Alibaba SDK to automatically update your security group with your public TCP/IP address. You can then run the program manually from the command prompt, or automatically via a task scheduler. This article will show how to use Windows Task Scheduler to set up a recurring task that keeps your security group up to date with your public TCP/IP address.

How Does This Program Work?

The program saves the current TCP/IP address in a file named “last_ip.txt”. The next time you run the program, it checks if the current TCP/IP address is the same as the last time. If true, then no changes are made to the security group. If the addresses are different, then a new rule is created and the rule for the last address is deleted. This keeps your security group current without old entries polluting the security group.

This program can also support Windows ECS instances. Just change the port number in the source code to support Remote Desktop (RDP).

Your public TCP/IP address is determined by accessing the getmyip.php URL on NeoPrime’s web server; the source code for getmyip.php is included in the download. This URL simply returns your public TCP/IP address as plain text when you access the page. You can use any public server that returns your public TCP/IP address as simple text without HTML markup.
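The update cycle described above (read last_ip.txt, compare, authorize a rule for the new address, revoke the rule for the old one, and fetch the address from a plain-text page such as getmyip.php), as an added example that is not the article's program. The Alibaba API calls are wrapped in two injectable functions so the logic can be run and tested with no account at all; the SDK wiring in `make_sdk_calls` (the request classes and setters of aliyun-python-sdk-ecs, and `client.do_action_with_exception`) is an assumption about that SDK, and the constants, function names and the `run` helper are mine.

```python
"""Update cycle from the article: compare the current public address with
last_ip.txt, authorize a rule for a new address, then revoke the old one.
Added example, not the article's program. The Alibaba SDK calls are wrapped
in injectable functions so the logic runs and tests without an account."""
import ipaddress
import os
import urllib.request

IP_PROTOCOL = "tcp"
PORT_RANGE = "22/22"          # SSH; use "3389/3389" for RDP on Windows instances
STATE_FILE = "last_ip.txt"    # where the last-applied address is remembered


def fetch_public_ip(url, opener=urllib.request.urlopen, timeout=10):
    """Read the public address from a page that returns it as plain text
    (the article's getmyip.php). The body is validated as an IPv4 literal so
    an error page or captive-portal HTML can never become a firewall rule."""
    with opener(url, timeout=timeout) as resp:
        body = resp.read(64).decode("ascii", errors="replace").strip()
    return str(ipaddress.IPv4Address(body))  # ValueError if not an IPv4 address


def read_last_ip(path=STATE_FILE):
    """Return the address recorded by the previous run, or None on first run."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as f:
        value = f.read().strip()
    return value or None


def write_last_ip(ip, path=STATE_FILE):
    with open(path, "w", encoding="ascii") as f:
        f.write(ip + "\n")


def sync_security_group(current_ip, authorize, revoke, state_path=STATE_FILE):
    """Bring the rule in line with current_ip and return what was done.

    authorize(cidr) / revoke(cidr) perform the AuthorizeSecurityGroup and
    RevokeSecurityGroup calls; make_sdk_calls() below builds them from the
    SDK, the test uses plain Python functions."""
    last_ip = read_last_ip(state_path)
    if last_ip == current_ip:
        return "unchanged"
    authorize(f"{current_ip}/32")
    # Record the new address only after the new rule exists, so a failure
    # between the two API calls can leave a stale rule but never lock you out.
    write_last_ip(current_ip, state_path)
    if last_ip is None:
        return f"added {current_ip}"
    revoke(f"{last_ip}/32")
    return f"replaced {last_ip} with {current_ip}"


def make_sdk_calls(client, security_group_id):
    """Assumed wiring for aliyun-python-sdk-ecs (import deferred so the rest
    of the module works without it). Returns (authorize, revoke)."""
    from aliyunsdkecs.request.v20140526.AuthorizeSecurityGroupRequest import (
        AuthorizeSecurityGroupRequest)
    from aliyunsdkecs.request.v20140526.RevokeSecurityGroupRequest import (
        RevokeSecurityGroupRequest)

    def fill(request, cidr):
        request.set_SecurityGroupId(security_group_id)
        request.set_IpProtocol(IP_PROTOCOL)
        request.set_PortRange(PORT_RANGE)
        request.set_SourceCidrIp(cidr)
        return request

    def authorize(cidr):
        client.do_action_with_exception(fill(AuthorizeSecurityGroupRequest(), cidr))

    def revoke(cidr):
        client.do_action_with_exception(fill(RevokeSecurityGroupRequest(), cidr))

    return authorize, revoke


def run(ip_service_url, client, security_group_id, state_path=STATE_FILE):
    """One full cycle: fetch the address, then reconcile the security group."""
    authorize, revoke = make_sdk_calls(client, security_group_id)
    return sync_security_group(fetch_public_ip(ip_service_url),
                               authorize, revoke, state_path)
```

`run()` takes an already-built SDK client (an `AcsClient` in the assumed SDK) and your security group id; a scheduled task only needs to call it once per interval. The ordering in `sync_security_group` is deliberate: the new rule is created and recorded before the old one is revoked, so a crash or API error between the two calls costs you a stale rule, which the next run will not clean up but which also never leaves you without access.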


Download the source code for this program by clicking on this link: Source Code (Zip — 3 KB)

Last Update: June 28, 2018

Requirements: Python 3.6 or newer (Python 2 is not supported)

Platforms: Tested on Windows 10

Note: Antivirus software will complain about this download because it is a zip file with Python source code.

Resource Access Management

This program will require permissions to modify security groups. Security best practices recommend providing only the minimum permissions required. Let’s follow that recommendation. This program requires the ability to describe security group rules (DescribeSecurityGroupAttribute), create security group rules (AuthorizeSecurityGroup) and delete security group rules (RevokeSecurityGroup) and, for good measure, the ability to list security groups (DescribeSecurityGroups).

The following policy describes the required permissions in JSON. Later in this article we will use this JSON when we create a custom policy.

Download the JSON policy file by clicking on this link: Download policy.json

Tighter Security Policy

You may desire finer grained control over your security groups. For example, let’s say that you have five people on your DevOps team, each responsible for a different set of servers and services. You could create a different security group for each user’s resources and then assign resource-level permissions to control who can modify which security groups. The following policy specifies which security group can be modified. Create a separate policy of this form for each user and assign it to that user. Now User-A cannot accidentally modify User-B’s security groups.
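A builder for both policies discussed above, the minimal one with the four ECS actions from the Resource Access Management section and the tighter, resource-scoped one from this section, as an added example rather than the article's policy.json. Alibaba RAM policy documents use `"Version": "1"` and `Effect`/`Action`/`Resource` statements; the resource name layout `acs:ecs:<region>:<account>:securitygroup/<id>` and the choice to leave the two Describe actions on `"*"` are my assumptions. The small `is_allowed` evaluator exists only so the scoping claim (User-A cannot touch User-B's groups) can be checked offline before the policy is pasted into the console.

```python
"""RAM policy builder for the permissions the article lists, plus the
resource-scoped "tighter" variant. Added example, not the article's
policy.json. The ARN layout acs:ecs:<region>:<account>:securitygroup/<id>
and the choice to leave Describe* on "*" are assumptions."""
import json
from fnmatch import fnmatchcase

ACTIONS = [
    "ecs:DescribeSecurityGroups",
    "ecs:DescribeSecurityGroupAttribute",
    "ecs:AuthorizeSecurityGroup",
    "ecs:RevokeSecurityGroup",
]
MUTATING = ("ecs:AuthorizeSecurityGroup", "ecs:RevokeSecurityGroup")


def security_group_arn(sg_id, region="*", account="*"):
    """Assumed resource name shape for an ECS security group."""
    return f"acs:ecs:{region}:{account}:securitygroup/{sg_id}"


def build_policy(security_group_ids=None, region="*", account="*"):
    """No ids: the minimal policy from the article, valid for every security
    group. With ids: rule changes are allowed only on those groups, so a
    user holding this policy cannot touch another team's groups."""
    if not security_group_ids:
        statements = [{"Effect": "Allow", "Action": list(ACTIONS), "Resource": "*"}]
    else:
        statements = [
            {"Effect": "Allow",
             "Action": [a for a in ACTIONS if a not in MUTATING],
             "Resource": "*"},   # listing/describing is not scoped here
            {"Effect": "Allow",
             "Action": list(MUTATING),
             "Resource": [security_group_arn(s, region, account)
                          for s in security_group_ids]},
        ]
    return {"Version": "1", "Statement": statements}


def policy_json(security_group_ids=None, region="*", account="*"):
    """The text to paste into the console's Policy Content box."""
    return json.dumps(build_policy(security_group_ids, region, account), indent=2)


def is_allowed(policy, action, resource):
    """Minimal allow-only evaluator used to check a policy before deploying
    it: True if some statement's Action and Resource patterns both match."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = (stmt["Resource"] if isinstance(stmt["Resource"], list)
                     else [stmt["Resource"]])
        if (any(fnmatchcase(action, a) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False
```

`policy_json()` prints the minimal policy; `policy_json(["sg-id-of-team-a"])` prints the team-scoped one. The evaluator only models Allow statements with wildcard matching, which is enough to confirm that a scoped policy grants AuthorizeSecurityGroup and RevokeSecurityGroup on the listed groups and on nothing else, and grants no action outside the four named.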

Create Custom Policy

In this part we will use the Alibaba Cloud Console to create a custom policy that has only the permissions we require to manage security groups.

Create Custom Policy:

  • Go to the Alibaba Resource Access Management (RAM) Console
  • Click on “Policies”
  • Click the tab “Custom Policy”
  • Click the blue “Create Authorization Policy” button
  • Click “Blank Template”
  • Enter an Authorization Policy Name: ManageSecurityGroupRules
  • Enter a Description: Manage security group rules
  • Replace the Policy Content with the JSON from above
  • Click “Create Authorization Policy”

Create User

In this part we will use the Alibaba Console to create a new user and assign the custom policy to this user.

  • Go to the Alibaba Resource Access Management (RAM) Console
  • Click on “Users”
  • Click the blue “Create User” button
  • Enter a User Name: sg_auth
  • Enter a Display Name: sg_auth
  • Enter a Description: Permissions for the program to manage security group rules.
  • Click the radio button “Automatically generate an Access key for this user.”
  • Save the Access Key Information. This will be needed later.
  • The console now displays a list of users. Locate the user that we just created. Click “Authorize”.
  • In the search dialog, enter the first few characters of the policy that we created: “ManageSec”
  • Click on ManageSecurityGroupRules
  • Click the right arrow to move the policy to the selected column.
  • Click OK

Create User Credentials Profile

In this part we will create a new profile using the Alibaba Cloud CLI with the user’s access key and secret key. We will also specify the default region and output format.

Program Execution

To execute the example Python program, open a command prompt and execute the program as follows:

Note: You can modify the python source code to specify the profile name to use by default.
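How the program can pick up the profile created in the Create User Credentials Profile section, and how the default profile name can be changed in the source as the note says, as an added example that is not the article's code. It assumes the Alibaba Cloud CLI writes profiles to `~/.aliyun/config.json` as a `"profiles"` list with `name`, `access_key_id`, `access_key_secret` and `region_id` fields, and that the SDK client is `aliyunsdkcore.client.AcsClient`; the SDK import is deferred so the loader runs without the SDK installed. The config file contents in the usage test are constructed.

```python
"""Loads the access key pair and region of a named profile from the Alibaba
Cloud CLI's config file and builds an SDK client from it. Added example, not
the article's program. The file location (~/.aliyun/config.json), its
"profiles" list and the field names are assumptions about the CLI; the SDK
import is deferred so the loader runs without aliyun-python-sdk-core."""
import json
import os

DEFAULT_PROFILE = "sg_auth"   # edit this to change the profile used when none is given
CONFIG_PATH = os.path.join(os.path.expanduser("~"), ".aliyun", "config.json")
REQUIRED = ("access_key_id", "access_key_secret", "region_id")


class ProfileError(Exception):
    """Raised when the profile is missing or incomplete."""


def load_profile(name=DEFAULT_PROFILE, path=CONFIG_PATH):
    """Return {access_key_id, access_key_secret, region_id} for profile `name`."""
    try:
        with open(path, encoding="utf-8") as f:
            config = json.load(f)
    except FileNotFoundError:
        raise ProfileError(
            f"{path} not found; run: aliyun configure --profile {name}") from None
    for profile in config.get("profiles", []):
        if profile.get("name") == name:
            break
    else:
        raise ProfileError(f"profile '{name}' not found in {path}")
    missing = [k for k in REQUIRED if not profile.get(k)]
    if missing:
        raise ProfileError(f"profile '{name}' is missing {', '.join(missing)}")
    return {k: profile[k] for k in REQUIRED}


def masked_key_id(profile):
    """Safe form of the key id for log lines; the secret is never printed."""
    key_id = profile["access_key_id"]
    return "*" * max(len(key_id) - 4, 0) + key_id[-4:]


def profile_name_from_argv(argv, default=DEFAULT_PROFILE):
    """`python update_sg.py [profile]`: the first argument overrides the default."""
    return argv[1] if len(argv) > 1 else default


def make_client(profile):
    """Assumed SDK wiring: an AcsClient bound to the profile's region."""
    from aliyunsdkcore.client import AcsClient
    return AcsClient(profile["access_key_id"], profile["access_key_secret"],
                     profile["region_id"])
```

Keeping the keys in the CLI's profile store rather than in the script means the source can be shared or scheduled under another account without carrying credentials; `masked_key_id` is there so a log line can identify which key was used without ever echoing it in full.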

Program Source Code


Follow me to keep abreast with the latest technology news, industry insights, and developer trends.