🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-cloudtrail-log-detections
Overview
4Dashboards
86Benchmarks
96Queries
1Variables
GitHub

Detection: VPC Internet Gateway Added to Public Route Table

Overview

Detect when a Virtual Private Cloud (VPC) internet gateway was added to a public route table. Improper configurations can expose resources to the internet, increasing the risk of unauthorized access, data breaches, or malicious activity. Monitoring these changes ensures secure and intentional network designs.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.vpc_internet_gateway_added_to_public_route_table

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.vpc_internet_gateway_added_to_public_route_table --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'routeTableId' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*


from
  aws_cloudtrail_log
where
  event_source = 'ec2.amazonaws.com'
  and event_name = 'CreateRoute'
  and (request_parameters ->> 'destinationCidrBlock') = '0.0.0.0/0'
  and (request_parameters ->> 'gatewayId') like 'igw-%'
  and error_code is null


order by event_time desc;

Tags

category = Detections
mitre_attack_ids = TA0040:T1578
plugin = aws
service = AWS/VPC