Yes, you can definitely do this with the current NQE model. It parses the instance and security group names and tags.
Take a look at the following query:
foreach cloudAccount in network.cloudAccounts
  foreach vpc in cloudAccount.vpcs
    foreach computeInstance in vpc.computeInstances
      foreach securityGroup in vpc.securityGroups
        select {
          violation: securityGroup.groupName == "default",
          VPC: vpc.id,
          "Compute Instance ID": computeInstance.id,
          "Compute Instance Name": computeInstance.name,
          "Security Group ID": securityGroup.id,
          "Security Group Name": securityGroup.name,
          "Security Group Desc": securityGroup.description,
          "Security Group Tags": securityGroup.tags
        }
This will pull all of the security groups, show which ones are associated with a particular instance, and then throw a violation on which ones are a default security group. You can further restrict to particular cloud accounts as needed, or add additional information (instance tags, image type, etc.) from the data model.
Hey @captainpacket, thanks for the reply! I tried this search but it does not seem to correlate the instance with the security group that is actually applied to it. What I get back is just an enumerated 1:1 table of all our instances and all of our security-groups. For example, if we have 100 security-groups and 1 instance in AWS, I just see 1 instance 100 times with each security group even if that instance only really has 1 SG applied - with the top limit being 5.
If I visit the webpage for Instance A then I can see the security groups applied, so I figured this might be exposed under vpc.computeInstances.id.securityGroups or something similar.
Ahh, yes - this query will just return all the security groups, with a true/false column for violation for the intersection of those that are set to default and also applied to instances. This makes it handy for pass/fail continuous verification checks and audits.
To just return the instances that the default groups are applied to, let's move the
  violation: securityGroup.groupName == "default"
line farther up as a where condition instead:
foreach cloudAccount in network.cloudAccounts
  foreach vpc in cloudAccount.vpcs
    foreach computeInstance in vpc.computeInstances
      foreach securityGroup in vpc.securityGroups
        where securityGroup.groupName == "default"
        select {
          VPC: vpc.id,
          "Compute Instance ID": computeInstance.id,
          "Compute Instance Name": computeInstance.name,
          "Security Group ID": securityGroup.id,
          "Security Group Name": securityGroup.name,
          "Security Group Desc": securityGroup.description,
          "Security Group Tags": securityGroup.tags
        }
You can still keep the violation field if you want it to be a pass/fail intent check as well.
Let me know if that helps - thanks!
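The correlation asked for in this thread, as an added example that is not Forward Networks code and not NQE: a small Python script over constructed data shaped like the EC2 describe_instances and describe_security_groups responses (the Reservations/Instances/SecurityGroups keys and the GroupId/GroupName/VpcId/Description/Tags keys are the real response shape; every ID, name, description and tag value below is made up). It puts the cross product that two sibling loops produce (every instance paired with every group in its VPC, which is what the first query returned) next to a join on the instance's own SecurityGroups list, and then applies the "where"-style filter that keeps only rows where the attached group is the default group.

```python
from typing import Dict, List

# Constructed sample shaped like the boto3 EC2 describe_instances() response:
# Reservations -> Instances, each carrying the SecurityGroups actually attached
# to it (GroupId/GroupName). All IDs, names and tags here are made up.
SAMPLE_INSTANCES = {
    "Reservations": [
        {
            "Instances": [
                {
                    "InstanceId": "i-0aaa111",
                    "VpcId": "vpc-0111",
                    "Tags": [{"Key": "Name", "Value": "web-1"}],
                    "SecurityGroups": [
                        {"GroupId": "sg-0def111", "GroupName": "default"},
                        {"GroupId": "sg-0web111", "GroupName": "web-https"},
                    ],
                },
                {
                    "InstanceId": "i-0bbb222",
                    "VpcId": "vpc-0111",
                    "Tags": [{"Key": "Name", "Value": "db-1"}],
                    "SecurityGroups": [
                        {"GroupId": "sg-0db1111", "GroupName": "db-internal"},
                    ],
                },
            ]
        }
    ]
}

# Constructed sample shaped like describe_security_groups(): every group in the
# VPC, including one (sg-0unused1) that is attached to no instance at all.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0def111", "GroupName": "default", "VpcId": "vpc-0111",
         "Description": "default VPC security group", "Tags": []},
        {"GroupId": "sg-0web111", "GroupName": "web-https", "VpcId": "vpc-0111",
         "Description": "443 from the load balancer",
         "Tags": [{"Key": "owner", "Value": "web"}]},
        {"GroupId": "sg-0db1111", "GroupName": "db-internal", "VpcId": "vpc-0111",
         "Description": "5432 from the web tier", "Tags": []},
        {"GroupId": "sg-0unused1", "GroupName": "legacy", "VpcId": "vpc-0111",
         "Description": "no longer attached to anything", "Tags": []},
    ]
}


def _instances(data: Dict) -> List[Dict]:
    """Flatten Reservations -> Instances into one list."""
    return [i for r in data["Reservations"] for i in r["Instances"]]


def _name_tag(resource: Dict) -> str:
    """Value of the Name tag, or '' when the resource has none."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == "Name"), "")


def _row(inst: Dict, sg: Dict) -> Dict:
    """One report row, mirroring the columns of the NQE select in the thread."""
    return {
        "violation": sg["GroupName"] == "default",
        "VPC": inst["VpcId"],
        "Compute Instance ID": inst["InstanceId"],
        "Compute Instance Name": _name_tag(inst),
        "Security Group ID": sg["GroupId"],
        "Security Group Name": sg["GroupName"],
        "Security Group Desc": sg.get("Description", ""),
        "Security Group Tags": sg.get("Tags", []),
    }


def cross_product_rows(instances: Dict, groups: Dict) -> List[Dict]:
    """What two sibling loops over vpc.computeInstances and vpc.securityGroups
    produce: every instance paired with every group in its VPC, attached or not."""
    by_vpc: Dict[str, List[Dict]] = {}
    for sg in groups["SecurityGroups"]:
        by_vpc.setdefault(sg["VpcId"], []).append(sg)
    return [_row(inst, sg)
            for inst in _instances(instances)
            for sg in by_vpc.get(inst["VpcId"], [])]


def applied_group_rows(instances: Dict, groups: Dict) -> List[Dict]:
    """Correlated join: only the groups listed on the instance itself."""
    by_id = {sg["GroupId"]: sg for sg in groups["SecurityGroups"]}
    rows = []
    for inst in _instances(instances):
        for ref in inst.get("SecurityGroups", []):
            # If the group record is missing, fall back to the instance's own view of it.
            sg = by_id.get(ref["GroupId"], {**ref, "VpcId": inst["VpcId"]})
            rows.append(_row(inst, sg))
    return rows


def default_group_violations(instances: Dict, groups: Dict) -> List[Dict]:
    """The 'where' form from the thread: keep only rows whose attached group is default."""
    return [r for r in applied_group_rows(instances, groups) if r["violation"]]


if __name__ == "__main__":
    print(len(cross_product_rows(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS)), "cross-product rows")
    print(len(applied_group_rows(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS)), "correlated rows")
    for r in default_group_violations(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(r["Compute Instance ID"], r["Compute Instance Name"], "uses", r["Security Group Name"])
```

With the sample above the cross product yields 8 rows and flags both instances against the default group, while the correlated join yields 3 rows and flags only web-1, which is the one instance that actually has the default group attached. The unattached "legacy" group disappears from the correlated report entirely, which is the behaviour the thread's second query is reaching for.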