aws_accessanalyzer_analyzeraws_accessanalyzer_findingaws_accountaws_account_alternate_contactaws_account_contactaws_acm_certificateaws_acmpca_certificate_authorityaws_amplify_appaws_api_gateway_api_keyaws_api_gateway_authorizeraws_api_gateway_domain_nameaws_api_gateway_methodaws_api_gateway_rest_apiaws_api_gateway_stageaws_api_gateway_usage_planaws_api_gatewayv2_apiaws_api_gatewayv2_domain_nameaws_api_gatewayv2_integrationaws_api_gatewayv2_routeaws_api_gatewayv2_stageaws_app_runner_serviceaws_appautoscaling_policyaws_appautoscaling_targetaws_appconfig_applicationaws_appstream_fleetaws_appstream_imageaws_appsync_graphql_apiaws_athena_query_executionaws_athena_workgroupaws_auditmanager_assessmentaws_auditmanager_controlaws_auditmanager_evidenceaws_auditmanager_evidence_folderaws_auditmanager_frameworkaws_availability_zoneaws_backup_frameworkaws_backup_jobaws_backup_legal_holdaws_backup_planaws_backup_protected_resourceaws_backup_recovery_pointaws_backup_report_planaws_backup_selectionaws_backup_vaultaws_cloudcontrol_resourceaws_cloudformation_stackaws_cloudformation_stack_resourceaws_cloudformation_stack_setaws_cloudfront_cache_policyaws_cloudfront_distributionaws_cloudfront_functionaws_cloudfront_origin_access_identityaws_cloudfront_origin_request_policyaws_cloudfront_response_headers_policyaws_cloudsearch_domainaws_cloudtrail_channelaws_cloudtrail_event_data_storeaws_cloudtrail_importaws_cloudtrail_lookup_eventaws_cloudtrail_queryaws_cloudtrail_trailaws_cloudtrail_trail_eventaws_cloudwatch_alarmaws_cloudwatch_log_eventaws_cloudwatch_log_groupaws_cloudwatch_log_metric_filteraws_cloudwatch_log_resource_policyaws_cloudwatch_log_streamaws_cloudwatch_log_subscription_filteraws_cloudwatch_metricaws_cloudwatch_metric_data_pointaws_cloudwatch_metric_statistic_data_pointaws_codeartifact_domainaws_codeartifact_repositoryaws_codebuild_buildaws_codebuild_projectaws_codebuild_source_credentialaws_codecommit_repositoryaws_codedeploy_appaws_codedeploy_deployment_configaws_codedeploy_deployment_groupaws_codepipeline_pipelineaws_codestar_notification_ruleaws_cognito_identity_poolaws_cognito_identity_provideraws_cognito_user_poolaws_config_aggregate_authorizationaws_config_configuration_recorderaws_config_conformance_packaws_config_retention_configurationaws_config_ruleaws_cost_by_account_dailyaws_cost_by_account_monthlyaws_cost_by_record_type_dailyaws_cost_by_record_type_monthlyaws_cost_by_service_dailyaws_cost_by_service_monthlyaws_cost_by_service_usage_type_dailyaws_cost_by_service_usage_type_monthlyaws_cost_by_tagaws_cost_forecast_dailyaws_cost_forecast_monthlyaws_cost_usageaws_dax_clusteraws_dax_parameteraws_dax_parameter_groupaws_dax_subnet_groupaws_directory_service_certificateaws_directory_service_directoryaws_directory_service_log_subscriptionaws_directory_servicelog_subscriptionaws_dlm_lifecycle_policyaws_dms_certificateaws_dms_endpointaws_dms_replication_instanceaws_dms_replication_taskaws_docdb_clusteraws_docdb_cluster_instanceaws_docdb_cluster_snapshotaws_drs_jobaws_drs_recovery_instanceaws_drs_recovery_snapshotaws_drs_source_serveraws_dynamodb_backupaws_dynamodb_global_tableaws_dynamodb_metric_account_provisioned_read_capacity_utilaws_dynamodb_metric_account_provisioned_write_capacity_utilaws_dynamodb_tableaws_dynamodb_table_exportaws_ebs_snapshotaws_ebs_volumeaws_ebs_volume_metric_read_opsaws_ebs_volume_metric_read_ops_dailyaws_ebs_volume_metric_read_ops_hourlyaws_ebs_volume_metric_write_opsaws_ebs_volume_metric_write_ops_dailyaws_ebs_volume_metric_write_ops_hourlyaws_ec2_amiaws_ec2_ami_sharedaws_ec2_application_load_balanceraws_ec2_application_load_balancer_metric_request_countaws_ec2_application_load_balancer_metric_request_count_dailyaws_ec2_autoscaling_groupaws_ec2_capacity_reservationaws_ec2_classic_load_balanceraws_ec2_client_vpn_endpointaws_ec2_gateway_load_balanceraws_ec2_instanceaws_ec2_instance_availabilityaws_ec2_instance_metric_cpu_utilizationaws_ec2_instance_metric_cpu_utilization_dailyaws_ec2_instance_metric_cpu_utilization_hourlyaws_ec2_instance_typeaws_ec2_key_pairaws_ec2_launch_configurationaws_ec2_launch_templateaws_ec2_launch_template_versionaws_ec2_load_balancer_listeneraws_ec2_load_balancer_listener_ruleaws_ec2_managed_prefix_listaws_ec2_managed_prefix_list_entryaws_ec2_network_interfaceaws_ec2_network_load_balanceraws_ec2_network_load_balancer_metric_net_flow_countaws_ec2_network_load_balancer_metric_net_flow_count_dailyaws_ec2_regional_settingsaws_ec2_reserved_instanceaws_ec2_spot_priceaws_ec2_ssl_policyaws_ec2_target_groupaws_ec2_transit_gatewayaws_ec2_transit_gateway_routeaws_ec2_transit_gateway_route_tableaws_ec2_transit_gateway_vpc_attachmentaws_ecr_imageaws_ecr_image_scan_findingaws_ecr_registry_scanning_configurationaws_ecr_repositoryaws_ecrpublic_repositoryaws_ecs_clusteraws_ecs_cluster_metric_cpu_utilizationaws_ecs_cluster_metric_cpu_utilization_dailyaws_ecs_cluster_metric_cpu_utilization_hourlyaws_ecs_container_instanceaws_ecs_serviceaws_ecs_taskaws_ecs_task_definitionaws_efs_access_pointaws_efs_file_systemaws_efs_mount_targetaws_eks_addonaws_eks_addon_versionaws_eks_clusteraws_eks_fargate_profileaws_eks_identity_provider_configaws_eks_node_groupaws_elastic_beanstalk_applicationaws_elastic_beanstalk_application_versionaws_elastic_beanstalk_environmentaws_elasticache_clusteraws_elasticache_parameter_groupaws_elasticache_redis_metric_cache_hits_hourlyaws_elasticache_redis_metric_curr_connections_hourlyaws_elasticache_redis_metric_engine_cpu_utilization_dailyaws_elasticache_redis_metric_engine_cpu_utilization_hourlyaws_elasticache_redis_metric_get_type_cmds_hourlyaws_elasticache_redis_metric_list_based_cmds_hourlyaws_elasticache_redis_metric_new_connections_hourlyaws_elasticache_replication_groupaws_elasticache_reserved_cache_nodeaws_elasticache_subnet_groupaws_elasticsearch_domainaws_emr_block_public_access_configurationaws_emr_clusteraws_emr_cluster_metric_is_idleaws_emr_instanceaws_emr_instance_fleetaws_emr_instance_groupaws_emr_security_configurationaws_eventbridge_busaws_eventbridge_ruleaws_fms_app_listaws_fms_policyaws_fsx_file_systemaws_glacier_vaultaws_globalaccelerator_acceleratoraws_globalaccelerator_endpoint_groupaws_globalaccelerator_listeneraws_glue_catalog_databaseaws_glue_catalog_tableaws_glue_connectionaws_glue_crawleraws_glue_data_catalog_encryption_settingsaws_glue_data_quality_rulesetaws_glue_dev_endpointaws_glue_jobaws_glue_security_configurationaws_guardduty_detectoraws_guardduty_filteraws_guardduty_findingaws_guardduty_ipsetaws_guardduty_memberaws_guardduty_publishing_destinationaws_guardduty_threat_intel_setaws_health_affected_entityaws_health_eventaws_iam_access_advisoraws_iam_access_keyaws_iam_account_password_policyaws_iam_account