Using CloudWatch filter patterns to find security group rules that have cidrIp = "0.0.0.0/0"

I'd like to create a CloudWatch filter pattern which looks for security group rules that have CIDR = "0.0.0.0/0" whenever someone creates them. Let's say I have a log event:

"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "eu-central-1",
"userAgent": "EC2ConsoleFrontend, aws-internal/3 aws-sdk-java/1.12.150 Linux/5.4.172-100.336.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.322-b06 java/1.8.0_322 vendor/Oracle_Corporation cfg/retry-mode/standard",
"requestParameters": {
    "groupId": "sg-7f1ca612",
    "ipPermissions": {
        "items": [
            {
                "ipProtocol": "tcp",
                "fromPort": 389,
                "toPort": 389,
                "groups": {},
                "ipRanges": {
                    "items": [
                        {
                            "cidrIp": "0.0.0.0/0"
                        }
                    ]
                },
                "ipv6Ranges": {},
                "prefixListIds": {}
            },
            {
                "ipProtocol": "udp",
                "fromPort": 53,
                "toPort": 53,
                "groups": {},
                "ipRanges": {
                    "items": [
                        {
                            "cidrIp": "0.0.0.0/0"
                        }
                    ]
                },
                "ipv6Ranges": {},
                "prefixListIds": {}
            }
        ]
    }
},
"responseElements": {
    "requestId": "1dfe243d-24b3-47c2-acc1-12131f4feb40",
    "_return": true,
    "securityGroupRuleSet": {
        "items": [
            {
                "groupOwnerId": "030563857246",
                "groupId": "sg-7f1ca612",
                "securityGroupRuleId": "sgr-0811c8cc4768b7c30",
                "isEgress": false,
                "ipProtocol": "tcp",
                "fromPort": 389,
                "toPort": 389,
                "cidrIpv4": "0.0.0.0/0"
            },
            {
                "groupOwnerId": "030563857246",
                "groupId": "sg-7f1ca612",
                "securityGroupRuleId": "sgr-0a0527ecab37548b0",
                "isEgress": false,
                "ipProtocol": "udp",
                "fromPort": 53,
                "toPort": 53,
                "cidrIpv4": "0.0.0.0/0"
            }
        ]
    }
},

I tried the query below, but it is not correct, as the responseElements.securityGroupRuleSet.items list may have more than one element.

{(($.eventName=AuthorizeSecurityGroupIngress) && ($.responseElements.securityGroupRuleSet.items[0].cidrIpv4 = "0.0.0.0/0"))}

I tried to change items[0] to items[*], but that is invalid syntax. Any idea?



Solution 1:[1]

An alternate way, provided in the documentation, is to use CloudTrail + EventBridge + SNS to achieve what you want. CloudTrail will log all the account changes, EventBridge will filter those changes, and SNS will trigger the notification.

Sample implementation for similar use-case is shown here: https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Hussain Mansoor
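As an added example (not code from the question, the answer, or the linked Knowledge Center article), the detection logic below runs over a constructed CloudTrail event modelled on the one in the question and shows why checking items[0] is not enough: it walks every element of ipPermissions.items and of each rule's ipRanges and ipv6Ranges, also catches ::/0, and pulls the securityGroupRuleIds out of responseElements for remediation. The function and constant names (world_open_rules, WATCHED_EVENTS, _items, and so on) are chosen here. EVENTBRIDGE_PATTERN is an assumption built from EventBridge's documented array matching (a field nested under an array matches if any element matches, so no index is needed); the article linked in the answer matches on eventName only, and this narrows it to world-open IPv4 rules.

```python
"""Check every rule in an AuthorizeSecurityGroupIngress CloudTrail event."""
import json

# Constructed sample adapted from the event in the question (not a real log):
# the first rule is restricted to 10.0.0.0/8, the second is open to the world.
# A check that only inspects items[0], as the question's filter pattern does,
# misses the second rule.
SAMPLE_EVENT = json.loads(r"""{
  "eventName": "AuthorizeSecurityGroupIngress",
  "awsRegion": "eu-central-1",
  "requestParameters": {
    "groupId": "sg-7f1ca612",
    "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 389, "toPort": 389, "groups": {},
       "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
       "ipv6Ranges": {}, "prefixListIds": {}},
      {"ipProtocol": "udp", "fromPort": 53, "toPort": 53, "groups": {},
       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
       "ipv6Ranges": {}, "prefixListIds": {}}
    ]}
  },
  "responseElements": {
    "_return": true,
    "securityGroupRuleSet": {"items": [
      {"groupId": "sg-7f1ca612", "securityGroupRuleId": "sgr-0811c8cc4768b7c30",
       "isEgress": false, "ipProtocol": "tcp", "fromPort": 389, "toPort": 389,
       "cidrIpv4": "10.0.0.0/8"},
      {"groupId": "sg-7f1ca612", "securityGroupRuleId": "sgr-0a0527ecab37548b0",
       "isEgress": false, "ipProtocol": "udp", "fromPort": 53, "toPort": 53,
       "cidrIpv4": "0.0.0.0/0"}
    ]}
  }
}""")

# Both "anywhere" CIDRs; a filter that only tests 0.0.0.0/0 ignores IPv6.
WORLD_OPEN = {"0.0.0.0/0", "::/0"}
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}


def _items(obj, key):
    """CloudTrail serialises EC2 lists as {"key": {"items": [...]}} or {}."""
    return ((obj or {}).get(key) or {}).get("items") or []


def world_open_rules(event):
    """Return (ipProtocol, fromPort, toPort, cidr) for every requested rule
    whose source is 0.0.0.0/0 or ::/0, scanning all ipPermissions entries.

    requestParameters is used because it is present even for denied calls,
    where CloudTrail sets responseElements to null and adds errorCode.
    """
    if event.get("eventName") not in WATCHED_EVENTS:
        return []
    findings = []
    for perm in _items(event.get("requestParameters"), "ipPermissions"):
        cidrs = [r.get("cidrIp") for r in _items(perm, "ipRanges")]
        cidrs += [r.get("cidrIpv6") for r in _items(perm, "ipv6Ranges")]
        for cidr in cidrs:
            if cidr in WORLD_OPEN:
                findings.append((perm.get("ipProtocol"), perm.get("fromPort"),
                                 perm.get("toPort"), cidr))
    return findings


def world_open_rule_ids(event):
    """Rule IDs from responseElements that are open to the world; these are
    what `aws ec2 revoke-security-group-ingress --security-group-rule-ids`
    needs for remediation. Empty when the call failed (responseElements null).
    """
    return [r["securityGroupRuleId"]
            for r in _items(event.get("responseElements"), "securityGroupRuleSet")
            if r.get("cidrIpv4") in WORLD_OPEN or r.get("cidrIpv6") in WORLD_OPEN]


def first_item_only(event):
    """The check the question's filter pattern performs: items[0] only.
    Returns False on SAMPLE_EVENT although the second rule is wide open."""
    items = _items(event.get("responseElements"), "securityGroupRuleSet")
    return bool(items) and items[0].get("cidrIpv4") == "0.0.0.0/0"


# Assumption: EventBridge matches a field nested under an array if any element
# matches, so the rule pattern needs no index. IPv4 only; ::/0 needs a second
# rule (or an $or clause), since pattern fields are ANDed together.
EVENTBRIDGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventName": sorted(WATCHED_EVENTS),
        "requestParameters": {"ipPermissions": {"items": {
            "ipRanges": {"items": {"cidrIp": ["0.0.0.0/0"]}}}}},
    },
}

if __name__ == "__main__":
    print("items[0] check:", first_item_only(SAMPLE_EVENT))
    print("all items:", world_open_rules(SAMPLE_EVENT), world_open_rule_ids(SAMPLE_EVENT))
    print(json.dumps(EVENTBRIDGE_PATTERN, indent=2))
```

Run it with python3; the items[0] check reports False while the full walk reports the udp/53 rule and its sgr-0a0527ecab37548b0 ID. In a Lambda target behind the EventBridge rule, `world_open_rules(event["detail"])` gives the same result, since the CloudTrail record sits under detail there.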