aws.security-group

Filters

default-vpc

Filter that returns any security group that exists within the default VPC.

example

policies:
  - name: security-group-default-vpc
    resource: security-group
    filters:
      - default-vpc

properties:
  type:
    enum:
    - default-vpc
required:
- type

diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (the last requires the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - diff
required:
- type

egress

Filter for verifying security group ingress and egress permissions.

All attributes of a security group permission are available as value filters.

If multiple attributes are specified, the permission must satisfy all of them. Note that when an attribute is matched against a list-valued field of a permission, the match defaults to or (see the match-operator property).

If a group has any permissions that match all conditions, then it matches the filter.

Permissions that match are annotated onto the group and can subsequently be used by the remove-permissions action.

Ports in ingress/egress permissions get specialized handling against the permission's FromPort/ToPort range. The following example matches ingress rules whose range includes all of the given ports:

- type: ingress
  Ports: [22, 443, 80]

OnlyPorts verifies that a rule allows only a specific set of ports, as in the following example. The difference from the previous example is that the rule matches if the permission allows any port not listed here; that is, OnlyPorts is a negative assertion: it matches when a permission includes ports outside the specified set.

- type: ingress
  OnlyPorts: [22]

Because IpRanges is a list on each permission, a Cidr key is provided that is evaluated as a value filter against each range of the permission; if any range's CIDR matches, the permission matches:

- type: egress
  Cidr:
    value_type: cidr
    op: in
    value: x.y.z

Any other permission attribute can be matched directly as a value filter, as in this example on IpProtocol and FromPort:

- type: ingress
  IpProtocol: -1
  FromPort: 445

Self-references in ingress/egress permissions also get specialized handling. The following example matches ingress rules that allow traffic from the group itself:

- type: ingress
  SelfReference: True

OnlyPorts works the same way on egress permissions; it remains an inverse match, asserting that a permission allows only the given set of ports:

- type: egress
  OnlyPorts: [22, 443, 80]

Cidr matches IPv4 ranges and CidrV6 matches IPv6 ranges. The following example matches ingress permissions that allow global inbound connections to SSH or RDP (ports 22 and 3389):

- type: ingress
  Ports: [22, 3389]
  Cidr:
    value:
      - "0.0.0.0/0"
      - "::/0"
    op: in

properties:
  Cidr: {}
  CidrV6: {}
  Description: {}
  FromPort:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: integer
  IpProtocol:
    enum:
    - '-1'
    - -1
    - tcp
    - udp
    - icmp
    - icmpv6
  IpRanges: {}
  OnlyPorts:
    items:
      type: integer
    type: array
  Ports:
    items:
      type: integer
    type: array
  PrefixListIds: {}
  SelfReference:
    type: boolean
  ToPort:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: integer
  UserIdGroupPairs: {}
  match-operator:
    enum:
    - or
    - and
    type: string
  type:
    enum:
    - egress
required:
- type

ingress

Filter for verifying security group ingress and egress permissions.

All attributes of a security group permission are available as value filters.

If multiple attributes are specified, the permission must satisfy all of them. Note that when an attribute is matched against a list-valued field of a permission, the match defaults to or (see the match-operator property).

If a group has any permissions that match all conditions, then it matches the filter.

Permissions that match are annotated onto the group and can subsequently be used by the remove-permissions action.

Ports in ingress/egress permissions get specialized handling against the permission's FromPort/ToPort range. The following example matches ingress rules whose range includes all of the given ports:

- type: ingress
  Ports: [22, 443, 80]

OnlyPorts verifies that a rule allows only a specific set of ports, as in the following example. The difference from the previous example is that the rule matches if the permission allows any port not listed here; that is, OnlyPorts is a negative assertion: it matches when a permission includes ports outside the specified set.

- type: ingress
  OnlyPorts: [22]

Because IpRanges is a list on each permission, a Cidr key is provided that is evaluated as a value filter against each range of the permission; if any range's CIDR matches, the permission matches:

- type: egress
  Cidr:
    value_type: cidr
    op: in
    value: x.y.z

Any other permission attribute can be matched directly as a value filter, as in this example on IpProtocol and FromPort:

- type: ingress
  IpProtocol: -1
  FromPort: 445

Self-references in ingress/egress permissions also get specialized handling. The following example matches ingress rules that allow traffic from the group itself:

- type: ingress
  SelfReference: True

OnlyPorts works the same way on egress permissions; it remains an inverse match, asserting that a permission allows only the given set of ports:

- type: egress
  OnlyPorts: [22, 443, 80]

Cidr matches IPv4 ranges and CidrV6 matches IPv6 ranges. The following example matches ingress permissions that allow global inbound connections to SSH or RDP (ports 22 and 3389):

- type: ingress
  Ports: [22, 3389]
  Cidr:
    value:
      - "0.0.0.0/0"
      - "::/0"
    op: in
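
The Ports, OnlyPorts, Cidr/CidrV6 and SelfReference semantics described in the egress and ingress filter sections above, modelled offline in Python so they can be run against a sample group. This is an added illustration written for this page, not Cloud Custodian's own implementation; SAMPLE_GROUP is constructed to resemble one entry of the EC2 DescribeSecurityGroups response, and the rule dictionaries stand in for the YAML filter attributes. The text's "range that includes all of the given ports" is taken literally here, which means separate 22/22 and 3389/3389 permissions do not satisfy Ports: [22, 3389] on their own; check that reading against your installed version before relying on the SSH/RDP policy above.

```python
"""Offline model of the ingress/egress permission-matching semantics:
Ports (range must include every listed port), OnlyPorts (inverse match),
Cidr/CidrV6 with op: in, and SelfReference. Added illustration, not
Cloud Custodian's implementation; SAMPLE_GROUP is constructed."""
import ipaddress

# Constructed sample shaped like one entry of EC2 DescribeSecurityGroups.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0example"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ],
}


def port_range(perm):
    """(from, to) range a permission covers. IpProtocol -1 (all traffic)
    carries no ports in the API response, so it covers everything."""
    if str(perm.get("IpProtocol")) == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def match_ports(perm, ports):
    """Ports: true when the range includes every listed port."""
    lo, hi = port_range(perm)
    return all(lo <= p <= hi for p in ports)


def match_only_ports(perm, allowed):
    """OnlyPorts: inverse match, true when the range contains any port
    outside the allowed set (counted rather than enumerated so a full
    0-65535 range is cheap to check)."""
    lo, hi = port_range(perm)
    allowed_in_range = sum(1 for p in set(allowed) if lo <= p <= hi)
    return (hi - lo + 1) > allowed_in_range


def match_cidr(perm, cidrs, v6=False):
    """Cidr (IPv4) / CidrV6 (IPv6) with op: in. The permission matches if
    any of its ranges is one of the listed CIDRs."""
    key, field = ("Ipv6Ranges", "CidrIpv6") if v6 else ("IpRanges", "CidrIp")
    wanted = {ipaddress.ip_network(c) for c in cidrs}
    return any(ipaddress.ip_network(r[field]) in wanted
               for r in perm.get(key, []))


def match_self_reference(perm, group_id):
    """SelfReference: the permission grants access to the group itself."""
    return any(pair.get("GroupId") == group_id
               for pair in perm.get("UserIdGroupPairs", []))


def matching_permissions(group, rule):
    """Permissions satisfying every attribute in `rule` (attributes are
    ANDed). In a policy these are the permissions the filter annotates
    and that remove-permissions with ingress/egress: matched would revoke."""
    matched = []
    for perm in group["IpPermissions"]:
        checks = []
        if "IpProtocol" in rule:
            checks.append(str(perm.get("IpProtocol")) == str(rule["IpProtocol"]))
        if "Ports" in rule:
            checks.append(match_ports(perm, rule["Ports"]))
        if "OnlyPorts" in rule:
            checks.append(match_only_ports(perm, rule["OnlyPorts"]))
        if "Cidr" in rule:
            checks.append(match_cidr(perm, rule["Cidr"]))
        if "CidrV6" in rule:
            checks.append(match_cidr(perm, rule["CidrV6"], v6=True))
        if "SelfReference" in rule:
            checks.append(match_self_reference(perm, group["GroupId"]) == rule["SelfReference"])
        if all(checks):
            matched.append(perm)
    return matched


if __name__ == "__main__":
    rules = (
        {"Ports": [22, 3389]},                    # literal reading: one range must span both
        {"Ports": [22], "Cidr": ["0.0.0.0/0"]},   # world-open SSH over IPv4
        {"Ports": [3389], "CidrV6": ["::/0"]},    # world-open RDP over IPv6
        {"OnlyPorts": [22, 443, 80]},             # anything beyond 22/80/443
        {"SelfReference": True},
    )
    for rule in rules:
        hits = matching_permissions(SAMPLE_GROUP, rule)
        print(rule, "->", [(p["FromPort"], p["ToPort"]) for p in hits])
```

Run as a script it prints, per rule, the (FromPort, ToPort) pairs of the permissions that matched; on the sample the combined Ports: [22, 3389] rule matches nothing, while the split IPv4 and IPv6 rules each find one world-open permission, OnlyPorts flags the 1024-65535 and 3389 rules, and SelfReference flags the 443 rule.
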

properties:
  Cidr: {}
  CidrV6: {}
  Description: {}
  FromPort:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: integer
  IpProtocol:
    enum:
    - '-1'
    - -1
    - tcp
    - udp
    - icmp
    - icmpv6
  IpRanges: {}
  OnlyPorts:
    items:
      type: integer
    type: array
  Ports:
    items:
      type: integer
    type: array
  PrefixListIds: {}
  SelfReference:
    type: boolean
  ToPort:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: integer
  UserIdGroupPairs: {}
  match-operator:
    enum:
    - or
    - and
    type: string
  type:
    enum:
    - ingress
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (the last requires the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

stale

Filter to find security groups that contain stale references to other groups that are either no longer present or that traverse a broken VPC peering connection. Note this applies to VPC security groups only; the filter implicitly restricts itself to them.

AWS Docs:

https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

example

policies:
  - name: stale-security-groups
    resource: security-group
    filters:
      - stale

properties:
  type:
    enum:
    - stale
required:
- type

unused

Filter to just the VPC security groups that are not in use.

We scan all extant ENIs in the VPC to get a baseline set of groups in use, then augment it with the groups referenced by launch configurations and Lambda functions, since those may have no extant resources in the VPC at a given moment. We also treat as used any security group referenced from another security group, either within the VPC or across a peering connection.

Note this filter does not support classic security groups at the moment.
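
The in-use baseline the unused filter describes, worked through in Python: the groups attached to ENIs, augmented with those named by launch configurations and Lambda VPC configurations, plus groups referenced from other groups' rules, with the unused set as the complement. This is an added illustration, not Custodian's own code; every record is constructed, shaped after the EC2 DescribeNetworkInterfaces, Auto Scaling DescribeLaunchConfigurations and Lambda function configuration responses, and the choice to ignore a group that references only itself is an assumption made here.

```python
"""Added illustration of the `unused` filter's in-use baseline. Not
Cloud Custodian's code; all inputs below are constructed."""

# Constructed inputs.
ENIS = [{"NetworkInterfaceId": "eni-0a", "Groups": [{"GroupId": "sg-a"}]}]
LAUNCH_CONFIGS = [{"LaunchConfigurationName": "web", "SecurityGroups": ["sg-b"]}]
LAMBDAS = [{"FunctionName": "worker",
            "VpcConfig": {"SecurityGroupIds": ["sg-c"], "SubnetIds": ["subnet-0a"]}}]
GROUPS = [
    # sg-a is attached to an ENI and references sg-d in an ingress rule.
    {"GroupId": "sg-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-d"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-b", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-c", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-d", "IpPermissions": [], "IpPermissionsEgress": []},
    # sg-e only references itself; assumed here not to count as in use.
    {"GroupId": "sg-e", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-e"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-f", "IpPermissions": [], "IpPermissionsEgress": []},
]


def groups_in_use(enis, launch_configs, lambdas, groups):
    """ENI baseline, augmented with launch configs, Lambdas and
    cross-group references. A UserIdGroupPairs entry may carry a peer
    VpcId (reference across a peering connection); it still counts."""
    used = set()
    for eni in enis:
        used.update(g["GroupId"] for g in eni.get("Groups", []))
    for lc in launch_configs:
        used.update(lc.get("SecurityGroups", []))
    for fn in lambdas:
        used.update(fn.get("VpcConfig", {}).get("SecurityGroupIds", []))
    for sg in groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                # Assumption: a group referencing only itself is not "used".
                if pair.get("GroupId") and pair["GroupId"] != sg["GroupId"]:
                    used.add(pair["GroupId"])
    return used


def unused_groups(enis, launch_configs, lambdas, groups):
    """Complement of the in-use set over the groups we know about."""
    known = {sg["GroupId"] for sg in groups}
    return sorted(known - groups_in_use(enis, launch_configs, lambdas, groups))


if __name__ == "__main__":
    print("in use:", sorted(groups_in_use(ENIS, LAUNCH_CONFIGS, LAMBDAS, GROUPS)))
    print("unused:", unused_groups(ENIS, LAUNCH_CONFIGS, LAMBDAS, GROUPS))
```

On the constructed data sg-a through sg-d are in use (ENI, launch configuration, Lambda and cross-group reference respectively) and sg-e and sg-f come back as unused; the self-referencing sg-e is the case to decide deliberately before feeding this set to the delete action.
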

example

policies:
  - name: security-groups-unused
    resource: security-group
    filters:
      - unused

properties:
  type:
    enum:
    - unused
required:
- type

used

Filter to security groups that are in use.

This operates as a complement to the unused filter for multi-step workflows.

example

policies:
  - name: security-groups-in-use
    resource: security-group
    filters:
      - used

properties:
  type:
    enum:
    - used
required:
- type

Actions

delete

Action to delete security group(s).

It is recommended to apply a filter to the delete policy to avoid deleting every security group returned.

example

policies:
  - name: security-groups-unused-delete
    resource: security-group
    filters:
      - type: unused
    actions:
      - delete

properties:
  type:
    enum:
    - delete
required:
- type

patch

Modify a resource via application of a reverse delta.

properties:
  type:
    enum:
    - patch
required:
- type

remove-permissions

Action to remove ingress/egress rule(s) from a security group. With ingress or egress set to matched, only the permissions annotated by a preceding ingress/egress filter are removed; with all, every permission in that direction is removed.

example

policies:
  - name: security-group-revoke-8080
    resource: security-group
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [8080]
    actions:
      - type: remove-permissions
        ingress: matched

properties:
  egress:
    enum:
    - matched
    - all
    type: string
  ingress:
    enum:
    - matched
    - all
    type: string
  type:
    enum:
    - remove-permissions
required:
- type