AMA: Is there a query you can help me with to pull AWS firewall rules?

[Deleted User]
[Deleted User] admin
edited February 7 in Security Operations
Is there a query you can help me with to pull AWS firewall rules?

Answers

  • [Deleted User]
    [Deleted User] admin

    Generally, you can use: Find aws_security_group

    Here is a query to specifically return a handful of properties:

    Find aws_security_group as sg
    return
      sg.tag.AccountName, sg.id, sg.displayName,
      sg.egressRules, sg.ingressRules

    Here is a query to return all firewall rule properties for a single security group (if you input the id value):

    Find aws_security_group with id = '' as sg
      that allows as rule *
    return
      sg.tag.AccountName, sg.id, sg.displayName,
      rule.egress, rule.ingress,
      rule.fromPort, rule.toPort, rule.portRange,
      rule.protocol, rule.description

    There are also some more firewall related queries at askj1.com

    You can see an extended response from Akash Ganapathi and Sounil Yu on the J1 blog:

    https://try.jupiterone.com/blog/ama-query-to-pull-aws-firewall-rules


This Month's Leaders

Categories