standard
turbot/aws_compliance

Trigger: Detect & correct default VPC security groups allowing ingress egress

Detect default security group rules that allow both incoming and outgoing internet traffic, then skip or revoke the security group rule.

Query

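-- Every security group rule, projected into the shape the detection needs.
-- Null CIDRs are rendered as '' so the cidr columns are always text; rules
-- with no CIDR at all (e.g. ones that reference another group) are still
-- reported rather than being lost to a null.
with ingress_and_egress_rules as (
  select
    group_id,
    security_group_rule_id,
    ip_protocol,
    from_port,
    to_port,
    coalesce(cidr_ipv4 :: text, '') as cidr_ipv4,
    coalesce(cidr_ipv6 :: text, '') as cidr_ipv6,
    region,
    account_id,
    is_egress,
    sp_connection_name as conn
  from
    aws_vpc_security_group_rule
)
-- One row per rule attached to a VPC default security group. Every rule on
-- the group is returned, whatever its CIDR, so a rule that is not open to the
-- internet is reported as well.
select
  concat(sg.group_id, ' [', sg.account_id, '/', sg.region, ']') as title,
  case
    when r.is_egress then 'egress'
    else 'ingress'
  end as type,
  sg.group_id as group_id,
  r.security_group_rule_id as security_group_rule_id,
  sg.region as region,
  r.ip_protocol as ip_protocol,
  r.from_port as from_port,
  r.to_port as to_port,
  r.cidr_ipv4 as cidr_ipv4,
  r.cidr_ipv6 as cidr_ipv6,
  sg.sp_connection_name as conn
from
  aws_vpc_security_group as sg
  -- inner join rather than left join + "is not null": a default group with
  -- no rules is compliant and must not produce a row. Matching on account,
  -- region and connection as well as group_id stops a rule from one
  -- account/connection being paired with a same-id group seen through
  -- another connection, which would duplicate or mis-attribute findings.
  inner join ingress_and_egress_rules as r
    on r.group_id = sg.group_id
    and r.account_id = sg.account_id
    and r.region = sg.region
    and r.conn = sg.sp_connection_name
where
  sg.group_name = 'default';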

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/VPC