sks

Reputation: 53

AWS CLI expression: Bad jmespath expression: Unknown token

I run the query below and it works.

aws ec2 describe-security-groups \
          --filters Name=ip-permission.from-port,Values=21 Name=ip-permission.to-Port,Values=21  \
          --query 'SecurityGroups[].[Tags[?Key==`Owner`] | [0].Value, GroupId]' \
          --output text

But when trying to get security groups that have open traffic for all and the value of the Tag=Owner, I run this and get a jmespath error.

aws ec2 describe-security-groups --filters Name=ip-permission.protocol,Values=-1 --query SecurityGroups[?IpPermissions[?IpProtocol == '-1' && contains(IpRanges[].CidrIp,'0.0.0.0/0')]].[Tags[?Key==`Owner`] | [0].Value, GroupId]' --output=text 

Bad value for --query SecurityGroups[?IpPermissions[?IpProtocol == -1 && contains(IpRanges[].CidrIp,0.0.0.0/0)]].[Tags[?Key==Owner] | [0].Value, GroupId]: Bad jmespath expression: Unknown token /:""

Upvotes: 2

Views: 10158

Answers (2)

Axblert

Reputation: 576

I had to wrap the chars that threw an error in a 'quote' symbol and successfully retrieved an output afterwards:

    aws rds describe-db-instances \
      --query "*[].[dbidentifier,'dbidentifier.cx32323sss6ib.eu-central-1.rds.amazonaws.com','5432',admin]"

Upvotes: 3

Nathan Wallace

Reputation: 79

Personally I prefer Steampipe, a CLI that can query AWS resources using SQL. It can be more verbose than JMES, but is much easier to read and more flexible to query.

Here is your first query as SQL using the aws_vpc_security_group_rule table:

select
  sg.tags ->> 'Owner' as owner,
  sg.group_id
from
  aws_vpc_security_group as sg
  join aws_vpc_security_group_rule as rule on sg.group_id = rule.group_id
where
  rule.type = 'ingress'
  and from_port = 22
  and to_port = 22;

And here is a query to find the open ports:

select
  sg.tags->>'Owner',
  sg.group_id
from
  aws_vpc_security_group as sg
  join aws_vpc_security_group_rule as rule on sg.group_id = rule.group_id
where
  rule.type = 'ingress'
  and rule.ip_protocol = '-1'
  and rule.cidr_ip = '0.0.0.0/0';

Upvotes: 1
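The JMESPath expression in the question is valid once the shell hands it to the CLI intact; the error shows the inner quotes were stripped before the CLI saw it. The Python below is an added example, not code from the question or either answer: it re-implements the same filter over a constructed describe-security-groups document so the match condition and the missing-Owner-tag case (which JMESPath renders as null) can be checked offline.

```python
import json

# Equivalent CLI form, assuming a POSIX shell: double-quote the whole expression
# so the shell keeps the inner single quotes and the && operator:
#   --query "SecurityGroups[?IpPermissions[?IpProtocol == '-1' && \
#     contains(IpRanges[].CidrIp, '0.0.0.0/0')]].[Tags[?Key=='Owner'] | [0].Value, GroupId]"

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON output.
SAMPLE = json.loads(r'''
{"SecurityGroups": [
  {"GroupId": "sg-0a1", "Tags": [{"Key": "Owner", "Value": "alice"}],
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0b2", "Tags": [],
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0c3", "Tags": [{"Key": "Name", "Value": "internal"}],
   "IpPermissions": [{"IpProtocol": "-1",
                      "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]}]}
]}
''')


def owner_tag(group):
    """Mirror of Tags[?Key==`Owner`] | [0].Value: None when no Owner tag exists."""
    owners = [t["Value"] for t in group.get("Tags", []) if t.get("Key") == "Owner"]
    return owners[0] if owners else None


def permits_all_traffic_from_anywhere(perm):
    """Mirror of IpProtocol == '-1' && contains(IpRanges[].CidrIp, '0.0.0.0/0')."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    return perm.get("IpProtocol") == "-1" and "0.0.0.0/0" in cidrs


def wide_open_groups(payload):
    """Return [owner, group_id] rows, like the multiselect list in the --query.

    A group matches when at least one ingress permission passes the inner
    filter, which is what the non-empty-list test in ?IpPermissions[...] does.
    """
    rows = []
    for sg in payload.get("SecurityGroups", []):
        if any(permits_all_traffic_from_anywhere(p) for p in sg.get("IpPermissions", [])):
            rows.append([owner_tag(sg), sg["GroupId"]])
    return rows


if __name__ == "__main__":
    for owner, gid in wide_open_groups(SAMPLE):
        print("None" if owner is None else owner, gid)
```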
