Question

NQE Check EC2 Instance for 'default' Security Group

  • 31 January 2024
  • 3 replies
  • 108 views

Userlevel 2
Badge

Morning folks!

 

We recently got the opportunity to leverage Forward Networks NQE for a Cyber Security ask. They want to verify that EC2 Instances are not being assigned the default Security Group. This should be a simple enough task. AWS creates the security group with the name ‘default’ so all we need to do is create an NQE Query that checks our Cloud Objects with a type of ‘instance’ and verify that the list (I’m assuming it is a list type) of security groups does not contain ‘default’. However, after reviewing the NQE Data Model I’m not convinced the ‘Cloud Objects’ are exposed in such a way we can correlate instance to security group. Can someone confirm or deny this?

I do see that the instance tags are exposed as part of the ComputeInstance data model, so a workaround would be for us to edit our Terraform code so that security groups assigned to the instance are also created as tags on the instance so we can expose that correlation for consumption in NQE.


3 replies

Userlevel 2

Yes, you can definitely do this with the current NQE model. It parses the instance and security group names and tags.

 

Take a look at the following query:

foreach cloudAccount in network.cloudAccounts
foreach vpc in cloudAccount.vpcs
foreach computeInstance in vpc.computeInstances
foreach securityGroup in vpc.securityGroups
select {
violation: securityGroup.groupName == "default",
VPC: vpc.id,
"Compute Instance ID": computeInstance.id,
"Compute Instance Name": computeInstance.name,
"Security Group ID": securityGroup.id,
"Security Group Name": securityGroup.name,
"Security Group Desc": securityGroup.description,
"Security Group Tags": securityGroup.tags
}

 

This will pull all of the security groups, show which ones are associated with a particular instance, and then throw a violation on which ones are a default security group.  You can further restrict to particular cloud accounts as needed, or add additional information (instance tags, image type, etc) from the data model.

Userlevel 2
Badge

Yes, you can definitely do this with the current NQE model. It parses the instance and security group names and tags.

 

Take a look at the following query:

foreach cloudAccount in network.cloudAccounts
foreach vpc in cloudAccount.vpcs
foreach computeInstance in vpc.computeInstances
foreach securityGroup in vpc.securityGroups
select {
violation: securityGroup.groupName == "default",
VPC: vpc.id,
"Compute Instance ID": computeInstance.id,
"Compute Instance Name": computeInstance.name,
"Security Group ID": securityGroup.id,
"Security Group Name": securityGroup.name,
"Security Group Desc": securityGroup.description,
"Security Group Tags": securityGroup.tags
}

 

This will pull all of the security groups, show which ones are associated with a particular instance, and then throw a violation on which ones are a default security group.  You can further restrict to particular cloud accounts as needed, or add additional information (instance tags, image type, etc) from the data model.

Hey @captainpacket thanks for the reply! I tried this search but it does not seem to correlate the instance with the security group that is actually applied to it. What I get back is just an enumerated 1:1 table of all our instances and all of our security-groups. For example If we have 100 security-groups and 1 instance in AWS, I just see 1 instance 100 times with each security group even if that instance only really has 1 SG applied - with the top limit being 5.

 

If I visit the webpage for Instance A then I can see the security groups applied so i figured this might be exposed under vpc.computeInstances.id.securityGroups or something similar.

Userlevel 2

Ahh, yes - this query will just return all the security groups, with a true/false column for violation for the intersection of those that are set to default and also applied to instances.  This makes it handy for pass/fail continuous verification checks and audits.

 

To just return the instances that the default groups are applied, let’s move the 

violation: securityGroup.groupName == "default"

line farther up as a where condition instead:

 

foreach cloudAccount in network.cloudAccounts
foreach vpc in cloudAccount.vpcs
foreach computeInstance in vpc.computeInstances
foreach securityGroup in vpc.securityGroups
where securityGroup.groupName == "default"
select {
VPC: vpc.id,
"Compute Instance ID": computeInstance.id,
"Compute Instance Name": computeInstance.name,
"Security Group ID": securityGroup.id,
"Security Group Name": securityGroup.name,
"Security Group Desc": securityGroup.description,
"Security Group Tags": securityGroup.tags
}

 

You can still keep the violation field if you want it to be a pass/fail intent check as well.

 

Let me know if that helps - thanks!

Reply