This CloudWatch Events rule Lambda function evaluates AWS API calls that change Amazon EC2 security group ingress rules. The function flags rules that violate a preconfigured policy.
Clone or download
jeffscottlevine Added Support for IPv6
I added "Ipv6Ranges" to the REQUIRED_PERMISSIONS data structure to accommodate the changes within IpPermission data types due to the addition of support for IPv6 within Amazon VPC.
Latest commit b85e722 Jan 14, 2017
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit Oct 13, 2016
README.md Initial commit Oct 17, 2016
amzcwevents_lambda_security_group.py

README.md

cwe-monitor-secgrp

This CloudWatch Events rule Lambda function is used to look at invocations of the authorize_security_group_ingress() and revoke_security_group_ingress() API calls. When such as call is made, the function examines the contents of the applicable security group to determine if it matches a pre-configured policy. The policy is hardcoded into the Lambda function using an IpPermisions structure which is in the same format as the IpPermissions structure used by the describe_security_groups() API call. If the security group permissions do not match the pre-configured policy, the function sends log messages to CloudWatch logs saying what permissions need to be added or revoked in order to bring the group ingress rules into compliance.

In order to select the appropriate API call and security group for the CloudWatch events rule, you should use a JSON event selector. An example of such a selector appears below. Substitute "sg-abc12345" with the id of the specific security group you wish to inspect.

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "RevokeSecurityGroupIngress"
    ],
    "requestParameters": {
      "groupId": [
        "sg-abc12345"
      ]
    }
  }
}