This CloudWatch Events rule Lambda function evaluates AWS API calls that change Amazon EC2 security group ingress rules. The function flags rules that violate a preconfigured policy.
Python
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
LICENSE
README.md
amzcwevents_lambda_security_group.py

README.md

cwe-monitor-secgrp

This CloudWatch Events rule Lambda function is used to look at invocations of the authorize_security_group_ingress() and revoke_security_group_ingress() API calls. When such as call is made, the function examines the contents of the applicable security group to determine if it matches a pre-configured policy. The policy is hardcoded into the Lambda function using an IpPermisions structure which is in the same format as the IpPermissions structure used by the describe_security_groups() API call. If the security group permissions do not match the pre-configured policy, the function sends log messages to CloudWatch logs saying what permissions need to be added or revoked in order to bring the group ingress rules into compliance.

In order to select the appropriate API call and security group for the CloudWatch events rule, you should use a JSON event selector. An example of such a selector appears below. Substitute "sg-abc12345" with the id of the specific security group you wish to inspect.

{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "AuthorizeSecurityGroupIngress",
      "RevokeSecurityGroupIngress"
    ],
    "requestParameters": {
      "groupId": [
        "sg-abc12345"
      ]
    }
  }
}