_summaryaws_iam_actionaws_iam_credential_reportaws_iam_groupaws_iam_open_id_connect_provideraws_iam_policyaws_iam_policy_attachmentaws_iam_policy_simulatoraws_iam_roleaws_iam_saml_provideraws_iam_server_certificateaws_iam_service_specific_credentialaws_iam_useraws_iam_virtual_mfa_deviceaws_identitystore_groupaws_identitystore_group_membershipaws_identitystore_useraws_inspector2_coverageaws_inspector2_coverage_statisticsaws_inspector2_findingaws_inspector2_memberaws_inspector_assessment_runaws_inspector_assessment_targetaws_inspector_assessment_templateaws_inspector_exclusionaws_inspector_findingaws_iot_fleet_metricaws_iot_thingaws_iot_thing_groupaws_iot_thing_typeaws_kinesis_consumeraws_kinesis_firehose_delivery_streamaws_kinesis_streamaws_kinesis_video_streamaws_kinesisanalyticsv2_applicationaws_kms_aliasaws_kms_keyaws_kms_key_rotationaws_lambda_aliasaws_lambda_event_source_mappingaws_lambda_functionaws_lambda_function_metric_duration_dailyaws_lambda_function_metric_errors_dailyaws_lambda_function_metric_invocations_dailyaws_lambda_layeraws_lambda_layer_versionaws_lambda_versionaws_lightsail_bucketaws_lightsail_instanceaws_macie2_classification_jobaws_media_store_containeraws_memorydb_clusteraws_mgn_applicationaws_mq_brokeraws_msk_clusteraws_msk_serverless_clusteraws_neptune_db_clusteraws_neptune_db_cluster_snapshotaws_networkfirewall_firewallaws_networkfirewall_firewall_policyaws_networkfirewall_rule_groupaws_oam_linkaws_oam_sinkaws_opensearch_domainaws_organizations_accountaws_organizations_organizational_unitaws_organizations_policyaws_organizations_policy_targetaws_organizations_rootaws_pinpoint_appaws_pipes_pipeaws_pricing_productaws_pricing_service_attributeaws_ram_principal_associationaws_ram_resource_associationaws_rds_db_clusteraws_rds_db_cluster_parameter_groupaws_rds_db_cluster_snapshotaws_rds_db_engine_versionaws_rds_db_event_subscriptionaws_rds_db_instanceaws_rds_db_instance_automated_backupaws_rds_db_instance_metric_connectionsaws_rds_db_instance_metric_connections_dailyaws_rds_db_instance_metric_connections_hourlyaws_rds_db_instance_metric_cpu_utilizationaws_rds_db_instance_metric_cpu_utilization_dailyaws_rds_db_instance_metric_cpu_utilization_hourlyaws_rds_db_instance_metric_read_iopsaws_rds_db_instance_metric_read_iops_dailyaws_rds_db_instance_metric_read_iops_hourlyaws_rds_db_instance_metric_write_iopsaws_rds_db_instance_metric_write_iops_dailyaws_rds_db_instance_metric_write_iops_hourlyaws_rds_db_option_groupaws_rds_db_parameter_groupaws_rds_db_proxyaws_rds_db_recommendationaws_rds_db_snapshotaws_rds_db_subnet_groupaws_rds_reserved_db_instanceaws_redshift_clusteraws_redshift_cluster_metric_cpu_utilization_dailyaws_redshift_event_subscriptionaws_redshift_parameter_groupaws_redshift_snapshotaws_redshift_subnet_groupaws_redshiftserverless_namespaceaws_redshiftserverless_workgroupaws_regionaws_resource_explorer_indexaws_resource_explorer_searchaws_resource_explorer_supported_resource_typeaws_route53_domainaws_route53_health_checkaws_route53_query_logaws_route53_recordaws_route53_resolver_endpointaws_route53_resolver_query_log_configaws_route53_resolver_ruleaws_route53_traffic_policyaws_route53_traffic_policy_instanceaws_route53_vpc_association_authorizationaws_route53_zoneaws_s3_access_pointaws_s3_account_settingsaws_s3_bucketaws_s3_bucket_intelligent_tiering_configurationaws_s3_multi_region_access_pointaws_s3_objectaws_s3_object_versionaws_sagemaker_appaws_sagemaker_domainaws_sagemaker_endpoint_configurationaws_sagemaker_modelaws_sagemaker_notebook_instanceaws_sagemaker_training_jobaws_secretsmanager_secretaws_securityhub_action_targetaws_securityhub_enabled_product_subscriptionaws_securityhub_findingaws_securityhub_finding_aggregatoraws_securityhub_hubaws_securityhub_insightaws_securityhub_memberaws_securityhub_productaws_securityhub_standards_controlaws_securityhub_standards_subscriptionaws_securitylake_data_lakeaws_securitylake_subscriberaws_serverlessapplicationrepository_applicationaws_service_discovery_instanceaws_service_discovery_namespaceaws_service_discovery_serviceaws_servicecatalog_portfolioaws_servicecatalog_productaws_servicecatalog_provisioned_productaws_servicequotas_default_service_quotaaws_servicequotas_serviceaws_servicequotas_service_quotaaws_servicequotas_service_quota_change_requestaws_ses_domain_identityaws_ses_email_identityaws_sfn_state_machineaws_sfn_state_machine_executionaws_sfn_state_machine_execution_historyaws_simspaceweaver_simulationaws_sns_subscriptionaws_sns_topicaws_sns_topic_subscriptionaws_sqs_queueaws_ssm_associationaws_ssm_documentaws_ssm_document_permissionaws_ssm_inventoryaws_ssm_inventory_entryaws_ssm_maintenance_windowaws_ssm_managed_instanceaws_ssm_managed_instance_complianceaws_ssm_managed_instance_patch_stateaws_ssm_parameteraws_ssm_patch_baselineaws_ssmincidents_response_planaws_ssoadmin_account_assignmentaws_ssoadmin_instanceaws_ssoadmin_managed_policy_attachmentaws_ssoadmin_permission_setaws_sts_caller_identityaws_tagging_resourceaws_timestreamwrite_databaseaws_timestreamwrite_tableaws_transfer_serveraws_transfer_useraws_trusted_advisor_check_summaryaws_vpcaws_vpc_customer_gatewayaws_vpc_dhcp_optionsaws_vpc_egress_only_internet_gatewayaws_vpc_eipaws_vpc_eip_address_transferaws_vpc_endpointaws_vpc_endpoint_serviceaws_vpc_flow_logaws_vpc_flow_log_eventaws_vpc_internet_gatewayaws_vpc_nat_gatewayaws_vpc_nat_gateway_metric_bytes_out_to_destinationaws_vpc_network_aclaws_vpc_peering_connectionaws_vpc_routeaws_vpc_route_tableaws_vpc_security_groupaws_vpc_security_group_ruleaws_vpc_subnetaws_vpc_verified_access_endpointaws_vpc_verified_access_groupaws_vpc_verified_access_instanceaws_vpc_verified_access_trust_provideraws_vpc_vpn_connectionaws_vpc_vpn_gatewayaws_waf_rate_based_ruleaws_waf_ruleaws_waf_rule_groupaws_waf_web_aclaws_wafregional_ruleaws_wafregional_rule_groupaws_wafregional_web_aclaws_wafv2_ip_setaws_wafv2_regex_pattern_setaws_wafv2_rule_groupaws_wafv2_web_aclaws_wellarchitected_answeraws_wellarchitected_check_detailaws_wellarchitected_check_summaryaws_wellarchitected_consolidated_reportaws_wellarchitected_lensaws_wellarchitected_lens_reviewaws_wellarchitected_lens_review_improvementaws_wellarchitected_lens_review_reportaws_wellarchitected_lens_shareaws_wellarchitected_milestoneaws_wellarchitected_notificationaws_wellarchitected_share_invitationaws_wellarchitected_workloadaws_wellarchitected_workload_shareaws_workspaces_directoryaws_workspaces_workspace
Table: aws_vpc_security_group - Query AWS VPC Security Groups using SQL
An AWS VPC Security Group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level, therefore each instance in a subnet in your VPC can be assigned to a different set of security groups.
