02-25-2024 10:43 PM
Reference: https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html
RQL that is not working: config from cloud.resource where cloud.type = 'aws' AND api.name = 'describe-security-groups' AND json.rule = "IpPermissionsEgress[IpRanges[?any (CidrIp equals 0.0.0.0/0)]]"
Does not seems to be right. Need RQL expert here! Thanks
02-26-2024 12:21 AM
Somehow figure out something like this and so far no error.
config from cloud.resource where api.name = 'aws-ec2-describe-security-groups' and json.rule = (($.ipPermissions[?(@.ipProtocol==-1)].ipRanges[*] contains 0.0.0.0/0 or $.ipPermissions[?(@.ipProtocol==-1)].ipv6Ranges[*].cidrIpv6 contains ::/0))
02-28-2024 01:34 PM
That works. Or a more simplified version of the query to only look for ipv4 outbound to 0.0.0.0/0 could be:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = '((ipPermissionsEgress[*] equals 0.0.0.0/0))'
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
