Query Details

AWS Cloud Trail AWS Network ACL Open To All Ports

Query

// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
// https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
AWSCloudTrail
| where EventName in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry")
    and isempty(ErrorCode)
    and isempty(ErrorMessage)
| extend DynamicRequestParameters = todynamic(RequestParameters)
| extend
    NetworkAclId = tostring(DynamicRequestParameters["networkAclId"]),
    RuleNumber = toint(DynamicRequestParameters["ruleNumber"]),
    Egress = tobool(DynamicRequestParameters["egress"]),
    RuleAction = tostring(DynamicRequestParameters["ruleAction"]),
    PortFrom = toint(DynamicRequestParameters["portRange"]["from"]),
    PortTo = toint(DynamicRequestParameters["portRange"]["to"]),
    AclProtocol = toint(DynamicRequestParameters["aclProtocol"]),
    CiderBlock = tostring(coalesce(DynamicRequestParameters["cidrBlock"], DynamicRequestParameters["ipv6CidrBlock"]))
| where not(Egress) and RuleAction == "allow" and (AclProtocol == -1 or (PortTo - PortFrom) > 100)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    NetworkAclId,
    RuleNumber,
    Egress,
    RuleAction,
    PortFrom,
    PortTo,
    AclProtocol,
    CiderBlock,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs, specifically focusing on events related to the creation or replacement of network ACL (Access Control List) entries in AWS EC2. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by querying the AWSCloudTrail data source.

  2. Event Filtering: The query filters for events where the EventName is either "CreateNetworkAclEntry" or "ReplaceNetworkAclEntry". It ensures that these events do not have any associated errors by checking that ErrorCode and ErrorMessage are empty.

  3. Extracting Parameters: It extracts various parameters from the RequestParameters field, converting them into appropriate data types:

    • NetworkAclId: The ID of the network ACL.
    • RuleNumber: The rule number within the ACL.
    • Egress: A boolean indicating if the rule is for outbound traffic.
    • RuleAction: The action of the rule, such as "allow" or "deny".
    • PortFrom and PortTo: The range of ports the rule applies to.
    • AclProtocol: The protocol number used by the rule.
    • CiderBlock: The CIDR block (IPv4 or IPv6) the rule applies to.
  4. Specific Conditions: It further filters the data to include only those entries where:

    • The rule is for inbound traffic (Egress is false).
    • The rule action is "allow".
    • The protocol is unspecified (AclProtocol is -1) or the port range is greater than 100.
  5. Role Information: It invokes a function AWSIdentityRole() to gather additional identity-related information.

  6. Projection: Finally, it selects a wide range of fields to include in the output, such as:

    • Event details (e.g., TimeGenerated, EventName, EventSource).
    • User identity details (e.g., UserIdentityType, Identity, UserIdentityAccountId).
    • Network ACL details (e.g., NetworkAclId, RuleNumber, RuleAction).
    • Other metadata (e.g., SourceIpAddress, AWSRegion, UserAgent).

In summary, this query is used to identify and analyze specific network ACL entry operations in AWS that allow inbound traffic, focusing on rules with either unspecified protocols or large port ranges, and provides detailed information about these events and the identities involved.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailNetworkAclEntryEventUserIdentityRoleAccountRegionSessionSourceIpAddressEventSourceEventTypeNameManagementEventResourcesUserAgent

Operators

|inandisemptyextendtodynamictostringtointtoboolcoalescenot==->invokeproject

Actions

GitHub