aws.security-group
Filters
default-vpc
Filter that matches any security group that exists within the account's default VPC.
- example:
    policies:
      - name: security-group-default-vpc
        resource: security-group
        filters:
          - default-vpc
properties:
  type:
    enum:
      - default-vpc
required:
  - type
Permissions - ec2:DescribeVpcs
diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database, so Config must be recording the resource type in the account and region being scanned.
Revisions are chosen with selector: previous compares against the immediately preceding revision, date compares against the revision that was current at the date given in selector_value, and locked compares against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - diff
required:
  - type
Permissions - config:GetResourceConfigHistory
egress
Filter for verifying security group ingress and egress permissions.
All attributes of a security group permission (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges, PrefixListIds, UserIdGroupPairs, Description) are available as value filters.
If multiple attributes are specified the permission must satisfy all of them. Within a single attribute that holds a list on the permission (IpRanges, for example) the match defaults to or, so one matching list entry is enough.
If a group has any permission that matches all conditions, the group matches the filter.
Permissions that match are annotated onto the group and can subsequently be consumed by the remove-permissions action (ingress: matched / egress: matched).
Plain attribute values are matched directly against the permission, as in this example:
    - type: ingress
      IpProtocol: -1
      FromPort: 445
We have specialized handling for matching Ports against a permission's FromPort/ToPort range. The following example matches ingress rules whose port range contains any of the listed ports; note that a rule open on the whole range (0-65535) therefore matches just as a rule for port 22 alone does:
    - type: ingress
      Ports: [22, 443, 80]
OnlyPorts is the inverse assertion: it matches when the permission allows any port outside the listed set, so it is the key to use for flagging rules that are broader than the ports you approve. The delta between this and the Ports example is that a rule for exactly port 22 does not match here, while a rule for 22-80 does:
    - type: ingress
      OnlyPorts: [22]
    - type: egress
      OnlyPorts: [22, 443, 80]
We also have specialized handling for self-references in ingress/egress permissions. The following example matches ingress rules that allow traffic from the security group itself:
    - type: ingress
      SelfReference: True
Because a permission's IP ranges are specified as a list (IpRanges), the Cidr key is provided as a value filter that is evaluated against each range on the rule; if any range matches, the permission matches:
    - type: egress
      Cidr:
        value_type: cidr
        op: in
        value: x.y.z
value_type: cidr also understands containment: with op: in the rule matches when its CIDR is a subset of one of the given ranges, and with op: not-in it matches when its CIDR lies outside all of them. In this example any rule whose CIDR falls within one of the ranges listed in allowed_cidrs.csv is accepted, and every other rule matches:
    - type: ingress
      Cidr:
        value_type: cidr
        op: not-in
        value_from:
          url: s3://a-policy-data-us-west-2/allowed_cidrs.csv
          format: csv
or value can be specified as a list:
    - type: ingress
      Cidr:
        value_type: cidr
        op: not-in
        value: ["10.0.0.0/8", "192.168.0.0/16"]
Cidr matches IPv4 ranges (IpRanges) and CidrV6 matches IPv6 ranges (Ipv6Ranges). This example matches rules that expose SSH or RDP to the whole internet over either address family; the filter only selects the rules, so pair it with remove-permissions to actually revoke them:
    - or:
      - type: ingress
        Ports: [22, 3389]
        Cidr:
          value: "0.0.0.0/0"
      - type: ingress
        Ports: [22, 3389]
        CidrV6:
          value: "::/0"
SGReferences filters on the security groups a rule references (UserIdGroupPairs); the key is evaluated against the attributes of the referenced group. In this example we match ingress rules that reference a group tagged Access: Public:
    - type: ingress
      SGReferences:
        key: "tag:Access"
        value: "Public"
        op: equal
We can also filter SG references by the VPC they live in. This example selects egress rules that reference a group in vpc-11a1a1aa; to find outbound rules that reference groups in any other VPC, use op: not-equal instead:
    - type: egress
      SGReferences:
        key: 'VpcId'
        value: 'vpc-11a1a1aa'
        op: equal
Likewise, we can filter SG references by their description. For example, we can find egress rules that reference any group whose description is "default - DO NOT USE":
    - type: egress
      SGReferences:
        key: 'Description'
        value: 'default - DO NOT USE'
        op: equal
By default, this filter matches a security group rule if _all_ of its keys match. Using match-operator: or causes a match if _any_ key matches. This can help consolidate some simple cases that would otherwise require multiple filters. To find security groups that allow all inbound traffic over IPv4 or IPv6, for example, we can use two filters inside an or block:
    - or:
      - type: ingress
        Cidr: "0.0.0.0/0"
      - type: ingress
        CidrV6: "::/0"
or combine them into a single filter:
    - type: ingress
      match-operator: or
      Cidr: "0.0.0.0/0"
      CidrV6: "::/0"
Note that evaluating _combinations_ of factors (e.g. traffic over port 22 from 0.0.0.0/0) still requires separate filters, since match-operator: or would match a rule that satisfies the port condition alone.
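The matching rules above are easy to misread, particularly the Ports/OnlyPorts pair and the cidr containment operators. The following is an added illustration, written for this page and not Cloud Custodian's own implementation: a stand-alone model of the documented semantics (Ports, OnlyPorts, Cidr/CidrV6 with value_type cidr, SelfReference, IpProtocol and match-operator) run over a constructed set of IpPermissions entries shaped like ec2:DescribeSecurityGroups output for a hypothetical group "sg-self". The all-TCP-ports rule in the sample is there to show why a check for port 22 must use Ports rather than FromPort equality.

```python
"""Model of the documented ingress/egress matching rules (added example).

Not Cloud Custodian's code: a re-statement of the semantics described on
this page, applied to constructed permission entries.
"""
import ipaddress

# Constructed sample: inbound rules of one hypothetical group "sg-self".
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    # an "all TCP ports" rule: FromPort != 22, yet it exposes port 22 to the world
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    # all traffic from the group itself (protocol -1 carries no port range)
    {"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-self"}]},
]


def ports_match(perm, ports):
    """Ports: true when any listed port lies inside the rule's FromPort..ToPort."""
    if "FromPort" not in perm:
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ports)


def only_ports_match(perm, only_ports):
    """OnlyPorts: negative assertion, true when the rule allows a port outside the set."""
    if "FromPort" not in perm:        # protocol -1: every port is allowed
        return True
    allowed = set(range(perm["FromPort"], perm["ToPort"] + 1))
    return bool(allowed - set(only_ports))


def cidr_match(perm, spec, key="IpRanges", field="CidrIp"):
    """Cidr / CidrV6: evaluated against each range entry; any hit matches the rule.

    spec is a literal string (exact equality) or a dict {"op": "in"|"not-in",
    "value": [cidrs]} with value_type cidr semantics: "in" means the rule's
    CIDR is a subnet of one listed CIDR, "not-in" means it is inside none.
    """
    ranges = [ipaddress.ip_network(r[field], strict=False) for r in perm.get(key, [])]
    if not isinstance(spec, dict):
        return any(str(r) == spec for r in ranges)
    nets = [ipaddress.ip_network(v, strict=False) for v in spec["value"]]
    want_inside = spec["op"] == "in"
    for r in ranges:
        inside = any(r.version == n.version and r.subnet_of(n) for n in nets)
        if inside == want_inside:
            return True
    return False


def self_reference_match(perm, group_id):
    """SelfReference: the rule lists the group's own id in UserIdGroupPairs."""
    return any(p.get("GroupId") == group_id for p in perm.get("UserIdGroupPairs", []))


def perm_matches(perm, group_id, filt):
    """Apply one ingress/egress filter body to one permission."""
    checks = []
    if "IpProtocol" in filt:
        checks.append(str(perm["IpProtocol"]) == str(filt["IpProtocol"]))
    if "Ports" in filt:
        checks.append(ports_match(perm, filt["Ports"]))
    if "OnlyPorts" in filt:
        checks.append(only_ports_match(perm, filt["OnlyPorts"]))
    if "Cidr" in filt:
        checks.append(cidr_match(perm, filt["Cidr"]))
    if "CidrV6" in filt:
        checks.append(cidr_match(perm, filt["CidrV6"], "Ipv6Ranges", "CidrIpv6"))
    if "SelfReference" in filt:
        checks.append(self_reference_match(perm, group_id) == filt["SelfReference"])
    # keys combine with "and" by default; match-operator: or relaxes it to "any key"
    combine = any if filt.get("match-operator") == "or" else all
    return bool(checks) and combine(checks)


def matched_perms(perms, group_id, filt):
    """The permissions a filter would annotate onto the group for remove-permissions."""
    return [p for p in perms if perm_matches(p, group_id, filt)]


if __name__ == "__main__":
    world_ssh_rdp = {"Ports": [22, 3389], "Cidr": "0.0.0.0/0"}
    for p in matched_perms(SAMPLE_PERMS, "sg-self", world_ssh_rdp):
        print("world-open:", p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
```

Running it reports only the 0-65535 rule for the world-open SSH/RDP check: the port-22 rule is restricted to 10.0.0.0/8, and the RDP rule is open on IPv6 only, so it needs the CidrV6 variant. The same sample shows OnlyPorts: [22] matching three of the four rules, everything except the rule that is exactly port 22.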
properties:
  Cidr: {}
  CidrV6: {}
  Description: {}
  FromPort:
    oneOf:
      - $ref: '#/definitions/filters/value'
      - type: integer
  IpProtocol:
    oneOf:
      - enum:
          - '-1'
          - -1
          - tcp
          - udp
          - icmp
          - icmpv6
      - $ref: '#/definitions/filters/value'
  IpRanges: {}
  OnlyPorts:
    items:
      type: integer
    type: array
  Ports:
    items:
      type: integer
    type: array
  PrefixListIds: {}
  SGReferences: {}
  SelfReference:
    type: boolean
  ToPort:
    oneOf:
      - $ref: '#/definitions/filters/value'
      - type: integer
  UserIdGroupPairs: {}
  match-operator:
    enum:
      - or
      - and
    type: string
  type:
    enum:
      - egress
required:
  - type
ingress
Filter for verifying security group ingress permissions.
The ingress filter shares the matching semantics, keys and examples of the egress filter documented above (plain attribute matching, Ports, OnlyPorts, SelfReference, Cidr and CidrV6 with value_type: cidr, SGReferences, and match-operator). The only difference is that type: ingress evaluates the group's inbound rules (IpPermissions) while type: egress evaluates its outbound rules (IpPermissionsEgress). Inbound rules that match are annotated onto the group and can be revoked with the remove-permissions action's ingress: matched option.
properties:
  Cidr: {}
  CidrV6: {}
  Description: {}
  FromPort:
    oneOf:
      - $ref: '#/definitions/filters/value'
      - type: integer
  IpProtocol:
    oneOf:
      - enum:
          - '-1'
          - -1
          - tcp
          - udp
          - icmp
          - icmpv6
      - $ref: '#/definitions/filters/value'
  IpRanges: {}
  OnlyPorts:
    items:
      type: integer
    type: array
  Ports:
    items:
      type: integer
    type: array
  PrefixListIds: {}
  SGReferences: {}
  SelfReference:
    type: boolean
  ToPort:
    oneOf:
      - $ref: '#/definitions/filters/value'
      - type: integer
  UserIdGroupPairs: {}
  match-operator:
    enum:
      - or
      - and
    type: string
  type:
    enum:
      - ingress
required:
  - type
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database, so Config must be recording the resource type in the account and region being scanned.
Revisions are chosen with selector: previous compares against the immediately preceding revision, date compares against the revision that was current at the date given in selector_value, and locked compares against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
stale
Filter to find security groups that contain stale references to other groups, that is, references to groups that no longer exist or that traverse a broken VPC peering connection. Note this applies to VPC security groups only; the filter implicitly restricts its results to VPC security groups.
- example:
    policies:
      - name: stale-security-groups
        resource: security-group
        filters:
          - stale
properties:
  type:
    enum:
      - stale
required:
  - type
Permissions - ec2:DescribeStaleSecurityGroups
unused
Filter to just the VPC security groups that are not in use.
We scan all existing ENIs in the VPC to get a baseline set of groups in use, then augment it with the groups referenced by launch configurations and Lambda functions, since those may have no ENI in the VPC at a given moment. We also treat as used any security group that is referenced from another group's rules, either within the VPC or across peered connections, and any group referenced by CloudWatch Events targets for ECS.
Checks: ENIs, Lambda functions, launch configurations, security group rule references, and ECS CloudWatch Events targets.
Note this filter does not support EC2-Classic security groups at the moment.
- example:
    policies:
      - name: security-groups-unused
        resource: security-group
        filters:
          - unused
properties:
  type:
    enum:
      - unused
required:
  - type
Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, ec2:DescribeNetworkInterfaces, autoscaling:DescribeLaunchConfigurations, ec2:DescribeSecurityGroups, events:ListTargetsByRule, batch:DescribeComputeEnvironments
used
Filter to security groups that are in use. This operates as a complement to the unused filter for multi-step workflows. Matched groups are also annotated with c7n:InstanceOwnerIds, c7n:InterfaceTypes and c7n:InterfaceResourceTypes, derived from the network interfaces that reference them, so a following value filter can narrow the set to groups used by a particular kind of resource, as the last three examples show.
- example:
    policies:
      - name: security-groups-in-use
        resource: security-group
        filters:
          - used

    policies:
      - name: security-groups-used-by-rds
        resource: security-group
        filters:
          - used
          - type: value
            key: c7n:InstanceOwnerIds
            op: intersect
            value:
              - amazon-rds

    policies:
      - name: security-groups-used-by-natgw
        resource: security-group
        filters:
          - used
          - type: value
            key: c7n:InterfaceTypes
            op: intersect
            value:
              - nat_gateway

    policies:
      - name: security-groups-used-by-alb
        resource: security-group
        filters:
          - used
          - type: value
            key: c7n:InterfaceResourceTypes
            op: intersect
            value:
              - elb-app
properties:
  type:
    enum:
      - used
required:
  - type
Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, ec2:DescribeNetworkInterfaces, autoscaling:DescribeLaunchConfigurations, ec2:DescribeSecurityGroups, events:ListTargetsByRule, batch:DescribeComputeEnvironments
Actions
delete
Action to delete security group(s).
Always apply a filter to a delete policy; without one, every security group returned by the resource query would be deleted. Two further caveats: a VPC's default security group cannot be deleted (the API call fails), and neither can a group that is still attached to a network interface or referenced by another group's rules, so delete is normally paired with the unused filter and with a filter that excludes the default group.
- example:
    policies:
      - name: security-groups-unused-delete
        resource: security-group
        filters:
          - type: unused
        actions:
          - delete
properties:
  type:
    enum:
      - delete
required:
  - type
Permissions - ec2:DeleteSecurityGroup
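A guarded version of the unused-delete policy, as an added example that is not part of the Custodian documentation: it skips each VPC's default group, which the delete call would reject, and honours an opt-out tag. The tag name c7n-retain is a hypothetical convention; the value: absent form is Custodian's standard way to assert that a tag is not set.

```yaml
# Added example (not from the Custodian docs): delete unused groups, but never
# the VPC default group and never a group an owner has tagged to keep.
# The "c7n-retain" tag name is hypothetical.
policies:
  - name: security-groups-unused-delete-guarded
    resource: aws.security-group
    filters:
      - unused
      - type: value
        key: GroupName
        op: not-equal
        value: default
      - type: value
        key: "tag:c7n-retain"
        value: absent
    actions:
      - delete
```

Run it with custodian run --dryrun first and review the resources.json it writes for the policy before removing --dryrun; a group that the unused filter misses because it is only referenced from outside the checks listed above would otherwise fail with a dependency error at delete time.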
patch
Modify a resource by applying the reverse of the delta computed by a preceding diff filter, which reverts the security group to the selected revision. For security groups the reverse delta is applied as rule authorizations and revocations plus tag create/delete calls, hence the permissions listed below; the action does nothing useful unless a diff filter in the same policy has selected a revision.
properties:
  type:
    enum:
      - patch
required:
  - type
Permissions - ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress, ec2:CreateTags, ec2:DeleteTags
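The diff filter and the patch action are meant to be used together; the following policy, an added example rather than one from the Custodian documentation, reverts any rule or tag change on groups under management to the previous recorded revision. It assumes AWS Config is recording AWS::EC2::SecurityGroup in the target account and region (the diff filter reads revisions from Config), and the tag Managed: custodian is a hypothetical convention for marking groups whose rules are owned by policy. A policy like this is normally run from an event-driven mode so that it reacts to the specific change rather than flipping groups back and forth on a schedule.

```yaml
# Added example (not from the Custodian docs). Requires AWS Config to record
# AWS::EC2::SecurityGroup; the diff filter compares the live group with its
# previous Config revision and patch applies the reverse delta.
# The "tag:Managed" convention is hypothetical.
policies:
  - name: security-group-revert-unmanaged-change
    resource: aws.security-group
    filters:
      - type: value
        key: "tag:Managed"
        value: custodian
      - type: diff
        selector: previous
    actions:
      - patch
```

Because patch reverses whatever the diff found, keep the filter set narrow (by tag, VPC or group name) so that an intentional change to a group outside the policy's scope is never undone.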
remove-permissions
Action to remove ingress and/or egress rule(s) from a security group. With matched, only the permissions annotated by a preceding ingress or egress filter in the same policy are revoked; with all, every rule in that direction is revoked.
- example:
    policies:
      - name: security-group-revoke-8080
        resource: security-group
        filters:
          - type: ingress
            IpProtocol: tcp
            Ports: [8080]
        actions:
          - type: remove-permissions
            ingress: matched
properties:
  egress:
    enum:
      - matched
      - all
    type: string
  ingress:
    enum:
      - matched
      - all
    type: string
  type:
    enum:
      - remove-permissions
required:
  - type
Permissions - ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress
set-permissions
Action to add and/or remove ingress/egress rule(s) on a security group. Removals can reference the permissions matched by a preceding ingress/egress filter (matched), everything in that direction (all), or a list of fully specified permissions; additions take either the flat form shown for add-egress or the full IpPermissions structure accepted by the authorize API calls.
- example:
    policies:
      - name: ops-access-via
        resource: aws.security-group
        filters:
          - type: ingress
            IpProtocol: "-1"
            Ports: [22, 3389]
            Cidr: "0.0.0.0/0"
        actions:
          - type: set-permissions
            # remove the permission matched by a previous ingress filter.
            remove-ingress: matched
            # remove permissions by specifying them fully, ie remove default outbound
            # access.
            remove-egress:
              - IpProtocol: "-1"
                Cidr: "0.0.0.0/0"
            # add a list of permissions to the group.
            add-ingress:
              # full syntax/parameters to authorize can be used.
              - IpPermissions:
                  - IpProtocol: TCP
                    FromPort: 22
                    ToPort: 22
                    IpRanges:
                      - Description: Ops SSH Access
                        CidrIp: "1.1.1.1/32"
                      - Description: Security SSH Access
                        CidrIp: "2.2.2.2/32"
            # add a list of egress permissions to a security group
            add-egress:
              - IpProtocol: "TCP"
                FromPort: 5044
                ToPort: 5044
                CidrIp: "192.168.1.2/32"
properties:
  add-egress:
    items:
      minProperties: 1
      type: object
    type: array
  add-ingress:
    items:
      minProperties: 1
      type: object
    type: array
  remove-egress:
    oneOf:
      - enum:
          - all
          - matched
      - items:
          minProperties: 2
          type: object
        type: array
  remove-ingress:
    oneOf:
      - enum:
          - all
          - matched
      - items:
          minProperties: 2
          type: object
        type: array
  type:
    enum:
      - set-permissions
required:
  - type
Permissions - ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress