Ebook 'From FinOps to proven cloud cost management & optimization strategies'
Whitepaper 'FinOps and cost management for Kubernetes'

How to find all AWS security groups which allow unrestricted traffic to avoid uncontrol access

Share on linkedin
Share on twitter
Share on facebook

Problem description

AWS security groups are aimed to filter the ingress/engress traffic to an EC2 instance. Security best practices require to ensure that AWS security groups constrain all public traffic and don’t allow unrestricted access (IP address with a /0 suffix) to reduce the possibility of cyberattacks, breaches and risks of data loss.

How to find all AWS security groups which allow unrestricted traffic

Our recommendations will help you find all security groups with unrestricted access (i.e. 0.0.0.0/0) to your EC2 instances using AWS CLI. As a result you’ll get a list of security groups with rules allowing unrestricted access, which helps you take essential actions from a security side and allow authorized from only known hosts.

Recommendations

Step 1

If we want to find all SGs we should go over all available regions.
AWS cli command:

aws ec2 describe-regions --query "Regions[].RegionName" --output text

Step 2

For every available region we should go over all target ports (22 and 3389 in our case) and find all security groups with these ports that are allowed from zero-addresses cidr i.e. 0.0.0.0/0 for ipv4 and ::/0 for ipv6
AWS cli command:

aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output text

Free cloud cost optimization. Lifetime

Note 1

Inbound rules for security groups allow to specify port ranges like [20, 25]. Unfortunatelly AWS cli doesn’t allow comparison for server side filtering. In this case consider using something more powerfull than AWS cli.

Note 2

AWS cli has a pagination mechanism for large amounts of data in output. If you have many SGs in a region, the provided script will process only the first page. Consider using something more powerful than AWS cli.

As a result one line command:

for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do for port in 22 3389; do for groupId in $(aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output text); do echo "Region: $region Port: $port GroupId: $groupId"; done; done; done

Output example:

…

Region: ap-south-1 Port: 3389 GroupId: sg-040f94474611b14fb

Region: ap-south-1 Port: 3389 GroupId: sg-0a79acb4f95e1ce90

Region: eu-west-3 Port: 22 GroupId: sg-0e88381b1b9c5c6b4

…

OptScale, a FinOps and cloud cost management platform, is available on cloud marketplaces

AWS-logo
azure
Alibaba Cloud marketplace
Digital-ocean

👆🏻 The security best practice is to remove passwords to the AWS Management Console when users leave your organization, no longer need them or just use access keys (a combination of an access key ID and a secret access key) to access to AWS account.
✔️ Find the best way to find inactive IAM users with AWS management console access to avoid security issues  → https://hystax.com/the-best-way-to-find-inactive-iam-users-with-aws-management-console-access-to-avoid-security-issues

Enter your email to be notified about new and relevant content.

Thank you for joining us!

We hope you'll find it usefull

You can unsubscribe from these communications at any time. Privacy Policy

News & Reports

FinOps & Test Environment Management

A full description of OptScale as a FinOps and Test Environment Management platform to organize shared IT environment usage, optimize & forecast Kubernetes and cloud costs

From FinOps to proven cloud cost management & optimization strategies

This ebook covers the implementation of basic FinOps principles to shed light on alternative ways of conducting cloud cost optimization

Engage your engineers in FinOps and cloud cost saving

Discover how OptScale helps companies quickly increase FinOps adoption by engaging engineers in FinOps enablement and cloud cost savings