Detection: VPC Security Group Ingress/Egress Rule Updated
Overview
Detect when a Virtual Private Cloud (VPC) security group ingress or egress rule was updated. Changes to security group rules can impact network security, potentially exposing resources to unauthorized access or disrupting legitimate communication. Monitoring these updates helps ensure the security and availability of your resources.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.vpc_security_group_ingress_egress_rule_updatedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.vpc_security_group_ingress_egress_rule_updated --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'groupId' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'ec2.amazonaws.com' and event_name in ('AuthorizeSecurityGroupEgress', 'AuthorizeSecurityGroupIngress', 'RevokeSecurityGroupEgress', 'RevokeSecurityGroupIngress') and error_code is null
order by event_time desc;