PowerShell script for an AWS security group for Active Directory use

F. X. Flinn, Senior Consultant / Founder
Edited by: Andrew Leniart
I had to put together a security group that conformed to Microsoft's requirements for Active Directory domain server use between an EC2 instance on AWS and domain servers in our private WAN. I was surprised there was no script for this and decided to put one together.

Per Microsoft's latest guidance, there are a fair number of entries to make in an Amazon Web Services Security Group when you put up a Domain Controller in their cloud. I took Amazon's example for using PowerShell to programmatically add entries to a Security Group and wound up with a script that will build it.

In my case we have multiple 192.168 subnets in our WAN; you will want to search and replace the IPRange to fit your situation. You may also wish to modify the group name. You MUST replace "YOUR VPC ID" with your VPC id, and you MAY replace the GroupName with whatever you prefer. Note that this is only for 2012 or later Forests/Domains; earlier versions will need to change the last two entries to 1025-5000.

The first line creates a new group and stores its ID in a variable.

The second line creates an IPPermission object.

The third line populates the IPPermission object with the protocol, port start and end numbers, and IPRange.

The fourth line shows the object being consumed by the Grant-EC2SecurityGroupIngress command.

Subsequently the IPPermission object is edited as necessary and then consumed again. My testing shows that putting in the object name to display its contents is useful in preventing timeouts that result in the port not being set.

The last line dumps out the results, which will also be visible in your Security Group page on AWS.


# Create the security group; replace "YOUR VPC ID" with your VPC id and change the GroupName if you prefer.
$groupid = New-EC2SecurityGroup -VpcId "YOUR VPC ID" -GroupName "ADSec_12R2_169254_v2" -GroupDescription "Baseline ADIn Tunnel ranges"
# One IpPermission object is reused for every rule; only the protocol and ports change between calls.
$ip01 = new-object Amazon.EC2.Model.IpPermission
# SMTP (legacy mail-based replication). The IpRange is set once here; search and replace it for your subnets.
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 25;$ip01.ToPort = 25;$ip01.IpRanges.Add("169.254.0.0/16");
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# DNS
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 53;$ip01.ToPort = 53;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 53;$ip01.ToPort = 53;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# DHCP
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 67;$ip01.ToPort = 67;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Kerberos
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 88;$ip01.ToPort = 88;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# W32Time (NTP runs over UDP 123)
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 123;$ip01.ToPort = 123;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# RPC endpoint mapper
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 135;$ip01.ToPort = 135;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# NetBIOS name, datagram and session services
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 137;$ip01.ToPort = 137;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 138;$ip01.ToPort = 138;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 139;$ip01.ToPort = 139;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# LDAP
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 389;$ip01.ToPort = 389;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 389;$ip01.ToPort = 389;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# SMB
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 445;$ip01.ToPort = 445;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 445;$ip01.ToPort = 445;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Kerberos password change
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 464;$ip01.ToPort = 464;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 464;$ip01.ToPort = 464;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# LDAP over SSL
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 636;$ip01.ToPort = 636;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# MADCAP
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 2535;$ip01.ToPort = 2535;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Global Catalog (plain and SSL)
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 3268;$ip01.ToPort = 3268;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 3269;$ip01.ToPort = 3269;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# DFS Replication
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 5722;$ip01.ToPort = 5722;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Active Directory Web Services
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 9389;$ip01.ToPort = 9389;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Dynamic RPC range; change these last two entries to 1025-5000 for forests older than the 2008 baseline
$ip01.IpProtocol = 'UDP';$ip01.FromPort = 49152;$ip01.ToPort = 65535;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
$ip01.IpProtocol = 'TCP';$ip01.FromPort = 49152;$ip01.ToPort = 65535;
$ip01
Grant-EC2SecurityGroupIngress -GroupId $groupid -IpPermissions @( $ip01 )
# Read the finished group back so the rules can be checked against the intended list
Get-EC2SecurityGroup -GroupId $groupid
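As an added example (not the article's script), the same rule set built table-driven: one Grant-EC2SecurityGroupIngress call carries every rule, which removes the per-rule round trips the author worked around with the display trick, and a read-back check confirms the stored group holds each intended port and nothing open to 0.0.0.0/0. It assumes a current AWS Tools for PowerShell module with credentials already configured; New-AdIpPermission is a helper defined here, and the VPC id and subnet CIDRs are placeholders.

```powershell
# Added example, not the article's script. Assumes a current AWS Tools for PowerShell module
# (AWSPowerShell or AWS.Tools.EC2) with credentials already configured; New-AdIpPermission is a
# helper defined here, and the VPC id and CIDR list are placeholders to edit for your environment.
$VpcId     = 'vpc-REPLACE-ME'
$Sources   = @('192.168.10.0/24', '192.168.20.0/24')   # constructed sample WAN subnets
$Ephemeral = @{ From = 49152; To = 65535 }             # dynamic RPC range; 1025-5000 for pre-2008 forests

# Same port set as the article, with W32Time on UDP 123 and Kerberos on TCP 88 as well as UDP 88
$AdRules = @(
    @{ Proto = 'tcp'; Port = 25 },                                      # SMTP (legacy replication)
    @{ Proto = 'tcp'; Port = 53 },   @{ Proto = 'udp'; Port = 53 },     # DNS
    @{ Proto = 'udp'; Port = 67 },   @{ Proto = 'udp'; Port = 2535 },   # DHCP / MADCAP
    @{ Proto = 'tcp'; Port = 88 },   @{ Proto = 'udp'; Port = 88 },     # Kerberos
    @{ Proto = 'udp'; Port = 123 },                                     # W32Time
    @{ Proto = 'tcp'; Port = 135 },                                     # RPC endpoint mapper
    @{ Proto = 'udp'; Port = 137 },  @{ Proto = 'udp'; Port = 138 },  @{ Proto = 'tcp'; Port = 139 },  # NetBIOS
    @{ Proto = 'tcp'; Port = 389 },  @{ Proto = 'udp'; Port = 389 },    # LDAP
    @{ Proto = 'tcp'; Port = 445 },  @{ Proto = 'udp'; Port = 445 },    # SMB
    @{ Proto = 'tcp'; Port = 464 },  @{ Proto = 'udp'; Port = 464 },    # Kerberos password change
    @{ Proto = 'tcp'; Port = 636 },                                     # LDAPS
    @{ Proto = 'tcp'; Port = 3268 }, @{ Proto = 'tcp'; Port = 3269 },   # Global Catalog
    @{ Proto = 'tcp'; Port = 5722 },                                    # DFSR
    @{ Proto = 'tcp'; Port = 9389 }                                     # AD Web Services
)

function New-AdIpPermission {
    param([string]$Proto, [int]$From, [int]$To, [string[]]$Cidrs)
    $p = New-Object Amazon.EC2.Model.IpPermission
    $p.IpProtocol = $Proto; $p.FromPort = $From; $p.ToPort = $To
    foreach ($c in $Cidrs) {
        $r = New-Object Amazon.EC2.Model.IpRange; $r.CidrIp = $c; $p.Ipv4Ranges.Add($r)
    }
    return $p
}

$perms = @($AdRules | ForEach-Object { New-AdIpPermission $_.Proto $_.Port $_.Port $Sources })
$perms += 'tcp', 'udp' | ForEach-Object { New-AdIpPermission $_ $Ephemeral.From $Ephemeral.To $Sources }

$groupId = New-EC2SecurityGroup -VpcId $VpcId -GroupName 'ADSec_WAN_v3' -GroupDescription 'AD DS ports from WAN only'
# Every rule in one API call: no per-rule round trips to time out and no half-built group to clean up
Grant-EC2SecurityGroupIngress -GroupId $groupId -IpPermissions $perms

# Verify what AWS actually stored: every intended rule present, nothing open to 0.0.0.0/0
$actual  = (Get-EC2SecurityGroup -GroupId $groupId).IpPermissions
$missing = $perms | Where-Object { $want = $_
    -not ($actual | Where-Object { $_.IpProtocol -eq $want.IpProtocol -and $_.FromPort -eq $want.FromPort -and $_.ToPort -eq $want.ToPort }) }
$open    = $actual | Where-Object { $_.Ipv4Ranges.CidrIp -contains '0.0.0.0/0' }
if ($missing -or $open) { Write-Warning "Rules missing: $(@($missing).Count); rules open to the world: $(@($open).Count)" }
else { "Security group $groupId matches the intended AD rule set" }
```

Each CIDR in $Sources multiplies the rule count, and the default quota is 60 inbound rules per security group, so with many WAN subnets summarize them into a supernet or reference a managed prefix list instead.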
