AWS config query


AWS config query to list all instances where security group allow ingress port 22 from 0.0.0.0

asked 22 days ago, 140 views
2 Answers

You can use the AWS managed config rule called restricted-ssh to achieve this.

AWS (EXPERT), answered 22 days ago
EXPERT, reviewed 22 days ago
EXPERT, reviewed 22 days ago
  • Hi Yaniv, this should show all the security groups that have SSH open for 0.0.0.0; however, how do I add the third attribute, which is the instance IP?

  • Virender, I just posted an article that describes how you can detect which instances have such a security group associated with them. I hope it helps.

  • Hi Yaniv, I went through the document and thanks for creating the script. I will try executing and see how it goes.

  • Thanks Virender, please report back if it works for you. If so, kindly accept the answer so others can benefit from this too.


AWS Config query to list all instances where the security group allows ingress port 22 from 0.0.0.0:

SELECT 
  ec2Instance.instanceId,
  ec2Instance.instanceType,
  ec2SecurityGroup.groupId,
  ec2SecurityGroup.groupName
WHERE
  ec2SecurityGroup.ipPermissions IN (
    {
      'ipProtocol': 'tcp',
      'fromPort': 22,
      'toPort': 22,
      'ipRanges': [
        {
          'cidrIp': '0.0.0.0/0'
        }
      ]
    }
  )

This query uses the AWS Config ec2Instance and ec2SecurityGroup resources to find instances with security groups that allow inbound traffic on port 22 from any IP address (0.0.0.0/0).

You can run this query in the AWS Management Console or using the AWS CLI command aws configservice select-resources --expression <query>.

Sandeep (EXPERT), answered 21 days ago
  • Hi Sandeep, executing the SQL in Config gives the error below:

    Error syntax error at line 7, column 34

  • that you're experiencing a syntax error in your SQL configuration. To better assist you, could you please share the SQL statement that's causing the error, especially around line 7, column 34?
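Since a Config advanced query can only select from one resource type at a time, one way to get from Sandeep's security-group query to Virender's instance list (with the instance IPs) is two queries joined client side. This is an added example, not code from either answer, from the linked article or from AWS; the configuration field names (ipPermissions, ipv4Ranges, securityGroups, privateIpAddress, publicIpAddress) are assumed from the Config configuration-item schema, and the port check is widened beyond the thread's exact tcp/22 match to cover protocol -1 and port ranges that include 22.

```python
import json
# Config advanced queries cover one resource type each, so the join is done client side.
SG_QUERY = ("SELECT resourceId, configuration.ipPermissions "
            "WHERE resourceType = 'AWS::EC2::SecurityGroup'")
EC2_QUERY = ("SELECT resourceId, configuration.securityGroups, "
             "configuration.privateIpAddress, configuration.publicIpAddress "
             "WHERE resourceType = 'AWS::EC2::Instance'")
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_exposes_ssh(perm):
    # One ipPermissions entry: tcp with 22 inside [fromPort, toPort], or -1 (all traffic).
    proto = str(perm.get("ipProtocol", ""))
    if proto == "tcp":
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or not lo <= 22 <= hi:
            return False
    elif proto != "-1":
        return False
    cidrs = set(perm.get("ipRanges", []))
    cidrs |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)

def open_ssh_groups(sg_results):
    # sg_results: the JSON strings in the 'Results' list returned for SG_QUERY.
    open_ids = set()
    for ci in map(json.loads, sg_results):
        if any(rule_exposes_ssh(p) for p in ci["configuration"].get("ipPermissions", [])):
            open_ids.add(ci["resourceId"])
    return open_ids

def exposed_instances(ec2_results, open_ids):
    # Join EC2_QUERY results to the open groups: instance id, offending group ids and IPs.
    rows = []
    for ci in map(json.loads, ec2_results):
        cfg = ci["configuration"]
        hits = sorted(g["groupId"] for g in cfg.get("securityGroups", []) if g["groupId"] in open_ids)
        if hits:
            rows.append({"instanceId": ci["resourceId"], "groups": hits,
                         "privateIp": cfg.get("privateIpAddress"), "publicIp": cfg.get("publicIpAddress")})
    return rows

# Constructed sample results in the select-resources output shape (not real account data).
SAMPLE_SGS = [json.dumps({"resourceId": i, "configuration": {"ipPermissions": [p]}}) for i, p in (
    ("sg-0a1", {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}),
    ("sg-0b2", {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}),
    ("sg-0c3", {"ipProtocol": "-1", "ipRanges": ["0.0.0.0/0"]}))]
SAMPLE_EC2 = [json.dumps({"resourceId": i, "configuration": c}) for i, c in (
    ("i-111", {"privateIpAddress": "10.0.1.5", "publicIpAddress": "203.0.113.7", "securityGroups": [{"groupId": "sg-0a1"}]}),
    ("i-222", {"privateIpAddress": "10.0.1.6", "securityGroups": [{"groupId": "sg-0b2"}, {"groupId": "sg-0c3"}]}))]
```

Against a real account, replace the samples with the Results strings from aws configservice select-resources --expression "$SG_QUERY" and the same for EC2_QUERY (paging with --next-token until none is returned), then call exposed_instances(ec2_results, open_ssh_groups(sg_results)).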
