🚀Launch Week 07, January 27th - 31st, 2025🚀

Plugins Docs Home

turbot/tailpipe-mod-aws-cloudtrail-log-detections

activity_dashboard_logs_by_account activity_dashboard_logs_by_actor activity_dashboard_logs_by_event activity_dashboard_logs_by_region activity_dashboard_logs_by_service activity_dashboard_logs_by_source_ip activity_dashboard_total_logs cloudfront_distribution_default_certificate_disabled cloudfront_distribution_logging_disabled cloudtrail_trail_global_service_logging_disabled cloudtrail_trail_kms_key_updated cloudtrail_trail_logging_stopped cloudtrail_trail_s3_logging_bucket_updated cloudwatch_log_group_created_with_encryption_disabled codebuild_project_environment_variable_updated codebuild_project_service_role_updated codebuild_project_source_repository_updated codebuild_project_visibility_set_public config_configuration_recorder_stopped config_rule_deleted ebs_encryption_by_default_disabled ebs_snapshot_created_with_encryption_disabled ebs_snapshot_shared_publicly ebs_snapshot_unlocked ebs_volume_detached ec2_ami_shared_publicly ec2_instance_launched_with_public_ip ec2_key_pair_deleted ec2_reserved_instance_purchased efs_file_system_backup_policy_disabled eventbridge_rule_deleted eventbridge_rule_disabled guardduty_detector_deleted iam_access_key_created iam_access_key_deleted iam_group_administrator_policy_attached iam_group_inline_policy_updated iam_identity_created_without_cloudformation iam_role_administrator_policy_attached iam_role_inline_policy_updated iam_role_managed_policy_attached iam_root_user_console_login iam_root_user_email_address_updated iam_user_administrator_policy_attached iam_user_created iam_user_inline_policy_updated iam_user_login_profile_created iam_user_login_profile_updated iam_user_managed_policy_attached iam_user_mfa_device_deactivated iam_user_password_changed kms_key_deletion_scheduled lambda_function_created_with_function_code_encryption_at_rest_disabled lambda_function_granted_public_access rds_db_cluster_deletion_protection_disabled rds_db_instance_assigned_public_ip_address rds_db_instance_deletion_protection_disabled rds_db_instance_iam_authentication_disabled rds_db_instance_master_password_updated rds_db_instance_restored_from_public_snapshot root_user_activity_report_aws_accounts_input root_user_activity_report_table root_user_activity_report_total_logs route_53_domain_transfer_lock_disabled route_53_domain_transferred route_53_hosted_zone_associated_with_vpc s3_bucket_block_public_access_disabled s3_bucket_deleted s3_bucket_policy_granted_public_access s3_bucket_policy_updated s3_large_file_downloaded ses_identity_feedback_forwarding_disabled sns_topic_granted_public_access sqs_queue_created_with_encryption_at_rest_disabled sqs_queue_dlq_disabled sqs_queue_granted_public_access ssm_document_shared_publicly vpc_classic_link_enabled vpc_created vpc_deleted vpc_flow_log_deleted vpc_internet_gateway_added_to_public_route_table vpc_internet_gateway_detached vpc_network_acl_entry_updated vpc_network_acl_entry_updated_with_allow_public_access vpc_peering_connection_deleted vpc_route_table_association_replaced vpc_route_table_deleted vpc_route_table_route_deleted vpc_route_table_route_disassociated vpc_security_group_deleted vpc_security_group_ingress_egress_rule_authorized_to_allow_all vpc_security_group_ingress_egress_rule_updated waf_web_acl_disassociated_from_cloudfront_distribution waf_web_acl_disassociated_from_elb_application_load_balancer waf_web_acl_logging_disabled

Query: vpc_network_acl_entry_updated_with_allow_public_access

Usage

powerpipe query aws_cloudtrail_log_detections.query.vpc_network_acl_entry_updated_with_allow_public_access

Tailpipe Tables

aws_cloudtrail_log

Amazon Web Services plugin

SQL

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'networkAclId' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*

from
  aws_cloudtrail_log
where
  event_source = 'ec2.amazonaws.com'
  and event_name in ('CreateNetworkAclEntry', 'ReplaceNetworkAclEntry')
  and (request_parameters ->> 'ruleAction') = 'allow'
  and ((request_parameters ->> 'cidrBlock') = '0.0.0.0/0' or (request_parameters ->> 'ipv6CidrBlock') = '::/0')
  and error_code is null

order by 
  event_time desc;

Detections

The query is being used by the following detections:

VPC Network ACL Entry Updated With Allow Public Access