Table Usage Guide
The aws_vpc_security_group table in Steampipe provides you with information about Security Groups within AWS Virtual Private Cloud (VPC). This table enables you, as a DevOps engineer, to query security group-specific details, including configurations, associated policies, and related metadata. You can utilize this table to gather insights on security groups, such as understanding the security rules applied, verifying the security policies, and more. The schema outlines for you the various attributes of the security group, including the group ID, name, description, owner ID, and associated VPC ID.
Examples
Basic ingress rule info
Review the configuration of your network's security settings to understand which ports are open and the protocols being used. This can help in identifying potential security vulnerabilities and ensuring that the network is adequately protected.
select group_name, vpc_id, perm ->> 'FromPort' as from_port, perm ->> 'ToPort' as to_port, perm ->> 'IpProtocol' as ip_protocol, perm ->> 'IpRanges' as ip_ranges, perm ->> 'Ipv6Ranges' as ipv6_ranges, perm ->> 'UserIdGroupPairs' as user_id_group_pairs, perm ->> 'PrefixListIds' as prefix_list_idsfrom aws_vpc_security_group as sg cross join jsonb_array_elements(ip_permissions) as perm;select group_name, vpc_id, json_extract(perm.value, '$.FromPort') as from_port, json_extract(perm.value, '$.ToPort') as to_port, json_extract(perm.value, '$.IpProtocol') as ip_protocol, json_extract(perm.value, '$.IpRanges') as ip_ranges, json_extract(perm.value, '$.Ipv6Ranges') as ipv6_ranges, json_extract(perm.value, '$.UserIdGroupPairs') as user_id_group_pairs, json_extract(perm.value, '$.PrefixListIds') as prefix_list_idsfrom aws_vpc_security_group as sg, json_each(ip_permissions) as perm;List of security groups whose SSH and RDP access is not restricted from the internet
Explore which security groups have unrestricted SSH and RDP access from the internet, allowing you to identify potential security risks and tighten access controls. This is crucial for maintaining security standards and preventing unauthorized access.
select sg.group_name, sg.group_id, sgr.type, sgr.ip_protocol, sgr.from_port, sgr.to_port, cidr_ipfrom aws_vpc_security_group as sg join aws_vpc_security_group_rule as sgr on sg.group_name = sgr.group_namewhere sgr.type = 'ingress' and sgr.cidr_ip = '0.0.0.0/0' and ( ( sgr.ip_protocol = '-1' -- all traffic and sgr.from_port is null ) or ( sgr.from_port <= 22 and sgr.to_port >= 22 ) or ( sgr.from_port <= 3389 and sgr.to_port >= 3389 ) );select sg.group_name, sg.group_id, sgr.type, sgr.ip_protocol, sgr.from_port, sgr.to_port, cidr_ipfrom aws_vpc_security_group as sg join aws_vpc_security_group_rule as sgr on sg.group_name = sgr.group_namewhere sgr.type = 'ingress' and sgr.cidr_ip = '0.0.0.0/0' and ( ( sgr.ip_protocol = '-1' -- all traffic and sgr.from_port is null ) or ( sgr.from_port <= 22 and sgr.to_port >= 22 ) or ( sgr.from_port <= 3389 and sgr.to_port >= 3389 ) );Count of security groups by VPC ID
Gain insights into the distribution of security groups across your Virtual Private Clouds (VPCs) to manage resources and improve security measures effectively.
select vpc_id, count(vpc_id) as countfrom aws_vpc_security_groupgroup by vpc_id;select vpc_id, count(vpc_id) as countfrom aws_vpc_security_groupgroup by vpc_id;List of security groups whose name is prefixed with 'launch wizard'
Identify instances where security groups have names prefixed with 'launch wizard'. This can help in managing and organizing your security groups effectively, particularly in large-scale AWS environments.
