
security-group-analyzer


Audit AWS security groups for overly permissive rules and security vulnerabilities. Use when reviewing AWS security, auditing security groups, or improving network security posture.


Marketplace: fastagent-marketplace (armanzeroeight/fastagent-plugins)

Plugin: aws-toolkit (Cloud Infrastructure)

Repository: armanzeroeight/fastagent-plugins (20 stars)

Path: plugins/aws-toolkit/skills/security-group-analyzer/SKILL.md

Last Verified

January 21, 2026

Install Skill

npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/aws-toolkit/skills/security-group-analyzer/SKILL.md -a claude-code --skill security-group-analyzer

Installation path (Claude Code): .claude/skills/security-group-analyzer/

Instructions

# Security Group Analyzer

Audit AWS security groups and identify security vulnerabilities.

## Quick Start

List security groups, find rules whose source is 0.0.0.0/0 (or ::/0), and restrict each group to the minimum ports and source ranges the workload actually needs.

## Instructions

### Security Group Audit Process

1. **List all security groups**
2. **Identify overly permissive rules**
3. **Check for unused security groups**
4. **Recommend restrictions**
5. **Implement changes**

### List Security Groups

```bash
# List all security groups
aws ec2 describe-security-groups \
  --query 'SecurityGroups[].[GroupId,GroupName,Description]' \
  --output table

# Get specific security group
aws ec2 describe-security-groups \
  --group-ids sg-1234567890abcdef0
```

### Common Security Issues

**1. Open to the world (0.0.0.0/0 or ::/0)**

Find security groups with unrestricted inbound access. The filter narrows the result to groups that have such a rule; the JMESPath query then keeps only the open rules themselves (the CIDR is in a raw string literal, so the whole query is double-quoted for the shell):
```bash
aws ec2 describe-security-groups \
  --filters "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query "SecurityGroups[].[GroupId,GroupName,IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]]"
```

Repeat with `--filters "Name=ip-permission.ipv6-cidr,Values=::/0"` and `Ipv6Ranges[?CidrIpv6=='::/0']` in the query: a rule open to `::/0` is just as exposed, and the IPv4 filter above does not match it.

**High-risk ports open to 0.0.0.0/0:**
- 22 (SSH)
- 3389 (RDP)
- 3306 (MySQL)
- 5432 (PostgreSQL)
- 27017 (MongoDB)
- 6379 (Redis)

A rule for all traffic (protocol `-1`) or for a port range that contains one of these ports (for example 0-65535 or 20-30) is equally exposed, so check containment rather than an exact port match. Ports 80 and 443 open to the world are expected on internet-facing load balancers and are not a finding by themselves.

**2. Unrestricted outbound rules**

Every security group is created with an outbound rule allowing all traffic to 0.0.0.0/0 (and ::/0 on IPv6-enabled groups). Unrestricted egress lets a compromised instance exfiltrate data or reach command-and-control infrastructure freely, so where the workload's destinations are known (a database tier that only answers the application tier, a service that reaches AWS APIs through VPC endpoints) replace it with explicit egress rules:
```bash
# Check outbound rules
aws ec2 describe-security-groups \
  --group-ids sg-1234567890abcdef0 \
  --query 'SecurityGroups[].IpPermissionsEgress'
```

**3. Unused security groups**

A group is in use if any elastic network interface carries it (EC2, RDS, Lambda, ELB and most other services attach through ENIs) or if another group's rule references it as a source; check both before deleting:
```bash
# All security groups in the region, one ID per line
aws ec2 describe-security-groups --query 'SecurityGroups[].GroupId' \
  --output text | tr '\t' '\n' | sort -u > all-sgs.txt

# Groups attached to any network interface
aws ec2 describe-network-interfaces --query 'NetworkInterfaces[].Groups[].GroupId' \
  --output text | tr '\t' '\n' > used-sgs.txt
# Groups referenced as the source of another group's rules are also in use
aws ec2 describe-security-groups --query 'SecurityGroups[].IpPermissions[].UserIdGroupPairs[].GroupId' \
  --output text | tr '\t' '\n' >> used-sgs.txt

# Compare to find unused (the VPC "default" group cannot be deleted and will appear here)
sort -u used-sgs.txt -o used-sgs.txt
comm -23 all-sgs.txt used-sgs.txt
```
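The three checks above (world-open ingress with port-range and IPv6 handling, unrestricted egress, and unused groups that are neither attached nor referenced) can be run as one pass over the JSON that `aws ec2 describe-security-groups --output json` or boto3's `describe_security_groups()` returns. The analyzer below is an added example for this page, not code from the skill or its repository; the function names, severity labels, short group IDs and the `SAMPLE_GROUPS` data are constructed for illustration, and the attached-group set would come from `describe-network-interfaces` in practice.

```python
"""Audit AWS security-group rules from a describe-security-groups response.

Added example, not the skill's own code. It consumes the same JSON shape as
`aws ec2 describe-security-groups --output json`; SAMPLE_GROUPS is constructed.
"""
import ipaddress

# High-risk ports from the skill's list; 80/443 are normally expected to be public.
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   27017: "MongoDB", 6379: "Redis"}
EXPECTED_PUBLIC = {80, 443}


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of 0 covers every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def cidr_sources(perm):
    """Yield the IPv4 and IPv6 CIDR sources of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def port_range(perm):
    """(from, to) for tcp/udp; protocol -1 means all ports; None for icmp and others."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return 0, 65535
    if proto in ("tcp", "udp"):
        return perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return None


def analyze(groups):
    """Return findings as (group_id, severity, message) for world-open rules."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            for src in cidr_sources(perm):
                if not is_world_open(src):
                    continue  # scoped source: not a finding for this check
                if perm.get("IpProtocol") == "-1":
                    findings.append((gid, "CRITICAL", f"all traffic open to {src}"))
                    continue
                ports = port_range(perm)
                if ports is None:
                    findings.append((gid, "LOW", f"{perm['IpProtocol']} open to {src}"))
                    continue
                lo, hi = ports
                # A range such as 0-65535 still exposes 22: test containment, not equality.
                hits = [f"{p}/{n}" for p, n in HIGH_RISK_PORTS.items() if lo <= p <= hi]
                if hits:
                    findings.append((gid, "HIGH", f"{', '.join(hits)} open to {src}"))
                elif lo == hi and lo in EXPECTED_PUBLIC:
                    findings.append((gid, "INFO", f"web port {lo} open to {src}"))
                else:
                    findings.append((gid, "MEDIUM", f"ports {lo}-{hi} open to {src}"))
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and any(map(is_world_open, cidr_sources(perm))):
                findings.append((gid, "LOW", "unrestricted egress (all traffic to any address)"))
    return findings


def find_unused(groups, attached_ids):
    """Groups not on any ENI and not referenced by another group's rules.
    The VPC 'default' group is skipped because it cannot be deleted."""
    referenced = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            referenced.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sorted(sg["GroupId"] for sg in groups
                  if sg["GroupName"] != "default"
                  and sg["GroupId"] not in attached_ids
                  and sg["GroupId"] not in referenced)


# Constructed sample data: hypothetical short group IDs, RFC 5737 test addresses.
ANY4, ANY6 = {"CidrIp": "0.0.0.0/0"}, {"CidrIpv6": "::/0"}
EGRESS_ALL = [{"IpProtocol": "-1", "IpRanges": [ANY4], "Ipv6Ranges": [ANY6]}]
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissionsEgress": EGRESS_ALL,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [ANY4], "Ipv6Ranges": [ANY6]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissionsEgress": EGRESS_ALL,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [ANY4, {"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissionsEgress": EGRESS_ALL,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "UserIdGroupPairs": [{"GroupId": "sg-0fff"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "legacy", "IpPermissionsEgress": EGRESS_ALL,
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [ANY4]}]},
    {"GroupId": "sg-0eee", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": EGRESS_ALL},
    {"GroupId": "sg-0fff", "GroupName": "app-allowlist", "IpPermissions": [], "IpPermissionsEgress": []},
]
ATTACHED = {"sg-0aaa", "sg-0bbb", "sg-0ccc"}  # would come from describe-network-interfaces

if __name__ == "__main__":
    for gid, sev, msg in analyze(SAMPLE_GROUPS):
        print(f"{sev:8} {gid}  {msg}")
    print("unused:", find_unused(SAMPLE_GROUPS, ATTACHED))
```

On the sample data the bastion's SSH rule is reported HIGH while its second source, 203.0.113.0/24, is ignored; the legacy group's all-traffic rule is CRITICAL; the web group's 443 rules are INFO; every group with the stock egress rule gets a LOW; and `find_unused` returns only the legacy group, because `sg-0fff` is referenced by the database group's rule even though nothing is attached to it.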

### Security Best Practices

**Principle of least privilege:**
- Only allow the ports the workload actually listens on
- Restrict the source to known CIDRs or, better, to another security group (for example, allow 3306 only from the application tier's group rather than from a subnet range)
