steampipe plugin install aws

Table: aws_networkfirewall_rule_group - Query AWS Network Firewall Rule Group using SQL

The AWS Network Firewall Rule Group is a component of AWS Network Firewall, a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The rule group acts as a container for the stateless and stateful rule sets that make up the firewall policy for a network resource. It enables you to mix and match sets of rules to meet the specific security requirements of each individual resource.

Table Usage Guide

The aws_networkfirewall_rule_group table in Steampipe provides you with information about rule groups within AWS Network Firewall. This table allows you, as a DevOps engineer, to query rule group-specific details, including the rule group ARN, capacity, rule group name, status, associations, rule definitions, and associated tags. You can use it to gather insights on rule groups, such as how much of a group's fixed capacity is consumed, whether a group is referenced by any firewall policy, and which rules it contains. The schema below lists the attributes the table exposes.

Examples

Basic info

Explore the status and type of rule groups in your AWS Network Firewall to understand their configurations and ensure your network security measures are functioning as expected. This can be particularly useful in identifying areas of vulnerability or inefficiency within your firewall setup.

Postgres:

select
  rule_group_name,
  rule_group_status,
  type,
  jsonb_pretty(rules_source) as rules_source
from
  aws_networkfirewall_rule_group;

SQLite:

select
  rule_group_name,
  rule_group_status,
  type,
  rules_source
from
  aws_networkfirewall_rule_group;

List rule groups with no associations

Identify rule groups in AWS Network Firewall that are not referenced by any firewall policy. This is useful for finding unused rule groups that may be unnecessarily incurring costs or cluttering the account, and for confirming that a rule group you expect to be enforced is actually attached to a policy.

Postgres:

select
  rule_group_name,
  rule_group_status
from
  aws_networkfirewall_rule_group
where
  number_of_associations = 0;

SQLite:

select
  rule_group_name,
  rule_group_status
from
  aws_networkfirewall_rule_group
where
  number_of_associations = 0;

Get rules for stateful rule groups

This query lists the rules, rule variables, and rule options of stateful rule groups in AWS Network Firewall. It is useful for security administrators who want to review how these groups are configured and spot overly permissive or misconfigured rules.

Postgres:

select
  rule_group_name,
  rule_group_status,
  jsonb_pretty(rules_source -> 'StatefulRules') as stateful_rules,
  jsonb_pretty(rule_variables) as rule_variables,
  stateful_rule_options
from
  aws_networkfirewall_rule_group
where
  type = 'STATEFUL';

SQLite:

select
  rule_group_name,
  rule_group_status,
  json_extract(rules_source, '$.StatefulRules') as stateful_rules,
  rule_variables,
  stateful_rule_options
from
  aws_networkfirewall_rule_group
where
  type = 'STATEFUL';

Get rules and custom actions for stateless rule groups

List the rules and custom actions defined in stateless rule groups. This information is useful for understanding the configuration and status of your network firewall, since custom actions (for example, publishing CloudWatch metrics) only take effect when a stateless rule references them.

Postgres:

select
  rule_group_name,
  rule_group_status,
  jsonb_pretty(
    rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'
  ) as stateless_rules,
  jsonb_pretty(
    rules_source -> 'StatelessRulesAndCustomActions' -> 'CustomActions'
  ) as custom_actions
from
  aws_networkfirewall_rule_group
where
  type = 'STATELESS';

SQLite:

select
  rule_group_name,
  rule_group_status,
  json_extract(
    rules_source,
    '$.StatelessRulesAndCustomActions.StatelessRules'
  ) as stateless_rules,
  json_extract(
    rules_source,
    '$.StatelessRulesAndCustomActions.CustomActions'
  ) as custom_actions
from
  aws_networkfirewall_rule_group
where
  type = 'STATELESS';

List rule groups with no rules

Find rule groups that are defined but contain no rules. Such groups enforce nothing, so a policy that references one of them may give a false sense of coverage; they may also be leftovers that can be removed.

Postgres:

select
  rule_group_name,
  rule_group_status,
  number_of_associations
from
  aws_networkfirewall_rule_group
where
  (
    type = 'STATELESS'
    and jsonb_array_length(
      rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'
    ) = 0
  )
  or (
    type = 'STATEFUL'
    and jsonb_array_length(rules_source -> 'StatefulRules') = 0
  );

SQLite:

select
  rule_group_name,
  rule_group_status,
  number_of_associations
from
  aws_networkfirewall_rule_group
where
  (
    type = 'STATELESS'
    and json_array_length(
      json_extract(
        rules_source,
        '$.StatelessRulesAndCustomActions.StatelessRules'
      )
    ) = 0
  )
  or (
    type = 'STATEFUL'
    and json_array_length(json_extract(rules_source, '$.StatefulRules')) = 0
  );
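Added here as an example that is not part of the Steampipe docs, this Postgres query flattens each group's rules_source to one row per rule and keeps only rules that pass traffic from any source, which is where an unintended allow usually hides. It assumes the nested key names match the AWS Network Firewall API as the table stores them (RuleDefinition, MatchAttributes, Sources, Actions, Header, Action); check them against jsonb_pretty(rules_source) before relying on the filter.

```sql
-- Added example (not from the Steampipe docs): one row per rule, filtered to
-- rules that pass traffic from any source. Nested key names follow the AWS
-- Network Firewall API (RuleDefinition, MatchAttributes, Header, ...).
with stateless as (
  select
    g.rule_group_name,
    g.type,
    (r ->> 'Priority')::int as priority,
    r -> 'RuleDefinition' -> 'Actions' as actions,
    r -> 'RuleDefinition' -> 'MatchAttributes' -> 'Sources' as sources,
    r -> 'RuleDefinition' -> 'MatchAttributes' -> 'Destinations' as destinations
  from
    aws_networkfirewall_rule_group g,
    jsonb_array_elements(
      g.rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'
    ) as r
  where
    g.type = 'STATELESS'
),
stateful as (
  -- 5-tuple stateful rules carry one Action and a Header with Source/Destination;
  -- Suricata-string and domain-list groups have no StatefulRules array and are skipped
  select
    g.rule_group_name,
    g.type,
    null::int as priority,
    jsonb_build_array(r -> 'Action') as actions,
    jsonb_build_array(r -> 'Header' -> 'Source') as sources,
    jsonb_build_array(r -> 'Header' -> 'Destination') as destinations
  from
    aws_networkfirewall_rule_group g,
    jsonb_array_elements(g.rules_source -> 'StatefulRules') as r
  where
    g.type = 'STATEFUL'
)
select
  rule_group_name, type, priority, actions, sources, destinations
from
  (select * from stateless union all select * from stateful) as rules
where
  (actions @> '["aws:pass"]' or actions @> '["PASS"]')
  -- a stateless rule with no Sources list matches any source address
  and (
    sources is null
    or sources @> '[{"AddressDefinition": "0.0.0.0/0"}]'
    or sources @> '["ANY"]'
  )
order by
  rule_group_name, priority;
```

Drop the where clause to get the full flattened rule inventory, which is a convenient base for diffing rule groups between accounts or over time.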

Schema for aws_networkfirewall_rule_group

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | = | The Amazon Resource Name (ARN) of the rule group.
capacity | bigint | | The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
consumed_capacity | bigint | | The number of capacity units currently consumed by the rule group rules.
description | text | | A description of the rule group.
number_of_associations | bigint | | The number of firewall policies that use this rule group.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
rule_group_id | text | | The unique identifier for the rule group.
rule_group_name | text | = | The descriptive name of the rule group.
rule_group_status | text | | Detailed information about the current status of a rule group.
rule_variables | jsonb | | Settings that are available for use in the rules in the rule group. You can only use these for stateful rule groups.
rules_source | jsonb | | The stateful rules or stateless rules for the rule group.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
stateful_rule_options | jsonb | | Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A list of tags assigned to the resource.
title | text | | Title of the resource.
type | text | | Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.

Export

This table is also available through the standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_networkfirewall_rule_group