Morning folks!
We recently got the opportunity to leverage Forward Networks NQE for a Cyber Security ask. They want to verify that EC2 Instances are not being assigned the default Security Group. This should be a simple enough task. AWS creates the security group with the name ‘default’, so all we need to do is create an NQE Query that checks our Cloud Objects with a type of ‘instance’ and verify that the list (I’m assuming it is a list type) of security groups does not contain ‘default’. However, after reviewing the NQE Data Model, I’m not convinced the ‘Cloud Objects’ are exposed in such a way that we can correlate an instance to a security group. Can someone confirm or deny this?
I do see that the instance tags are exposed as part of the ComputeInstance data model, so a workaround would be for us to edit our Terraform code so that security groups assigned to the instance are also created as tags on the instance so we can expose that correlation for consumption in NQE.
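An added example, not part of the original post and not NQE or Forward Networks code: the same check run directly against JSON in the shape of `aws ec2 describe-instances` output, which also compares the attached groups with the tag the workaround would write, since a tag set by Terraform can drift from what is actually attached. The tag key `security-groups`, the `:` separator and all sample instances are assumptions constructed for the example.

```python
# Constructed sample in the shape of `aws ec2 describe-instances` JSON output.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "SecurityGroups": [{"GroupId": "sg-0a1", "GroupName": "web-sg"}],
     "Tags": [{"Key": "security-groups", "Value": "web-sg"}]},
    {"InstanceId": "i-0bbb0000000000002",
     "SecurityGroups": [{"GroupId": "sg-0d0", "GroupName": "default"}],
     "Tags": [{"Key": "security-groups", "Value": "app-sg"}]},
    {"InstanceId": "i-0ccc0000000000003",
     "SecurityGroups": [{"GroupId": "sg-0b2", "GroupName": "db-sg"}],
     "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0d0", "GroupName": "default"}]}],
     "Tags": [{"Key": "security-groups", "Value": "db-sg"}]},
]}]}

TAG_KEY = "security-groups"  # hypothetical tag key written by Terraform
TAG_SEP = ":"                # hypothetical separator between group names


def attached_groups(inst):
    """Union of instance-level and per-interface group names, so a group
    attached to any network interface is seen."""
    names = {g["GroupName"] for g in inst.get("SecurityGroups", [])}
    for eni in inst.get("NetworkInterfaces", []):
        names |= {g["GroupName"] for g in eni.get("Groups", [])}
    return names


def audit(doc):
    """Return (instance_id, issue) pairs for default-SG use and tag drift."""
    findings = []
    for res in doc.get("Reservations", []):
        for inst in res.get("Instances", []):
            actual = attached_groups(inst)
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            tagged = {n for n in tags.get(TAG_KEY, "").split(TAG_SEP) if n}
            if "default" in actual:
                findings.append((inst["InstanceId"], "default-sg-attached"))
            if tagged != actual:
                # The tag no longer describes what is really attached.
                findings.append((inst["InstanceId"], "tag-drift"))
    return findings


if __name__ == "__main__":
    for iid, issue in audit(SAMPLE):
        print(iid, issue)
```

The second and third sample instances carry a tag that looks compliant while `default` is attached, which is the case a tag-only query would miss.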