https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-for-evaluating-aws-security-groups-rule-by-rule/m-p/310838#M222 <P>Solve my issue, here is the query that did it with a little extra:</P><P>&nbsp;</P><P>config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.state.name equals running and $.X.publicIpAddress exists and $.X.securityGroups[*].groupId contains $.Y.groupId and (($.Y.ipPermissions[?(@.ipProtocol==-1)].ipRanges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[?(@.ipProtocol==-1)].ipv6Ranges[*].cidrIpv6 contains ::/0))' ; show X; addcolumn publicDnsName publicIpAddress</P> Wed, 12 Feb 2020 16:15:56 GMT AHershey 2020-02-12T16:15:56Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-for-evaluating-aws-security-groups-rule-by-rule/m-p/310616#M221 <P>I am sure someone has had this issue.&nbsp;&nbsp;</P><P>&nbsp;</P><P>We want to get an alert if we allow access to all IP's on all ports.&nbsp; The policy is based on this example:</P><P>filter '$.X.state.name equals running and $.X.publicIpAddress exists and $.X.securityGroups[*].groupId contains $.Y.groupId and ((<FONT color="#0000FF">$.Y.ipPermissions[*].ipRanges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0</FONT>) and <FONT color="#FF0000">$.Y.ipPermissions[*].ipProtocol equals -1</FONT>)</P><P>&nbsp;</P><P>The problem we have is with false positives.&nbsp; We have some EC2's with security groups that allow all external IP's to reach 443, and some rules allow only some other security groups to access all ports in another security group.&nbsp; So what we are looking for is a way for the blue and red criteria to be used to evaluate each security group rule individually, as opposed to firing if any ingress rule has "0.0.0.0" on the allowed IP's and another ingress rule has "-1"&nbsp; on the allowed protocols side.</P><P>&nbsp;</P><P>We are having the discussions to dissuade people from using "-1" ever, which is really the best way to go, but for now we are just trying to focus on stopping the worst of behavior.</P> Wed, 02 Sep 2020 18:02:19 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-for-evaluating-aws-security-groups-rule-by-rule/m-p/310616#M221 AHershey 2020-09-02T18:02:19Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-for-evaluating-aws-security-groups-rule-by-rule/m-p/310838#M222 <P>Solve my issue, here is the query that did it with a little extra:</P><P>&nbsp;</P><P>config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.state.name equals running and $.X.publicIpAddress exists and $.X.securityGroups[*].groupId contains $.Y.groupId and (($.Y.ipPermissions[?(@.ipProtocol==-1)].ipRanges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[?(@.ipProtocol==-1)].ipv6Ranges[*].cidrIpv6 contains ::/0))' ; show X; addcolumn publicDnsName publicIpAddress</P> Wed, 12 Feb 2020 16:15:56 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/rql-query-for-evaluating-aws-security-groups-rule-by-rule/m-p/310838#M222 AHershey 2020-02-12T16:15:56Z