Table: aws_vpc_security_group_rule - Query AWS VPC Security Group Rule using SQL
The AWS VPC Security Group Rule is a feature within Amazon's Virtual Private Cloud (VPC) service that allows you to manage inbound and outbound traffic for your instances and subnets. These rules are used to control the traffic flow in a security group, offering flexibility to permit or deny specified traffic. This ensures a secure environment by providing a robust set of firewall rules at the instance and subnet level.
Table Usage Guide
The aws_vpc_security_group_rule
table in Steampipe provides you with information about security group rules within Amazon Virtual Private Cloud (VPC). This table allows you, as a DevOps engineer, security analyst, or system administrator, to query rule-specific details, including rule type, IP protocol, port range, and associated metadata. You can utilize this table to gather insights on security group rules, such as rules with open IP ranges, verification of port ranges, and more. The schema outlines the various attributes of the security group rule for you, including the rule ID, security group ID, IP range, and associated tags.
Examples
List inbound security group rules open to the Internet
select security_group_rule_id, group_id, ip_protocol, from_port, to_portfrom aws_vpc_security_group_rulewhere cidr_ipv4 = '0.0.0.0/0' and not is_egress;
select security_group_rule_id, group_id, ip_protocol, from_port, to_portfrom aws_vpc_security_group_rulewhere cidr_ipv4 = '0.0.0.0/0' and not is_egress;
List ingress security group rules that open SSH and RDP access from the Internet
select security_group_rule_id, group_id, ip_protocol, from_port, to_port, cidr_ipv4from aws_vpc_security_group_rulewhere not is_egress and cidr_ipv4 = '0.0.0.0/0' and ( ( ip_protocol = '-1' -- all traffic and from_port is null ) or ( from_port <= 22 and to_port >= 22 ) or ( from_port <= 3389 and to_port >= 3389 ) );
select security_group_rule_id, group_id, ip_protocol, from_port, to_port, cidr_ipv4from aws_vpc_security_group_rulewhere not is_egress and cidr_ipv4 = '0.0.0.0/0' and ( ( ip_protocol = '-1' -- all traffic and from_port is null ) or ( from_port <= 22 and to_port >= 22 ) or ( from_port <= 3389 and to_port >= 3389 ) );
List security group rules with additional security group details
Discover the segments that have security group rules, along with additional details of the security group. This is particularly useful in understanding the security configurations in your environment, helping you to enhance protection measures.
select r.security_group_rule_id, r.ip_protocol, r.from_port, r.to_port, r.cidr_ipv4, r.group_id, sg.group_namefrom aws_vpc_security_group_rule as r, aws_vpc_security_group as sgwhere r.group_id = sg.group_id;
select r.security_group_rule_id, r.ip_protocol, r.from_port, r.to_port, r.cidr_ipv4, r.group_id, sg.group_namefrom aws_vpc_security_group_rule as r join aws_vpc_security_group as sg on r.group_id = sg.group_id;
Schema for aws_vpc_security_group_rule
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cidr_ipv4 | cidr | The IPv4 CIDR range. | |
cidr_ipv6 | cidr | The IPv6 CIDR range. | |
description | text | The security group rule description. | |
from_port | bigint | The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. | |
group_id | text | = | The ID of the security group to which rule belongs. |
group_owner_id | text | The ID of the Amazon Web Services account that owns the security group. | |
ip_protocol | text | The IP protocol name (tcp, udp, icmp, icmpv6) or number [see Protocol Numbers ](http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range specified. For tcp, udp, and icmp, a port range is specified. For icmpv6, the port range is optional. If port range is omitted, traffic for all types and codes is allowed. | |
is_egress | boolean | Indicates whether the security group rule is an outbound rule. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
prefix_list_id | text | The ID of the prefix list. | |
referenced_group_id | text | The ID of the referenced security group. | |
referenced_peering_status | text | The status of a VPC peering connection, if applicable. | |
referenced_user_id | text | The ID of an AWS account. For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned. | |
referenced_vpc_id | text | The ID of the VPC for the referenced security group, if applicable. | |
referenced_vpc_peering_connection_id | text | The ID of the VPC peering connection, if applicable. | |
region | text | The AWS Region in which the resource is located. | |
security_group_rule_id | text | = | The ID of the security group rule. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
title | text | Title of the resource. | |
to_port | bigint | The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. | |
type | text | Type of the rule ( ingress | egress). |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_vpc_security_group_rule