turbot/alicloud

steampipe plugin install alicloud

Table: alicloud_ecs_security_group

A security group is a logically isolated, mutually accessible group of instances within the same region that all share the same security requirements.

Examples

List of security groups where all instances within the security group are isolated from each other

select
name,
security_group_id,
type,
inner_access_policy
from
alicloud_ecs_security_group
where
inner_access_policy = 'drop';

Get the security group rules of each security group

select
name,
security_group_id,
p ->> 'IpProtocol' as ip_protocol_type,
p ->> 'PortRange' as port_range,
p ->> 'Direction' as direction,
p ->> 'SourceCidrIp' as source_cidr_ip,
p ->> 'SourcePortRange' as source_port_range
from
alicloud_ecs_security_group,
jsonb_array_elements(permissions) as p;

List of all enterprise security groups

select
name,
security_group_id,
region_id,
type
from
alicloud_ecs_security_group
where
type = 'enterprise';

Count of security groups by VPC ID

select
vpc_id,
count(*) as count
from
alicloud_ecs_security_group
group by
vpc_id;

Get the security group rules that allow inbound public access to all tcp or udp ports

select
name,
security_group_id,
p ->> 'IpProtocol' as ip_protocol_type,
p ->> 'PortRange' as port_range,
p ->> 'Direction' as direction,
p ->> 'SourceCidrIp' as source_cidr_ip,
p ->> 'SourcePortRange' as source_port_range
from
alicloud_ecs_security_group,
jsonb_array_elements(permissions) as p
where
p ->> 'IpProtocol' in ('TCP', 'UDP', 'ALL')
and p ->> 'Direction' = 'ingress'
and p ->> 'SourceCidrIp' = '0.0.0.0/0'
and (
p ->> 'PortRange' = '-1/-1'
or p ->> 'PortRange' = '1/65535'
);

Get the security group rules that allow inbound public access to all tcp or udp ports, along with instances attached to them

select
i.name as instance_name,
i.instance_id,
sg.name as security_group_name,
sg.security_group_id,
p ->> 'IpProtocol' as ip_protocol_type,
p ->> 'PortRange' as port_range,
p ->> 'Direction' as direction,
p ->> 'SourceCidrIp' as source_cidr_ip,
p ->> 'SourcePortRange' as source_port_range
from
alicloud_ecs_security_group as sg,
jsonb_array_elements(sg.permissions) as p,
alicloud_ecs_instance as i,
jsonb_array_elements_text(i.security_group_ids) as instance_sg
where
p ->> 'IpProtocol' in ('TCP', 'UDP', 'ALL')
and p ->> 'Direction' = 'ingress'
and p ->> 'SourceCidrIp' = '0.0.0.0/0'
and (
p ->> 'PortRange' = '-1/-1'
or p ->> 'PortRange' = '1/65535'
)
and instance_sg = sg.security_group_id;
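The two public-access queries above only match rules that open every port. The following query, added here as an example rather than taken from the plugin's documentation, generalizes them: it parses the 'from/to' PortRange of each ingress rule open to 0.0.0.0/0 and reports any rule whose range covers a sensitive service port, treating '-1/-1' as all ports. The Policy key (Accept/Drop in the Alibaba Cloud API) and the sensitive_ports list are assumptions; drop the policy clause if your rows do not carry that key.

```sql
with rules as (
  select
    sg.name,
    sg.security_group_id,
    sg.vpc_id,
    p ->> 'IpProtocol' as ip_protocol,
    p ->> 'PortRange' as port_range,
    p ->> 'SourceCidrIp' as source_cidr_ip,
    p ->> 'Policy' as policy, -- assumed key: Accept or Drop
    -- PortRange is 'from/to'; '-1/-1' means every port
    case when p ->> 'PortRange' = '-1/-1' then 1
         else split_part(p ->> 'PortRange', '/', 1)::int end as port_from,
    case when p ->> 'PortRange' = '-1/-1' then 65535
         else split_part(p ->> 'PortRange', '/', 2)::int end as port_to
  from
    alicloud_ecs_security_group as sg,
    jsonb_array_elements(sg.permissions) as p
  where
    p ->> 'Direction' = 'ingress'
    and p ->> 'SourceCidrIp' = '0.0.0.0/0'
    -- ICMP also reports '-1/-1', so restrict to TCP and ALL
    and p ->> 'IpProtocol' in ('TCP', 'ALL')
),
-- constructed list of ports worth flagging; adjust to your baseline
sensitive_ports(port, service) as (
  values (22, 'ssh'), (3389, 'rdp'), (3306, 'mysql'), (6379, 'redis')
)
select
  r.name,
  r.security_group_id,
  r.vpc_id,
  s.service,
  s.port,
  r.port_range,
  r.policy
from
  rules as r
  join sensitive_ports as s
    on s.port between r.port_from and r.port_to
where
  -- rows without a Policy key are treated as Accept
  coalesce(r.policy, 'Accept') = 'Accept'
order by
  r.security_group_id,
  s.port;
```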

Query examples

.inspect alicloud_ecs_security_group

ECS Security Group

Name                | Type                        | Description
--------------------|-----------------------------|-----------------------------------------------------------------------
account_id          | text                        | The alicloud Account ID in which the resource is located.
akas                | jsonb                       | Array of globally unique identifier strings (also known as) for the resource.
arn                 | text                        | The Alibaba Cloud Resource Name (ARN) of the ECS security group.
creation_time       | timestamp without time zone | The time when the security group was created.
description         | text                        | The description of the security group.
inner_access_policy | text                        | The inner access policy of the security group.
name                | text                        | The name of the security group.
permissions         | jsonb                       | Details about the security group rules.
region              | text                        | The name of the region where the resource belongs.
resource_group_id   | text                        | The ID of the resource group to which the security group belongs.
security_group_id   | text                        | The ID of the security group.
service_id          | bigint                      | The ID of the distributor to which the security group belongs.
service_managed     | boolean                     | Indicates whether the user is an Alibaba Cloud service or a distributor.
tags                | jsonb                       | A map of tags for the resource.
tags_src            | jsonb                       | A list of tags attached with the security group.
title               | text                        | Title of the resource.
type                | text                        | The type of the security group. Possible values are: normal, and enterprise.
vpc_id              | text                        | The ID of the VPC to which the security group belongs.