02-11-2020 07:29 AM - last edited on 09-02-2020 11:02 AM by CHopson
I am sure someone has had this issue.
We want to get an alert if we allow access to all IPs on all ports. The policy is based on this example:
filter '$.X.state.name equals running and $.X.publicIpAddress exists and $.X.securityGroups[*].groupId contains $.Y.groupId and (($.Y.ipPermissions[*].ipRanges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0) and $.Y.ipPermissions[*].ipProtocol equals -1)'
The problem we have is with false positives. We have some EC2s with security groups that allow all external IPs to reach 443, and some rules allow only some other security groups to access all ports in another security group. So what we are looking for is a way for the blue and red criteria to be used to evaluate each security group rule individually, as opposed to firing if any ingress rule has "0.0.0.0" on the allowed IPs and another ingress rule has "-1" on the allowed protocols side.
We are having the discussions to dissuade people from using "-1" ever, which is really the best way to go, but for now we are just trying to focus on stopping the worst of behavior.
02-12-2020 08:15 AM
Solved my issue, here is the query that did it with a little extra:
config where api.name = 'aws-ec2-describe-instances' as X; config where api.name = 'aws-ec2-describe-security-groups' as Y; filter '$.X.state.name equals running and $.X.publicIpAddress exists and $.X.securityGroups[*].groupId contains $.Y.groupId and (($.Y.ipPermissions[?(@.ipProtocol==-1)].ipRanges[*] contains 0.0.0.0/0 or $.Y.ipPermissions[?(@.ipProtocol==-1)].ipv6Ranges[*].cidrIpv6 contains ::/0))' ; show X; addcolumn publicDnsName publicIpAddress
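The difference between the original filter and the accepted one is whether the "0.0.0.0/0" and "-1" conditions are correlated across rules or evaluated per rule. The following is an added example, not from the thread or from Prisma Cloud, that models both semantics in Python over constructed security group records; the field shape (ipRanges as CIDR strings, ipv6Ranges as objects with cidrIpv6) is assumed from the query above, and the group IDs are placeholders.

```python
"""Per-rule vs cross-rule evaluation of security group ingress permissions.

Added example, not from the original thread. flawed_all_open() mirrors the
first filter: it fires if ANY rule is world-open and ANY rule is protocol -1,
even when those are different rules. fixed_all_open() mirrors the accepted
query's JSONPath filter ipPermissions[?(@.ipProtocol==-1)], which requires
a single rule to satisfy both conditions.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def rule_is_world_open(perm):
    """True if this one ingress rule admits the whole internet (v4 or v6)."""
    # Field shape assumed from the RQL on the page: ipRanges holds CIDR strings,
    # ipv6Ranges holds objects with a cidrIpv6 key.
    v4 = set(perm.get("ipRanges", []))
    v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return ANY_V4 in v4 or ANY_V6 in v6


def flawed_all_open(sg):
    """Original policy semantics: conditions correlated across all rules."""
    perms = sg.get("ipPermissions", [])
    return any(rule_is_world_open(p) for p in perms) and any(
        str(p.get("ipProtocol")) == "-1" for p in perms)


def fixed_all_open(sg):
    """Corrected semantics: one rule must be both protocol -1 and world-open."""
    return any(str(p.get("ipProtocol")) == "-1" and rule_is_world_open(p)
               for p in sg.get("ipPermissions", []))


# Constructed sample: HTTPS open to the world, plus an all-protocol rule that
# only admits another security group. This is the false-positive case.
SG_HTTPS_PLUS_PEER = {
    "groupId": "sg-PLACEHOLDER-1",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": [], "userIdGroupPairs": []},
        {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [],
         "userIdGroupPairs": [{"groupId": "sg-PLACEHOLDER-2"}]},
    ],
}
# Constructed sample: a single rule allowing all protocols from anywhere.
SG_TRULY_OPEN = {
    "groupId": "sg-PLACEHOLDER-3",
    "ipPermissions": [{"ipProtocol": "-1", "ipRanges": ["0.0.0.0/0"],
                       "ipv6Ranges": [], "userIdGroupPairs": []}],
}
```

Running both functions over the two samples shows the flawed check alerting on both groups while the fixed check alerts only on the truly open one.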