AWS Cloud Trail AWS Network ACL Open To All Ports
Query
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
// https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
AWSCloudTrail
| where EventName in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry")
and isempty(ErrorCode)
and isempty(ErrorMessage)
| extend DynamicRequestParameters = todynamic(RequestParameters)
| extend
NetworkAclId = tostring(DynamicRequestParameters["networkAclId"]),
RuleNumber = toint(DynamicRequestParameters["ruleNumber"]),
Egress = tobool(DynamicRequestParameters["egress"]),
RuleAction = tostring(DynamicRequestParameters["ruleAction"]),
PortFrom = toint(DynamicRequestParameters["portRange"]["from"]),
PortTo = toint(DynamicRequestParameters["portRange"]["to"]),
AclProtocol = toint(DynamicRequestParameters["aclProtocol"]),
CiderBlock = tostring(coalesce(DynamicRequestParameters["cidrBlock"], DynamicRequestParameters["ipv6CidrBlock"]))
| where not(Egress) and RuleAction == "allow" and (AclProtocol == -1 or (PortTo - PortFrom) > 100)
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
NetworkAclId,
RuleNumber,
Egress,
RuleAction,
PortFrom,
PortTo,
AclProtocol,
CiderBlock,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs, specifically focusing on events related to the creation or replacement of network ACL (Access Control List) entries in AWS EC2. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by querying the
AWSCloudTraildata source. -
Event Filtering: The query filters for events where the
EventNameis either "CreateNetworkAclEntry" or "ReplaceNetworkAclEntry". It ensures that these events do not have any associated errors by checking thatErrorCodeandErrorMessageare empty. -
Extracting Parameters: It extracts various parameters from the
RequestParametersfield, converting them into appropriate data types:NetworkAclId: The ID of the network ACL.RuleNumber: The rule number within the ACL.Egress: A boolean indicating if the rule is for outbound traffic.RuleAction: The action of the rule, such as "allow" or "deny".PortFromandPortTo: The range of ports the rule applies to.AclProtocol: The protocol number used by the rule.CiderBlock: The CIDR block (IPv4 or IPv6) the rule applies to.
-
Specific Conditions: It further filters the data to include only those entries where:
- The rule is for inbound traffic (
Egressis false). - The rule action is "allow".
- The protocol is unspecified (
AclProtocolis -1) or the port range is greater than 100.
- The rule is for inbound traffic (
-
Role Information: It invokes a function
AWSIdentityRole()to gather additional identity-related information. -
Projection: Finally, it selects a wide range of fields to include in the output, such as:
- Event details (e.g.,
TimeGenerated,EventName,EventSource). - User identity details (e.g.,
UserIdentityType,Identity,UserIdentityAccountId). - Network ACL details (e.g.,
NetworkAclId,RuleNumber,RuleAction). - Other metadata (e.g.,
SourceIpAddress,AWSRegion,UserAgent).
- Event details (e.g.,
In summary, this query is used to identify and analyze specific network ACL entry operations in AWS that allow inbound traffic, focusing on rules with either unspecified protocols or large port ranges, and provides detailed information about these events and the identities involved.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators