Detection: VPC Network ACL Entry Updated With Allow Public Access
Overview
Detect when a Virtual Private Cloud (VPC) network ACL (NACL) rule was updated to allow public access. NACLs are a critical component of VPC security, controlling inbound and outbound traffic at the subnet level. Granting public access to a NACL exposes resources to unauthorized traffic and increases the risk of security breaches.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.vpc_network_acl_entry_updated_with_allow_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.vpc_network_acl_entry_updated_with_allow_public_access --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  string_split(event_source, '.')[1] || ':' || event_name as operation,
  request_parameters ->> 'networkAclId' as resource,
  user_identity.arn as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  aws_region as region,
  tp_id as source_id,
  *
from
  aws_cloudtrail_log
where
  event_source = 'ec2.amazonaws.com'
  and event_name in ('CreateNetworkAclEntry', 'ReplaceNetworkAclEntry')
  and (request_parameters ->> 'ruleAction') = 'allow'
  and (
    (request_parameters ->> 'cidrBlock') = '0.0.0.0/0'
    or (request_parameters ->> 'ipv6CidrBlock') = '::/0'
  )
  and error_code is null
order by
  event_time desc;
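To show what the query's WHERE clause actually selects and excludes, here is the same predicate written in plain Python and run over a handful of constructed CloudTrail records. This is an added example, not code from the aws_cloudtrail_log_detections mod. It reads the raw CloudTrail JSON field names (eventSource, eventName, requestParameters, userIdentity, errorCode, sourceIPAddress, recipientAccountId, awsRegion, eventTime, eventID); the Tailpipe columns used in the SQL (tp_timestamp, tp_index, tp_source_ip, tp_id) are assumed to map onto those fields as noted in the comments, and every ACL id, account id and ARN below is made up.

```python
"""Python mirror of the NACL public-access detection predicate, run over
constructed CloudTrail events. Added example; not the mod's own code."""
from typing import Any, Dict, List

WATCHED_EVENTS = {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def is_public_allow_rule(event: Dict[str, Any]) -> bool:
    """True when a raw CloudTrail record would satisfy the query's WHERE clause."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    # Failed API calls carry errorCode; the SQL drops them with `error_code is null`,
    # so a denied attempt to open the NACL is not reported as a change.
    if event.get("errorCode") is not None:
        return False
    params = event.get("requestParameters") or {}
    if params.get("ruleAction") != "allow":
        return False
    # Either address family wide open counts; a specific CIDR does not.
    return params.get("cidrBlock") == ANY_IPV4 or params.get("ipv6CidrBlock") == ANY_IPV6


def to_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Project the columns the SQL selects (timestamp, operation, resource, ...)."""
    # string_split(event_source, '.')[1] is 1-indexed in DuckDB, i.e. the first label.
    service = event["eventSource"].split(".")[0]
    params = event.get("requestParameters") or {}
    return {
        "timestamp": event.get("eventTime"),            # tp_timestamp (assumed mapping)
        "operation": f"{service}:{event['eventName']}",  # e.g. ec2:CreateNetworkAclEntry
        "resource": params.get("networkAclId"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),       # tp_source_ip (assumed mapping)
        "account_id": event.get("recipientAccountId"),   # tp_index (assumed mapping)
        "region": event.get("awsRegion"),
        "source_id": event.get("eventID"),               # tp_id (assumed mapping)
    }


def run_detection(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the predicate and return findings newest first (order by event_time desc)."""
    findings = [to_finding(e) for e in events if is_public_allow_rule(e)]
    findings.sort(key=lambda f: f["timestamp"] or "", reverse=True)
    return findings


# Constructed sample records (fictional ids, account and principal).
_BASE = {
    "eventSource": "ec2.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
    "sourceIPAddress": "198.51.100.10",
    "recipientAccountId": "123456789012",
    "awsRegion": "us-east-1",
}
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 1. IPv4 allow-all via CreateNetworkAclEntry: should match.
    {**_BASE, "eventTime": "2024-05-01T10:00:00Z", "eventID": "evt-1",
     "eventName": "CreateNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}},
    # 2. IPv6 allow-all via ReplaceNetworkAclEntry: should match.
    {**_BASE, "eventTime": "2024-05-01T11:00:00Z", "eventID": "evt-2",
     "eventName": "ReplaceNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0fedcba9876543210", "ruleAction": "allow", "ipv6CidrBlock": "::/0"}},
    # 3. Deny rule on 0.0.0.0/0 is a hardening change, not an exposure: no match.
    {**_BASE, "eventTime": "2024-05-01T12:00:00Z", "eventID": "evt-3",
     "eventName": "CreateNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleAction": "deny", "cidrBlock": "0.0.0.0/0"}},
    # 4. Allow rule scoped to a private range: no match.
    {**_BASE, "eventTime": "2024-05-01T13:00:00Z", "eventID": "evt-4",
     "eventName": "CreateNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleAction": "allow", "cidrBlock": "10.0.0.0/8"}},
    # 5. Same change but the API call failed (errorCode present): no match.
    {**_BASE, "eventTime": "2024-05-01T14:00:00Z", "eventID": "evt-5",
     "eventName": "CreateNetworkAclEntry", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}},
    # 6. Unwatched event name: no match.
    {**_BASE, "eventTime": "2024-05-01T15:00:00Z", "eventID": "evt-6",
     "eventName": "DeleteNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 100, "egress": False}},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings, the IPv6 replacement first because the query sorts by event time descending. Note that the predicate, like the SQL it mirrors, only fires on the literal all-zero CIDRs and on successful calls; if your environment should also flag very broad but non-zero ranges, that is a deliberate extension of the `cidrBlock` comparison rather than something the stock detection covers.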