Whitepaper 'FinOps and cost management for Kubernetes'
Please consider giving OptScale a Star on GitHub, it is 100% open source. It would increase its visibility to others and expedite product development. Thank you!
Ebook 'From FinOps to proven cloud cost management & optimization strategies'
OptScale FinOps
OptScale — FinOps
FinOps overview
Cost optimization:
AWS
MS Azure
Google Cloud
Alibaba Cloud
Kubernetes
MLOps
OptScale — MLOps
ML/AI Profiling
ML/AI Optimization
Big Data Profiling
OPTSCALE PRICING
cloud migration
Acura — Cloud migration
Overview
Database replatforming
Migration to:
AWS
MS Azure
Google Cloud
Alibaba Cloud
VMWare
OpenStack
KVM
Public Cloud
Migration from:
On-premise
disaster recovery
Acura — DR & cloud backup
Overview
Migration to:
AWS
MS Azure
Google Cloud
Alibaba Cloud
VMWare
OpenStack
KVM

How to find all AWS security groups which allow unrestricted traffic to avoid uncontrol access

Problem description

AWS security groups are aimed to filter the ingress/engress traffic to an EC2 instance. Security best practices require to ensure that AWS security groups constrain all public traffic and don’t allow unrestricted access (IP address with a /0 suffix) to reduce the possibility of cyberattacks, breaches and risks of data loss.

How to find all AWS security groups which allow unrestricted traffic

Our recommendations will help you find all security groups with unrestricted access (i.e. 0.0.0.0/0) to your EC2 instances using AWS CLI. As a result you’ll get a list of security groups with rules allowing unrestricted access, which helps you take essential actions from a security side and allow authorized from only known hosts.

Recommendations

Step 1

If we want to find all SGs we should go over all available regions.
AWS cli command:

aws ec2 describe-regions --query "Regions[].RegionName" --output text

Step 2

For every available region we should go over all target ports (22 and 3389 in our case) and find all security groups with these ports that are allowed from zero-addresses cidr i.e. 0.0.0.0/0 for ipv4 and ::/0 for ipv6
AWS cli command:

aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output text

Free cloud cost optimization. Lifetime

Note 1

Inbound rules for security groups allow to specify port ranges like [20, 25]. Unfortunately AWS cli doesn’t allow comparison for server side filtering. In this case consider using something more powerfull than AWS cli.

Note 2

AWS cli has a pagination mechanism for large amounts of data in output. If you have many SGs in a region, the provided script will process only the first page. Consider using something more powerful than AWS cli.

As a result one line command:

for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do for port in 22 3389; do for groupId in $(aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output text); do echo "Region: $region Port: $port GroupId: $groupId"; done; done; done

Output example:

…

Region: ap-south-1 Port: 3389 GroupId: sg-040f94474611b14fb

Region: ap-south-1 Port: 3389 GroupId: sg-0a79acb4f95e1ce90

Region: eu-west-3 Port: 22 GroupId: sg-0e88381b1b9c5c6b4

…

👆🏻 The security best practice is to remove passwords to the AWS Management Console when users leave your organization, no longer need them or just use access keys (a combination of an access key ID and a secret access key) to access to AWS account.
✔️ Find the best way to find inactive IAM users with AWS management console access to avoid security issues  → https://hystax.com/the-best-way-to-find-inactive-iam-users-with-aws-management-console-access-to-avoid-security-issues

Enter your email to be notified about new and relevant content.

Thank you for joining us!

We hope you'll find it usefull

You can unsubscribe from these communications at any time. Privacy Policy

News & Reports

FinOps and MLOps

A full description of OptScale as a FinOps and MLOps open source platform to optimize cloud workload performance and infrastructure cost. Cloud cost optimization, VM rightsizing, PaaS instrumentation, S3 duplicate finder, RI/SP usage, anomaly detection, + AI developer tools for optimal cloud utilization.

FinOps, cloud cost optimization and security

Discover our best practices: 

  • How to release Elastic IPs on Amazon EC2
  • Detect incorrectly stopped MS Azure VMs
  • Reduce your AWS bill by eliminating orphaned and unused disk snapshots
  • And much more deep insights

Optimize RI/SP usage for ML/AI teams with OptScale

Find out how to:

  • see RI/SP coverage
  • get recommendations for optimal RI/SP usage
  • enhance RI/SP utilization by ML/AI teams with OptScale