steampipe plugin install aws

Table: aws_vpc_security_group_rule - Query AWS VPC Security Group Rule using SQL

The AWS VPC Security Group Rule is a feature within Amazon's Virtual Private Cloud (VPC) service that allows you to manage inbound and outbound traffic for your instances and subnets. These rules are used to control the traffic flow in a security group, offering flexibility to permit or deny specified traffic. This ensures a secure environment by providing a robust set of firewall rules at the instance and subnet level.

Table Usage Guide

The aws_vpc_security_group_rule table in Steampipe provides you with information about security group rules within Amazon Virtual Private Cloud (VPC). This table allows you, as a DevOps engineer, security analyst, or system administrator, to query rule-specific details, including rule type, IP protocol, port range, and associated metadata. You can utilize this table to gather insights on security group rules, such as rules with open IP ranges, verification of port ranges, and more. The schema outlines the various attributes of the security group rule for you, including the rule ID, security group ID, IP range, and associated tags.

Examples

List inbound security group rules open to the Internet

select
  security_group_rule_id,
  group_id,
  ip_protocol,
  from_port,
  to_port
from
  aws_vpc_security_group_rule
where
  cidr_ipv4 = '0.0.0.0/0'
  and not is_egress;

List ingress security group rules that open SSH and RDP access from the Internet

select
  security_group_rule_id,
  group_id,
  ip_protocol,
  from_port,
  to_port,
  cidr_ipv4
from
  aws_vpc_security_group_rule
where
  not is_egress
  and cidr_ipv4 = '0.0.0.0/0'
  and (
    (
      ip_protocol = '-1' -- all traffic
      and from_port is null
    )
    or (
      from_port <= 22
      and to_port >= 22
    )
    or (
      from_port <= 3389
      and to_port >= 3389
    )
  );

List security group rules with additional security group details

List security group rules together with details of the security group each rule belongs to, such as the group name and VPC. This is useful for understanding the security configuration of your environment and for deciding where protection should be tightened.

select
  r.security_group_rule_id,
  r.ip_protocol,
  r.from_port,
  r.to_port,
  r.cidr_ipv4,
  r.group_id,
  sg.group_name,
  sg.vpc_id
from
  aws_vpc_security_group_rule as r,
  aws_vpc_security_group as sg
where
  r.group_id = sg.group_id;
select
  r.security_group_rule_id,
  r.ip_protocol,
  r.from_port,
  r.to_port,
  r.cidr_ipv4,
  r.group_id,
  sg.group_name,
  sg.vpc_id
from
  aws_vpc_security_group_rule as r
  join aws_vpc_security_group as sg on r.group_id = sg.group_id;
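As an added example that is not part of the original Steampipe documentation, the following Postgres query extends the SSH/RDP check above: it also catches rules open to any IPv6 source (::/0), applies the schema note that a protocol of -1 or a protocol number other than tcp/udp/icmp/icmpv6 ignores the port range, and joins aws_vpc_security_group for the group name and VPC. The list of sensitive ports in the sensitive CTE is a constructed assumption; adjust it to your environment.

```sql
-- Constructed sensitive-port list (assumption, not from the Steampipe docs).
with sensitive(port, service) as (
  values (22, 'ssh'), (3389, 'rdp'), (3306, 'mysql'), (5432, 'postgres')
),
-- Inbound rules whose source is every IPv4 or every IPv6 address.
open_rules as (
  select
    security_group_rule_id,
    group_id,
    ip_protocol,
    from_port,
    to_port,
    case when cidr_ipv4 = '0.0.0.0/0' then 'any-ipv4' else 'any-ipv6' end as source
  from
    aws_vpc_security_group_rule
  where
    not is_egress
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
)
select
  sg.group_name,
  sg.vpc_id,
  o.group_id,
  o.security_group_rule_id,
  o.source,
  o.ip_protocol,
  o.from_port,
  o.to_port,
  -- One row per rule, listing every sensitive service it exposes.
  string_agg(s.service, ', ' order by s.port) as exposed_services
from
  open_rules as o
  join aws_vpc_security_group as sg on o.group_id = sg.group_id
  join sensitive as s
    -- -1 or a raw protocol number means all ports, regardless of from_port/to_port,
    -- so such a rule exposes every service in the list at once.
    on o.ip_protocol not in ('tcp', 'udp', 'icmp', 'icmpv6')
    -- For tcp the port range is honoured; only count ports inside it.
    or (o.ip_protocol = 'tcp' and o.from_port <= s.port and o.to_port >= s.port)
group by
  sg.group_name, sg.vpc_id, o.group_id, o.security_group_rule_id,
  o.source, o.ip_protocol, o.from_port, o.to_port
order by
  sg.group_name, o.security_group_rule_id;
```

Rules that expose none of the listed ports are dropped by the inner join, so the result is a ready-made finding list rather than the full set of Internet-open rules.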

Control examples

Schema for aws_vpc_security_group_rule

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
cidr_ip | cidr | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use cidr_ipv4 instead. The IPv4 CIDR range.
cidr_ipv4 | cidr | | The IPv4 CIDR range.
cidr_ipv6 | cidr | | The IPv6 CIDR range.
description | text | | The security group rule description.
from_port | bigint | | The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types.
group_id | text | = | The ID of the security group to which the rule belongs.
group_name | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release. The name of the security group to which the rule belongs.
group_owner_id | text | | The ID of the Amazon Web Services account that owns the security group.
ip_protocol | text | | The IP protocol name (tcp, udp, icmp, icmpv6) or number (see [Protocol Numbers](http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range specified. For tcp, udp, and icmp, a port range is specified. For icmpv6, the port range is optional; if it is omitted, traffic for all types and codes is allowed.
is_egress | boolean | | Indicates whether the security group rule is an outbound rule.
owner_id | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use group_owner_id instead. The AWS account ID of the owner of the security group to which the rule belongs.
pair_group_id | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use referenced_group_id instead. The ID of the referenced security group.
pair_group_name | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release. The name of the referenced security group.
pair_peering_status | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use referenced_peering_status instead. The status of a VPC peering connection, if applicable.
pair_user_id | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use referenced_user_id instead. The ID of an AWS account. For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
pair_vpc_id | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use referenced_vpc_id instead. The ID of the VPC for the referenced security group, if applicable.
pair_vpc_peering_connection_id | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release; use referenced_vpc_peering_connection_id instead. The ID of the VPC peering connection, if applicable.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
prefix_list_id | text | | The ID of the prefix list.
referenced_group_id | text | | The ID of the referenced security group.
referenced_peering_status | text | | The status of a VPC peering connection, if applicable.
referenced_user_id | text | | The ID of an AWS account. For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
referenced_vpc_id | text | | The ID of the VPC for the referenced security group, if applicable.
referenced_vpc_peering_connection_id | text | | The ID of the VPC peering connection, if applicable.
region | text | | The AWS Region in which the resource is located.
security_group_rule_id | text | = | The ID of the security group rule.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
title | text | | Title of the resource.
to_port | bigint | | The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes.
type | text | | Type of the rule (ingress or egress).
vpc_id | text | | [DEPRECATED] This column has been deprecated and will be removed in a future release. The ID of the VPC for the security group.

Export

This table is also available through the standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_vpc_security_group_rule