Audit of AWS Security Groups for Compliance with Inbound Traffic Restrictions
The workflow involves analyzing AWS security groups across different regions to identify those that are non-compliant with security policies. Specifically, it focuses on security groups that allow inbound TCP traffic from unrestricted sources, such as 0.0.0.0/0 or ::/0. The process includes listing these non-compliant security groups along with the open ports and CIDR ranges that pose a security risk. The final step is to organize the non-compliant security groups into a table, categorizing them by region and compliance status. This helps in visualizing the distribution of security risks across the AWS infrastructure.

1. List security groups by region and identify non-compliant groups

    This script counts the AWS security groups in each region and identifies the non-compliant groups that allow unrestricted inbound TCP traffic (source 0.0.0.0/0 or ::/0).

    ```python
    import boto3
    import json


    def get_security_groups_by_region(regions):
        # getEnvVar and regions are supplied by the workflow runtime, not by Python itself.
        aws_access_key_id = getEnvVar('AWS_ACCESS_KEY_ID')
        aws_secret_access_key = getEnvVar('AWS_SECRET_ACCESS_KEY')
        security_group_summary = {}
        for region in regions:
            ec2_client = boto3.client(
                'ec2',
                region_name=region,
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=aws_secret_access_key,
            )
            response = ec2_client.describe_security_groups()
            security_groups = response.get('SecurityGroups', [])
            total_groups = len(security_groups)
            non_compliant_groups = []
            for sg in security_groups:
                group_id = sg.get('GroupId')
                group_name = sg.get('GroupName')
                # Only inbound (IpPermissions) TCP rules are checked here.
                for permission in sg.get('IpPermissions', []):
                    if permission.get('IpProtocol') == 'tcp':
                        # IPv4 source ranges open to the whole internet
                        for ip_range in permission.get('IpRanges', []):
                            cidr_ip = ip_range.get('CidrIp')
                            if cidr_ip == '0.0.0.0/0':
                                non_compliant_groups.append({
                                    'GroupId': group_id,
                                    'GroupName': group_name,
                                    'Port': permission.get('FromPort'),
                                    'CidrIp': cidr_ip,
                                })
                        # IPv6 source ranges open to the whole internet
                        for ipv6_range in permission.get('Ipv6Ranges', []):
                            cidr_ipv6 = ipv6_range.get('CidrIpv6')
                            if cidr_ipv6 == '::/0':
                                non_compliant_groups.append({
                                    'GroupId': group_id,
                                    'GroupName': group_name,
                                    'Port': permission.get('FromPort'),
                                    'CidrIpv6': cidr_ipv6,
                                })
            security_group_summary[region] = {
                'TotalSecurityGroups': total_groups,
                'NonCompliantGroups': non_compliant_groups,
            }
        return security_group_summary


    # regions: list of AWS region names provided as workflow input
    security_group_summary = get_security_groups_by_region(regions)
    print(json.dumps(security_group_summary, indent=4, default=str))
    ```
2. Tabulate non-compliant security groups by region and compliance status

    This script tabulates the non-compliant security groups found in step 1 by region, listing the group, open port and source CIDR for each finding.

    ```python
    # context is the workflow runtime object; newtable() creates an output table.
    table = context.newtable()

    # Count the non-compliant groups across all regions (one table row each)
    num_non_compliant = sum(
        len(region_data['NonCompliantGroups'])
        for region_data in security_group_summary.values()
    )

    if num_non_compliant > 0:
        # Set table properties
        table.num_rows = num_non_compliant + 1  # +1 for header
        table.num_cols = 5
        table.title = "Non-Compliant Security Groups by Region"
        table.has_header_row = True

        # Set header
        table.setval(0, 0, "Region")
        table.setval(0, 1, "GroupId")
        table.setval(0, 2, "GroupName")
        table.setval(0, 3, "Port")
        table.setval(0, 4, "CIDR")

        # Fill table with non-compliant security groups
        row = 1
        for region, region_data in security_group_summary.items():
            for group in region_data['NonCompliantGroups']:
                table.setval(row, 0, region)
                table.setval(row, 1, group['GroupId'])
                table.setval(row, 2, group['GroupName'])
                table.setval(row, 3, str(group['Port']))
                # Findings carry either an IPv4 or an IPv6 source range
                table.setval(row, 4, group.get('CidrIp', group.get('CidrIpv6', '')))
                row += 1
        print("Non-compliant security groups table created successfully.")
    else:
        print("No non-compliant security groups found; no table created.")
    ```
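The rule check from step 1, as an added example that is not part of the workflow's own code: a pure function over the dict shape returned by describe_security_groups, so it can be unit-tested offline without AWS credentials. It goes beyond the step 1 script by also reporting IpProtocol "-1" (all traffic, which includes TCP), by showing FromPort-ToPort ranges, and by optionally covering other protocols; the sample security group is constructed.

```python
import ipaddress


def is_unrestricted(cidr):
    """True for a /0 network (0.0.0.0/0 or ::/0); missing or malformed input is not flagged."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except (TypeError, ValueError):
        return False


def port_label(permission):
    """Port range as text; an IpProtocol of '-1' (all traffic) carries no ports."""
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    if permission.get("IpProtocol") == "-1" or lo is None:
        return "all"
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_unrestricted_inbound(sg, protocols=("tcp",)):
    """Findings for inbound rules of one security group (describe_security_groups
    shape) whose source is any address. '-1' rules are always reported: they include TCP."""
    findings = []
    for permission in sg.get("IpPermissions", []):
        proto = permission.get("IpProtocol")
        if proto != "-1" and proto not in protocols:
            continue
        cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if is_unrestricted(cidr):
                findings.append({"GroupId": sg.get("GroupId"),
                                 "GroupName": sg.get("GroupName"),
                                 "Protocol": proto,
                                 "Port": port_label(permission),
                                 "Cidr": cidr})
    return findings


# Constructed sample in describe_security_groups shape (not real data).
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}
```

Running it on SAMPLE_SG yields three findings with the default TCP filter (ports 22, 8000-8100 and "all"); the 443 rule limited to 10.0.0.0/8 is compliant and the UDP rule is reported only when "udp" is added to protocols.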