When VMware Secure State introduced the ability to create custom rules, we wondered what rules some of our customers would build. Would they build rules looking for specific ports being open on a security group? Would they seek some misconfiguration that mapped to an internal framework? Actually, as you will see below, we have seen a wide range of custom rules made by our customers.
Looking for some specific ports
One of the hardest tasks for security people is to find out which ports are open on their AWS security group. Looking at the lists of security group, per region, and trying to find a specific inbound port is not easy in AWS.
Being able to leverage the Explore feature of VMware Secure State, customers can find the specific open port they are looking for and create a rule based on that query. Below is an example of a rule looking for open port 5000 or 2379. As you can see, the IP range was not included in this search. All that was searched for was the ports. If you want to add the range variable, you can add it before the ip_permission object.
Now, what if you want to see if any EC2 instances have an external IP? VMware Secure State has predefined rules around public IPs open to the world from specific port. But, what about public instances that have IP restrictions. This was a customer ask.
This is the query they came up with:
ip_range HAS NOT (cidr_ip = "0.0.0.0/0") -> ip_permission -> security_group -> instance HAS NOT public_ip_address = "" -> vpc -> route_table -> route -> internet_gateway
This query is not really a security rule, it’s more of an inventory and visibility need. The query is looking for any security groups that do NOT have an IP range of 0.0.0.0 but are connected to an instance with a public IP. The statement instance HAS NOT public_ip_address = "" is basically looking for public IP value to be true, but we had to write it as a double negative.
Here is the result:
Visibility rules vs. security rules
With all of the data that VMware Secure State captures about your cloud accounts, you can see how one could leverage this data to find things that may not be security issues. One of customer had a great custom rule that they wrote. They wanted to be alerted whenever their elastic IP was assigned to a new instance. They just wanted to track the changes. The query is below.
address -> instance
Not that difficult. But, enabling this rule, and then turning on alerts for this rule allowed the customer to stay on top of their elastic IP allocation.
We're continuing to enhance and build VMware Secure State’s query language and ability to build custom rules. Go ahead and query! Find new ways to use the tool and let us know—we'd love to hear what interesting rules you come up with. You can find more information about the VMware Secure State query language here.