select group_name, group_idfrom aws_vpc_security_groupwhere group_name like '%launch-wizard%';select group_name, group_idfrom aws_vpc_security_groupwhere group_name like '%launch-wizard%';Query examples
- vpc_security_group_by_acount
- vpc_security_group_by_region
- vpc_security_group_by_vpc
- vpc_security_group_count
- vpc_security_group_details_for_vpc
- vpc_security_group_egress_rule_sankey
- vpc_security_group_ingress_rule_sankey
- vpc_security_group_input
- vpc_security_group_overview
- vpc_security_group_tags
- vpc_security_group_unassociated_count
- vpc_security_groups_for_codebuild_project
- vpc_security_groups_for_ec2_application_load_balancer
- vpc_security_groups_for_ec2_classic_load_balancer
- vpc_security_groups_for_ec2_gateway_load_balancer
- vpc_security_groups_for_ec2_network_load_balancer
- vpc_security_groups_for_ecs_service
- vpc_security_groups_for_elasticache_cluster_node
- vpc_security_groups_for_vpc
- vpc_security_unrestricted_egress_count
- vpc_security_unrestricted_ingress_count
- vpc_vpcs_for_vpc_security_group
Control examples
- All Controls > VPC > Ensure no security groups allow ingress from ::/0 to remote server administration ports
- All Controls > VPC > Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- All Controls > VPC > Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- All Controls > VPC > Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- All Controls > VPC > Security groups should not allow unrestricted access to ports with high risk
- All Controls > VPC > Unused EC2 security groups should be removed
- All Controls > VPC > VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888
- All Controls > VPC > VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to memcached port 11211
- All Controls > VPC > VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018
- All Controls > VPC > VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483
- All Controls > VPC > VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0
- All Controls > VPC > VPC security groups should restrict ingress kibana port access from 0.0.0.0/0
- All Controls > VPC > VPC security groups should restrict ingress redis access from 0.0.0.0/0
- All Controls > VPC > VPC security groups should restrict uses of 'launch-wizard' security groups.
- AWS Foundational Security Best Practices > EC2 > 18 Security groups should only allow unrestricted incoming traffic for authorized ports
- AWS Foundational Security Best Practices > EC2 > 19 Security groups should not allow unrestricted access to ports with high risk
- AWS Foundational Security Best Practices > EC2 > 2 VPC default security groups should not allow inbound or outbound traffic
- CIS AWS Compute Services Benchmark v1.0.0 > 2 Elastic Cloud Compute (EC2) > 2.7 Ensure Default EC2 Security groups are not being used
- CIS v1.2.0 > 4 Networking > 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
- CIS v1.2.0 > 4 Networking > 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- CIS v1.2.0 > 4 Networking > 4.3 Ensure the default security group of every VPC restricts all traffic
- CIS v1.3.0 > 5 Networking > 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v1.3.0 > 5 Networking > 5.3 Ensure the default security group of every VPC restricts all traffic
- CIS v1.4.0 > 5 Networking > 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v1.4.0 > 5 Networking > 5.3 Ensure the default security group of every VPC restricts all traffic
- CIS v1.5.0 > 5 Networking > 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v1.5.0 > 5 Networking > 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports
- CIS v1.5.0 > 5 Networking > 5.4 Ensure the default security group of every VPC restricts all traffic
- CIS v2.0.0 > 5 Networking > 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v2.0.0 > 5 Networking > 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports
- CIS v2.0.0 > 5 Networking > 5.4 Ensure the default security group of every VPC restricts all traffic
- CIS v3.0.0 > 5 Networking > 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- CIS v3.0.0 > 5 Networking > 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports
- CIS v3.0.0 > 5 Networking > 5.4 Ensure the default security group of every VPC restricts all traffic
- VPC default security group should not allow inbound and outbound traffic
- VPC security groups should be associated with at least one ENI
- VPC Security groups should only allow unrestricted incoming traffic for authorized ports
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Schema for aws_vpc_security_group
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| arn | text | The Amazon Resource Name (ARN) specifying the security group. | |
| description | text | = | A description of the security group. |
| group_id | text | = | Contains the unique ID to identify a security group. |
| group_name | text | = | The friendly name that identifies the security group. |
| ip_permissions | jsonb | A list of inbound rules associated with the security group | |
| ip_permissions_egress | jsonb | A list of outbound rules associated with the security group | |
| owner_id | text | = | Contains the AWS account ID of the owner of the security group. |
| partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
| region | text | The AWS Region in which the resource is located. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| tags | jsonb | A map of tags for the resource. | |
| tags_src | jsonb | A list of tags that are attached to the security group | |
| title | text | Title of the resource. | |
| vpc_id | text | = | The ID of the VPC for the security group. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- awsYou can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_vpc_security_group