AMA: J1 Query to pull AWS firewall rules


"Is there a query you can help me with to pull AWS firewall rules?"

--Question from Michael on the J1 Community Slack


Answer from Akash, Solutions Architecture

Hi Michael,

Generally, you can use: Find aws_security_group

Here is a query to specifically return a handful of properties:

Find aws_security_group as sg
return
 sg.tag.AccountName, sg.id, sg.displayName,
 sg.egressRules, sg.ingressRules

Here is a query to return all firewall rule properties for a single security group (if you input the id value):

Find aws_security_group with id = '' as sg
 that allows as rule *
return
 sg.tag.AccountName, sg.id, sg.displayName,
 rule.egress, rule.ingress,
 rule.fromPort, rule.toPort, rule.portRange,
 rule.protocol, rule.description

There are also some more firewall-related queries at askj1.com.

Additional response from Sounil, Security

Michael, I'm not sure what specifically you might be looking for, but I had similar questions last week around what egress filtering we have on our assets. You might want to try variations of the following two queries to find those quickly, in case that's what you were looking for:

  • FIND aws_security_group THAT ALLOWS >> Internet  (to find those that have no egress filtering)
  • FIND aws_security_group THAT !ALLOWS >> Internet  (to find those that do have egress filtering)

Doing consistent egress filtering would be difficult without having your assets within a VPC, so you can also do queries to find those assets that aren't in a VPC. For example:

FIND Function THAT !HAS aws_subnet
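One way to combine the two answers above, as an added example that is not from the original post: list the security groups whose inbound rules admit SSH from the Internet, along with the rule that does so. It assumes the firewall rules are stored on the ALLOWS relationship (as in Akash's "as rule" query) with the rule.ingress, rule.fromPort and rule.toPort properties shown above, and that Internet is the target entity as in Sounil's queries; port 22 is only a constructed example value.

```j1ql
FIND aws_security_group AS sg
  THAT ALLOWS AS rule Internet
WHERE rule.ingress = true
  AND rule.fromPort <= 22
  AND rule.toPort >= 22
RETURN
  sg.tag.AccountName, sg.id, sg.displayName,
  rule.protocol, rule.fromPort, rule.toPort, rule.description
```

Swap the port bounds for any other service you care about, or use rule.egress = true with the same shape to get the outbound view Sounil describes.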

AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack 
