Audit Your VPC: Find Accidentally Public Subnets with Python

DEV Community·Naveen Karasu·about 1 month ago
#aws #security #python #cloud #route #subnets

Day 5: Find Accidentally Public Subnets

The most common VPC misconfiguration is not a bad security group rule -- it is a subnet using the main route table when it should not be. Subnets without an explicit route table association inherit the VPC's main route table. If that table has an Internet Gateway route, those subnets are public whether you intended it or not.

Here is a quick AWS CLI audit:

    # Get main route table for your VPC
    MAIN_RT=$(aws ec2 describe-route-tables \
      --filters Name=vpc-id,Values=vpc-0abc123 \
                Name=association.main,Values=true \
      --query 'RouteTables[0].RouteTableId' --output text)

    # Check if main RT has IGW route
    aws ec2 describe-route-tables \
      --route-table-ids "$MAIN_RT" \
      --query 'RouteTables[0].Routes[?GatewayId!=`local`]'

    # Find subnets with no explicit RT association
    aws ec2 describe-subnets \
      --filters Name=vpc-id,Values=vpc-0abc123 \
      --query 'Subnets[].SubnetId' --output text | tr '\t' '\n' | while read SID; do
      ASSOC=$(aws ec2 describe-route-tables \
        --filters…
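The same audit in Python, added here as an example and not the article's own code: it resolves each subnet's effective route table (explicit association, else the main table) and flags any whose table carries an igw- route. The sample responses are constructed; the optional live fetch assumes boto3 with credentials in the environment and does not paginate.

```python
"""Find subnets that are effectively public via their route table."""


def main_route_table(route_tables):
    """Return the VPC's main route table (the association with Main=True)."""
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def has_igw_route(rt):
    """True if any route targets an Internet Gateway (NAT routes have no GatewayId)."""
    return any(r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", []))


def effective_route_table(subnet_id, route_tables):
    """An explicit association wins; otherwise the subnet inherits the main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return main_route_table(route_tables)


def find_public_subnets(subnets, route_tables):
    """Return (subnet_id, route_table_id, inherited_main) for each public subnet."""
    findings = []
    for s in subnets:
        rt = effective_route_table(s["SubnetId"], route_tables)
        if rt is None or not has_igw_route(rt):
            continue
        explicit = any(a.get("SubnetId") == s["SubnetId"] for a in rt.get("Associations", []))
        findings.append((s["SubnetId"], rt["RouteTableId"], not explicit))
    return findings


def fetch_vpc(vpc_id):
    """Pull live data (assumes boto3 and AWS credentials; import kept local so the sample runs offline)."""
    import boto3
    ec2 = boto3.client("ec2")
    flt = [{"Name": "vpc-id", "Values": [vpc_id]}]
    return ec2.describe_subnets(Filters=flt)["Subnets"], ec2.describe_route_tables(Filters=flt)["RouteTables"]


# Constructed sample data: main table has an IGW default route, one private table routes via NAT.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0001", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234"}]},
    {"RouteTableId": "rtb-priv0002", "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]
SAMPLE_SUBNETS = [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-orphan-b"}]

if __name__ == "__main__":
    for sid, rtid, inherited in find_public_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES):
        print(f"PUBLIC {sid} via {rtid}" + (" (no explicit association, inherits main)" if inherited else ""))
```

Subnets reported with inherited_main True are the case the article describes: nobody associated them with anything, so they silently picked up the main table's IGW route.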
