AMA: Is there a query you can help me with to pull AWS firewall rules?

[Deleted User]
edited February 7 in Security Operations
Is there a query you can help me with to pull AWS firewall rules?

Answers

  • Generally, you can use: Find aws_security_group

    Here is a query to specifically return a handful of properties:

    Find aws_security_group as sg
    return
     sg.tag.AccountName, sg.id, sg.displayName,
     sg.egressRules, sg.ingressRules

    Here is a query to return all firewall rule properties for a single security group (if you input the id value):

    Find aws_security_group with id = '' as sg
     that allows as rule *
    return
     sg.tag.AccountName, sg.id, sg.displayName,
     rule.egress, rule.ingress,
     rule.fromPort, rule.toPort, rule.portRange,
     rule.protocol, rule.description

    There are also some more firewall-related queries at askj1.com.

    You can see an extended response from Akash Ganapathi and Sounil Yu on the J1 blog:

    https://try.jupiterone.com/blog/ama-query-to-pull-aws-firewall-rules
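
To cross-check the per-rule output of the second query against AWS directly, the sketch below flattens the JSON from `aws ec2 describe-security-groups` into one row per rule and peer. It is an added example, not part of the original answer and not JupiterOne code. The sample JSON is constructed, and the row field names (`sg_id`, `peer`, and so on) are this example's own choices.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0example", "GroupName": "web",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "https"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}], "PrefixListIds": []}
  ],
  "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}
  ]}]}
""")

# Where each kind of peer lives in a permission entry, and the key that names it.
PEER_KEYS = [("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6"),
             ("UserIdGroupPairs", "GroupId"), ("PrefixListIds", "PrefixListId")]

def flatten_rules(response):
    """Return one dict per (security group, direction, permission, peer)."""
    rows = []
    for sg in response.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm.get("IpProtocol")
                for list_key, id_key in PEER_KEYS:
                    for peer in perm.get(list_key, []):
                        rows.append({
                            "sg_id": sg["GroupId"],
                            "sg_name": sg.get("GroupName"),
                            "direction": direction,
                            # "-1" means all protocols; port fields are then absent
                            "protocol": "all" if proto == "-1" else proto,
                            "from_port": perm.get("FromPort"),
                            "to_port": perm.get("ToPort"),
                            "peer": peer[id_key],
                            "description": peer.get("Description", ""),
                        })
    return rows

if __name__ == "__main__":
    for row in flatten_rules(SAMPLE):
        print(row)
```

Rows where `direction` is `ingress` and `peer` is `0.0.0.0/0` or `::/0` are the ones to review first when auditing exposure.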