AMA: AWS security groups that have ingress rules of 0.0.0.0/0


AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack.

"I am trying to build a query that shows any AWS security groups that have ingress rules of 0.0.0.0/0.

As of right now I just export our entire list of security groups and filter in a spreadsheet for 0.0.0.0/0 in the ingress settings but I'd prefer to do this in the platform instead of a spreadsheet. Can you point me in the right direction?"

--Question from James on the J1 Community Slack

 

Answer from Austin, Principal Software Engineer

Hi James. You have a few options.

This is the recommended pattern. Specify the relationship direction:

FIND aws_security_group 
THAT ALLOWS << Internet

 

An alternative is to filter by ingress = true on the relationship:

FIND aws_security_group
THAT ALLOWS AS allows Internet
WHERE allows.ingress = true

 

Another alternative is to filter directly on the ingressRules property on aws_security_group entities using the string contains operator (~):

FIND aws_security_group WITH ingressRules ~= "0.0.0.0/0"

 

Thanks for the question. -- Austin

Articles in this Series

  1. AMA: JupiterOne and PagerDuty WebHooks
  2. AMA: Export YAML Files for Vendors Pulled from SSO Providers
  3. AMA: Map Controls and Frameworks Relationships
  4. AMA: How to Track Professional Associations, Security Forums, and Threat Intel Sources
  5. AMA: Find AWS Instances by their Private IP Address
  6. AMA: SSO Integrated Authentication, Move to Another Role
  7. AMA: send-mail action to map two properties
  8. AMA: Setup the Policy Accept Button
  9. AMA: Match a blank field in J1QL
  10. AMA: Track and Alert Using Firewall Rules Matrix
  11. AMA: AWS Roles not used for 90 days, and date related queries
  12. AMA: Manage Alerts for Jira through J1 Terraform Provider
  13. AMA: Filter Results from Specific AWS Accounts
  14. AMA: Iterate and return total count of iam users per account
  15. AMA: Search for security groups by tag
  16. AMA: Identify S3 Buckets Open to Cross-Account Attacks
  17. AMA: Resources for J1 DevOps Use Cases
  18. AMA: Sub-Queries in J1QL
  19. AMA: What permissions are needed for AWS
  20. AMA: How to disable a policy


Posted By Austin Kelleher

Austin Kelleher leads the Integrations team at JupiterOne. His background is in building highly-scalable cloud systems, and he has been recently focused on modeling data for graph-based security analysis. Austin holds a B.S. in Computer Science from Penn State University.
