Reputation: 33
I'm trying to get all the security groups that are open to "All traffic" from any IP address (0.0.0.0/0). For us, it means they haven't been correctly configured.
I found how to find those that contain a rule that allows SSH traffic (port 22) and a rule that allows traffic from all IP addresses (0.0.0.0/0). I've tried it, but I still don't have what I'm looking for: I want those that allow all protocols and all ports (all traffic) from 0.0.0.0/0.
Thanks for any suggestions.
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' Name=vpc-id,Values=XXXXX Name=ip-permission.from-port,Values='*' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
Upvotes: 3
Views: 4396
Reputation: 3973
You're on the right track. If you use -1 as the value for ip-permission.protocol, it will return Security Groups open to all traffic.
I created this Security Group (delete immediately) as a test:
When I run the aws command with the above filter and the filter for CIDR = 0.0.0.0/0, as such:
aws ec2 --region eu-west-1 describe-security-groups --filter Name=ip-permission.protocol,Values=-1 Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
It returned this output:
------------------------------------------------
| DescribeSecurityGroups |
+-----------------------+----------------------+
| ID | Name |
+-----------------------+----------------------+
| sg-0142cbca58aac3836 | delete immediately |
+-----------------------+----------------------+
UPDATE
To generate a list of security groups that allow all outbound traffic, use the following:
aws ec2 describe-security-groups --filter Name=egress.ip-permission.protocol,Values=-1 Name=egress.ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output table
Upvotes: 8
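A caveat on the accepted approach, plus an added example that is not part of the question or the answer above. The `--filter` conditions on `describe-security-groups` are each satisfied by the group as a whole, not by one rule: a group with one rule for protocol -1 from 10.0.0.0/8 and a separate TCP/22 rule from 0.0.0.0/0 matches both `ip-permission.protocol,Values=-1` and `ip-permission.cidr,Values='0.0.0.0/0'`, even though no single rule is "all traffic from anywhere". The filters also only look at IPv4; a rule for all traffic from `::/0` is just as open. To check per rule you can move the condition into the JMESPath query, e.g. `--query "SecurityGroups[?IpPermissions[?IpProtocol=='-1' && contains(IpRanges[].CidrIp, '0.0.0.0/0')]].{Name:GroupName,ID:GroupId}"`, or post-process the JSON as the script below does. The script is my own; it reads the JSON that `aws ec2 describe-security-groups --output json` prints on stdin, and falls back to a constructed sample (made-up group IDs, names and VPC ID) when run without input. `filter_style_match` deliberately reproduces the looser filter semantics so the difference is visible.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON
# output. Group IDs, names and the VPC ID are made up for this example.
SAMPLE_JSON = r'''
{"SecurityGroups": [
  {"GroupName": "delete immediately", "GroupId": "sg-0aaaaaaaaaaaaaaaa", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupName": "filter-false-positive", "GroupId": "sg-0bbbbbbbbbbbbbbbb", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupName": "ipv6-wide-open", "GroupId": "sg-0ccccccccccccccccc", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": []}
]}
'''

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anyone on the internet", IPv4 and IPv6


def rule_is_all_traffic(rule):
    """True for an 'All traffic' rule: IpProtocol -1 covers every protocol and port."""
    return rule.get("IpProtocol") == "-1"


def rule_is_world_open(rule):
    """True if this rule's own CIDR list contains 0.0.0.0/0 or ::/0."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def all_traffic_from_world(groups, direction="ingress"):
    """Groups where a SINGLE rule is both all-traffic and world-open.
    direction selects IpPermissions (ingress) or IpPermissionsEgress (egress)."""
    key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
    return [
        (sg["GroupId"], sg["GroupName"])
        for sg in groups
        if any(rule_is_all_traffic(r) and rule_is_world_open(r) for r in sg.get(key, []))
    ]


def filter_style_match(groups):
    """Reproduces the two --filter conditions from the answer, which the API
    satisfies independently: any ingress rule with protocol -1 plus any
    (possibly different) ingress rule with 0.0.0.0/0 is enough to match."""
    out = []
    for sg in groups:
        rules = sg.get("IpPermissions", [])
        has_all = any(rule_is_all_traffic(r) for r in rules)
        has_v4_world = any(
            any(x.get("CidrIp") == "0.0.0.0/0" for x in r.get("IpRanges", [])) for r in rules
        )
        if has_all and has_v4_world:
            out.append(sg["GroupId"])
    return out


def load_groups(text):
    """Parse describe-security-groups JSON and return the SecurityGroups list."""
    return json.loads(text)["SecurityGroups"]


if __name__ == "__main__":
    # aws ec2 describe-security-groups --output json | python3 open_sgs.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    groups = load_groups(text)
    for direction in ("ingress", "egress"):
        for gid, name in all_traffic_from_world(groups, direction):
            print(f"{direction}\t{gid}\t{name}")
```

On the sample, the per-rule check flags "delete immediately" and "ipv6-wide-open" for ingress and "delete immediately" and "filter-false-positive" for egress, while the filter-style check flags "filter-false-positive" on ingress even though its only world-open rule is TCP/22.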