Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-insights
Overview
138Dashboards
0Benchmarks
1403Queries
0Variables
GitHub

Dashboard: AWS VPC Detail

This dashboard answers the following questions for each VPC:

  • How is the VPC configured?
  • What tags are applied?
  • What are the CIDR blocks assigned to?
  • What is the DHCP option configured?
  • What are the subnets attached to?
  • How the route tables are configured?
  • What are the peering connections associated?
  • How are NACLs configured?
  • How gateways and endpoints are configured?
  • How security groups are configured?
  • What relationships does the VPC have with other resources?
This dashboard contains 4 cards, 2 flows, 1 graph, 1 input and 11 tables.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-insights

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select AWS VPC Detail dashboard.

You could also snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe dashboard run aws_insights.dashboard.vpc_detail --share

Queries

This dashboard uses the the following queries:


with aces as (
  select
    arn,
    title,
    network_acl_id,
    is_default,
    e -> 'Protocol' as protocol_number,
    e ->> 'CidrBlock' as ipv4_cidr_block,
    e ->> 'Ipv6CidrBlock' as ipv6_cidr_block,
    coalesce(e ->> 'CidrBlock', e ->> 'Ipv6CidrBlock') as cidr_block,
    e -> 'PortRange' -> 'To' as to_port,
    e -> 'PortRange' -> 'From' as from_port,
    e ->> 'RuleAction' as rule_action,
    e -> 'RuleNumber' as rule_number,
    to_char((e->>'RuleNumber')::numeric, 'fm00000')  as rule_num_padded,


    -- e -> 'IcmpTypeCode' as icmp_type_code,
    e -> 'IcmpTypeCode' -> 'Code' as icmp_code,
    e -> 'IcmpTypeCode' -> 'Type' as icmp_type,


    e -> 'Protocol' as protocol_number,
    e -> 'Egress' as is_egress,


    case when e ->> 'RuleAction' = 'allow' then 'Allow ' else 'Deny ' end ||
      case
          when e->>'Protocol' = '-1' then 'All Traffic'
          when e->>'Protocol' = '1'  and e->'IcmpTypeCode' is null then 'All ICMP'
          when e->>'Protocol' = '58'  and e->'IcmpTypeCode' is null then 'All ICMPv6'
          when e->>'Protocol' = '6'  and e->'PortRange' is null then 'All TCP'
          when e->>'Protocol' = '17' and e->'PortRange' is null then 'All UDP'
          when e->>'Protocol' = '6' and e->'PortRange'->>'From' = '0' and e->'PortRange'->>'To' = '65535'
            then 'All TCP'
          when e->>'Protocol' = '17' and e->'PortRange'->>'From' = '0' and e->'PortRange'->>'To' = '65535'
            then  'All UDP'
          when e->>'Protocol' = '1'  and e->'IcmpTypeCode' is not null
            then concat('ICMP Type ', e->'IcmpTypeCode'->>'Type', ', Code ',  e->'IcmpTypeCode'->>'Code')
          when e->>'Protocol' = '58'  and e->'IcmpTypeCode' is not null
            then concat('ICMPv6 Type ', e->'IcmpTypeCode'->>'Type', ', Code ',  e->'IcmpTypeCode'->>'Code')
          when e->>'Protocol' = '6' and e->'PortRange'->>'To'  = e->'PortRange'->>'From'
            then  concat(e->'PortRange'->>'To', '/TCP')
          when e->>'Protocol' = '17' and e->'PortRange'->>'To'  = e->'PortRange'->>'From'
            then  concat(e->'PortRange'->>'To', '/UDP')
          when e->>'Protocol' = '6' and e->'PortRange'->>'From' <> e->'PortRange' ->> 'To'
            then  concat(e->'PortRange'->>'To', '-', e->'PortRange'->>'From', '/TCP')
          when e->>'Protocol' = '17' and e->'PortRange'->>'From' <> e->'PortRange'->>'To'
            then  concat(e->'PortRange'->>'To', '-', e->'PortRange'->>'From', '/UDP')
          else concat('Procotol: ', e->>'Protocol')
    end as rule_description,


    a ->> 'SubnetId' as subnet_id,
    a ->> 'NetworkAclAssociationId' as nacl_association_id
  from
    aws_vpc_network_acl,
    jsonb_array_elements(entries) as e,
    jsonb_array_elements(associations) as a
  where
    vpc_id = $1
    and (e -> 'Egress')::boolean
)


-- Subnet Nodes
select
  distinct subnet_id as id,
  subnet_id as title,
  'subnet' as category,
  null as from_id,
  null as to_id,
  0 as depth
from aces


-- ACL Nodes
union select
  distinct network_acl_id as id,
  network_acl_id as title,
  'nacl' as category,
  null as from_id,
  null as to_id,
  1 as depth


from aces


-- Rule Nodes
union select
  concat(network_acl_id, '_', rule_num_padded) as id,
  concat(rule_number, ': ', rule_description) as title,
  'rule' as category,
  null as from_id,
  null as to_id,
  2 as depth
from aces


-- CIDR Nodes
union select
  distinct cidr_block as id,
  cidr_block as title,
  'cidr_block' as category,
  null as from_id,
  null as to_id,
  3 as depth
from aces


-- subnet -> edge
union select
  null as id,
  null as title,
  'attached' as category,
  subnet_id as from_id,
  network_acl_id as to_id,
  null as depth
from aces


-- NACL -> Rule edge
union select
  null as id,
  null as title,
  rule_action as category,
  network_acl_id as from_id,
  concat(network_acl_id, '_', rule_num_padded) as to_id,
  null as depth
from aces


-- rule -> ip edge
union select
  null as id,
  null as title,
  rule_action as category,
  concat(network_acl_id, '_', rule_num_padded) as from_id,
  cidr_block as to_id,
  null as depth
from aces

Tags

service = AWS/VPC
type = Detail