We’ve added six graph-based out-of-the-box queries for investigating AWS runtime resources from the Resource Inventory page for better visibility. Many of these are based on our Network Access graph, which identifies multiple paths to internet exposure, such as public subnets, internet gateways, and load balancers.
- Public Virtual Machines: shows EC2 instances that are publicly exposed based on Network Access graph analysis. While not necessarily bad, this query helps you ensure that no private EC2 instance is publicly exposed.
- Public Firewall Groups: shows Security Groups that are open to the world based on Network Access graph analysis. This query surfaces Security Groups with internet exposure so you can spot the ones that shouldn’t be open.
- Public Databases: shows RDS and Redshift databases that are open to the world based on Network Access graph analysis. Typically databases should not be exposed publicly, but rather through other services or bastion hosts.
- Resources Allowing Inbound SSH Connection: shows network resources attached to a security group that allows ingress traffic on port 22 (SSH). Resources with SSH access are more exposed to attack than a locked-down resource.
- Inactive Elastic Load Balancers: shows live load balancers that have no EC2 instances attached to them. Cleaning up these services lowers exposure.
- NACL is not attached to subnets: shows Network ACLs that are not attached to a subnet based on connection graphs.
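As an added example (not the product's own query implementation), the Python below re-creates the six checks over constructed inventory records shaped like boto3 `describe_*` responses. Every ID, name and address in it is invented, and the Network Access graph is reduced to an assumption of its own: a subnet is public when its route table sends `0.0.0.0/0` to an internet gateway, and an instance or database is public when it additionally carries a public IP or `PubliclyAccessible` flag and a Security Group open to the world on the relevant port. Redshift clusters are assumed to be mapped onto the same keys as the RDS-shaped records used here.

```python
"""Added example, not the product's own query code: offline versions of the six AWS
exposure checks, run over constructed records shaped like boto3 describe_* responses."""
from ipaddress import ip_network

def rule_is_world_open(rule):
    # Any IPv4/IPv6 range with prefix length 0 (0.0.0.0/0, ::/0) covers the whole internet.
    cidrs = [r["CidrIp"] for r in rule["IpRanges"]] + [r["CidrIpv6"] for r in rule["Ipv6Ranges"]]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def rule_covers_port(rule, port, proto="tcp"):
    # Protocol -1 is "all traffic"; otherwise the port must fall in [FromPort, ToPort].
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == proto and rule["FromPort"] <= port <= rule["ToPort"]

def public_firewall_groups(groups):      # Security Groups open to the world
    return sorted(g["GroupId"] for g in groups if any(map(rule_is_world_open, g["IpPermissions"])))

def ssh_ingress_groups(groups):          # Security Groups admitting TCP/22
    return sorted(g["GroupId"] for g in groups if any(rule_covers_port(r, 22) for r in g["IpPermissions"]))

def public_subnets(route_tables):
    # Simplified network-access graph (assumption): public = route table sends 0.0.0.0/0 to an IGW.
    public = set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in rt["Routes"]):
            public.update(a["SubnetId"] for a in rt["Associations"])
    return public

def public_virtual_machines(instances, groups, route_tables):
    # Reachable from the internet: public IP + public subnet + a world-open Security Group.
    open_sgs, pub = set(public_firewall_groups(groups)), public_subnets(route_tables)
    return sorted(i["InstanceId"] for i in instances
                  if i.get("PublicIpAddress") and i["SubnetId"] in pub
                  and any(sg["GroupId"] in open_sgs for sg in i["SecurityGroups"]))

def public_databases(databases, groups):
    # RDS-shaped records (Redshift clusters assumed mapped to the same keys): flagged when
    # PubliclyAccessible and a Security Group opens the endpoint port to the world.
    by_id = {g["GroupId"]: g for g in groups}
    def exposed(db):
        rules = [r for s in db["VpcSecurityGroups"] for r in by_id[s["VpcSecurityGroupId"]]["IpPermissions"]]
        return db["PubliclyAccessible"] and any(
            rule_is_world_open(r) and rule_covers_port(r, db["Endpoint"]["Port"]) for r in rules)
    return sorted(db["DBInstanceIdentifier"] for db in databases if exposed(db))

def inactive_load_balancers(lbs):        # live classic ELBs with no registered instances
    return sorted(lb["LoadBalancerName"] for lb in lbs if not lb["Instances"])

def unattached_nacls(nacls):             # Network ACLs with no subnet association
    return sorted(n["NetworkAclId"] for n in nacls if not n["Associations"])

# ---- constructed sample inventory (all values invented) ----
def _rule(proto, v4=(), v6=(), port=None):
    r = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
         "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if port is not None:
        r.update(FromPort=port, ToPort=port)
    return r

SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [_rule("tcp", v4=["0.0.0.0/0"], port=443)]},
    {"GroupId": "sg-bastion", "IpPermissions": [_rule("tcp", v4=["203.0.113.0/24"], port=22)]},
    {"GroupId": "sg-db", "IpPermissions": [_rule("tcp", port=5432)]},   # source is another SG, no CIDR
    {"GroupId": "sg-any", "IpPermissions": [_rule("-1", v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-pubdb", "IpPermissions": [_rule("tcp", v6=["::/0"], port=5432)]},
]
ROUTE_TABLES = [  # subnet-priv deliberately has no IGW route table here
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "PublicIpAddress": "198.51.100.10", "SubnetId": "subnet-pub",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-bastion", "PublicIpAddress": "198.51.100.11", "SubnetId": "subnet-pub",
     "SecurityGroups": [{"GroupId": "sg-bastion"}]},           # public IP, but SG is not world-open
    {"InstanceId": "i-app", "SubnetId": "subnet-priv", "SecurityGroups": [{"GroupId": "sg-any"}]},
]
DATABASES = [
    {"DBInstanceIdentifier": "db-prod", "PubliclyAccessible": False, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]},
    {"DBInstanceIdentifier": "db-reports", "PubliclyAccessible": True, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-pubdb"}]},
    {"DBInstanceIdentifier": "db-legacy", "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-web"}]},  # its SG opens 443 only
]
LOAD_BALANCERS = [{"LoadBalancerName": "lb-api", "Instances": [{"InstanceId": "i-web"}]},
                  {"LoadBalancerName": "lb-old", "Instances": []}]
NACLS = [{"NetworkAclId": "acl-main", "Associations": [{"SubnetId": "subnet-pub"}]},
         {"NetworkAclId": "acl-orphan", "Associations": []}]

def run_all():
    return {"Public Virtual Machines": public_virtual_machines(INSTANCES, SECURITY_GROUPS, ROUTE_TABLES),
            "Public Firewall Groups": public_firewall_groups(SECURITY_GROUPS),
            "Public Databases": public_databases(DATABASES, SECURITY_GROUPS),
            "Resources Allowing Inbound SSH": ssh_ingress_groups(SECURITY_GROUPS),
            "Inactive Elastic Load Balancers": inactive_load_balancers(LOAD_BALANCERS),
            "NACL not attached to subnets": unattached_nacls(NACLS)}
```

Calling `run_all()` on the sample data flags only `i-web` as a public VM (`i-bastion` has a public IP but its Security Group admits a single /24, and `i-app` has no public address), only `db-reports` as a public database (`db-legacy` is `PubliclyAccessible` but its group opens 443, not 3306), and `sg-any` and `sg-bastion` as SSH-admitting groups. The `sg-bastion` hit illustrates the page's point that the SSH query is about exposure, not necessarily misconfiguration: a bastion reachable from one corporate range is expected to appear there.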