
Scan and Find Security Groups That Are Too Open Common Ports

This function uses AWS SDK's EC2 client to identify security groups that have overly permissive access to common ports.

Code

Below is the JavaScript code example.

    const AWS = require('aws-sdk');
    const ec2 = new AWS.EC2({});

    // Common ports that are sometimes left open to the world but should not be.
    const commonPorts = [21, 22, 23, 25, 110, 143, 443, 445, 3389];

    const tooOpenSecurityGroups = async () => {
      // Fetch every security group visible to the caller in the current region.
      const securityGroups = await ec2.describeSecurityGroups().promise();

      // Keep only groups with at least one inbound rule whose port range covers a
      // common port and whose source is the entire Internet (0.0.0.0/0).
      const overlyPermissive = securityGroups.SecurityGroups.filter(group =>
        group.IpPermissions.some(ipPermission =>
          commonPorts.some(port =>
            ipPermission.FromPort !== undefined &&
            ipPermission.ToPort !== undefined &&
            ipPermission.FromPort <= port &&
            ipPermission.ToPort >= port &&
            ipPermission.IpRanges.some(ipRange => ipRange.CidrIp === '0.0.0.0/0')
          )
        )
      );

      console.log(JSON.stringify(overlyPermissive, null, 2));
    };

    tooOpenSecurityGroups().catch(err => {
      console.error(err);
      process.exit(1);
    });

Detailed Code Explanation

Here's a detailed step-by-step analysis of what the above code does:

  1. It imports the AWS SDK and constructs an empty EC2 client object.
  2. It sets an array with common port numbers that are sometimes left open but shouldn't be for security reasons.
  3. It declares an asynchronous function called tooOpenSecurityGroups.
    • This function first calls the describeSecurityGroups method of the EC2 object to fetch the details of all security groups and then waits for the promise to resolve.
    • It then filters the returned security groups to isolate those having overly permissive access.
      • An overly permissive group is one in which there exists at least one IP permission that has a common port open to the entire Internet (0.0.0.0/0).
  4. It finally logs the details of the overly permissive groups to the console.

Expected Output (JSON Format)

The output is an array of security groups that are considered overly permissive. Each security group is represented by an object similar to the following:

    [
      {
        "OwnerId": "",
        "GroupId": "",
        "GroupName": "",
        "Description": "",
        "IpPermissions": [],
        "Tags": [],
        "VpcId": ""
      }
    ]

Considerations & caveats

While this function can help identify common security misconfigurations, it has some limitations:

  1. Limited port numbers: the script only checks for overly permissive access on a hard-coded list of common ports. Any other ports left open will not be identified.

  2. CIDR notations: it only checks for the 0.0.0.0/0 CIDR, which represents all IPv4 addresses. However, overly permissive access can also be granted with other CIDR notations.
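The detection logic from the script as a pure function over objects in the DescribeSecurityGroups response shape, run against constructed sample data so it works offline. This is an added example, not ChatWithCloud's code; it goes beyond the script above by treating a rule's FromPort..ToPort range as covering a port (not only an exact FromPort match), by treating IpProtocol "-1" as all ports, and by counting the IPv6 ::/0 source as world-open alongside 0.0.0.0/0.

```javascript
// Added example (not the page's script). Assumes DescribeSecurityGroups-shaped
// input: IpPermissions[].{IpProtocol, FromPort, ToPort, IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6}.
const COMMON_PORTS = [21, 22, 23, 25, 110, 143, 443, 445, 3389];
const WORLD_V4 = '0.0.0.0/0';
const WORLD_V6 = '::/0';

// True when the rule's source includes the entire Internet over IPv4 or IPv6.
function isWorldOpen(perm) {
  const v4 = (perm.IpRanges || []).some(r => r.CidrIp === WORLD_V4);
  const v6 = (perm.Ipv6Ranges || []).some(r => r.CidrIpv6 === WORLD_V6);
  return v4 || v6;
}

// True when the rule's port range covers `port`; IpProtocol "-1" is all traffic.
function coversPort(perm, port) {
  if (perm.IpProtocol === '-1') return true;
  if (perm.FromPort === undefined || perm.ToPort === undefined) return false;
  return perm.FromPort <= port && perm.ToPort >= port;
}

// Returns [{ GroupId, ports }] for every group exposing a listed port to the world.
function findOpenCommonPorts(groups, ports = COMMON_PORTS) {
  const findings = [];
  for (const g of groups) {
    const exposed = ports.filter(p =>
      (g.IpPermissions || []).some(perm => isWorldOpen(perm) && coversPort(perm, p)));
    if (exposed.length) findings.push({ GroupId: g.GroupId, ports: exposed });
  }
  return findings;
}

// Constructed sample groups (not real AWS data) covering the edge cases above.
const SAMPLE_GROUPS = [
  { GroupId: 'sg-exact', IpPermissions: [   // exact match the original script also catches
      { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [] } ] },
  { GroupId: 'sg-range', IpPermissions: [   // 3000-4000 covers 3389 although FromPort !== 3389
      { IpProtocol: 'tcp', FromPort: 3000, ToPort: 4000, IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [] } ] },
  { GroupId: 'sg-v6all', IpPermissions: [   // all traffic from any IPv6 source
      { IpProtocol: '-1', IpRanges: [], Ipv6Ranges: [{ CidrIpv6: '::/0' }] } ] },
  { GroupId: 'sg-private', IpPermissions: [ // port 22 open only to a private /16: not flagged
      { IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '10.0.0.0/16' }], Ipv6Ranges: [] } ] },
];

console.log(JSON.stringify(findOpenCommonPorts(SAMPLE_GROUPS), null, 2));
```

To run it against a real account, replace SAMPLE_GROUPS with the SecurityGroups array returned by describeSecurityGroups.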

Required IAM Permissions and Example Policy

The script needs only one IAM permission, ec2:DescribeSecurityGroups. Here is an example policy that grants it:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "ec2:DescribeSecurityGroups",
          "Resource": "*"
        }
      ]
    }

FAQ

1. Can I use this script to check for overly permissive access on other ports?

Yes, you can modify the commonPorts array to include any port numbers you're interested in.

2. Why is the script checking for the 0.0.0.0/0 CIDR notation?

This CIDR notation represents all IP addresses, so a rule with this source is open to the entire Internet.

3. How can I run this script?

You need to have Node.js installed on your system and an AWS IAM role with the necessary permissions.

4. Does this script modify or restrict access to the identified security groups?

No, the script is read-only and only reports overly permissive security groups. It does not take any actions on them.