
AWS Network#

Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+

A comprehensive AWS network security integration covering VPC topology, internet exposure paths, flow log analysis, security group auditing, IP ownership lookup, and WAF configuration.

Tools#

list_vpcs — VPC list#

List all VPCs in the account, including:

  • CIDR block
  • DNS support and hostname configuration
  • Tags

list_subnets — Subnet list#

List all subnets, including:

  • CIDR block and available IP count
  • Whether MapPublicIpOnLaunch is set (instances get a public IPv4 address automatically). Note that this flag alone does not make a subnet public: a subnet is public only when its route table has a route to an Internet Gateway, so check it together with list_route_tables
  • VPC ID and Availability Zone

list_internet_gateways — Internet gateway list#

List all Internet Gateways (IGW) and the VPCs they are attached to.


list_nat_gateways — NAT gateway list#

List all NAT Gateways with state, public IP, and subnet information.


list_route_tables — Route table list#

List all route tables and their routes, identifying entries whose target is an Internet Gateway (igw-...). These are the internet ingress/egress paths that make a subnet public; routes via a NAT Gateway provide outbound access only.


analyze_network_exposure — Network exposure analysis#

Comprehensive analysis of the full internet exposure path for a target resource:

  • Connected VPC and subnet
  • Whether it is in a public subnet
  • Security group rules that are open to the internet (0.0.0.0/0 or ::/0)
  • NACL rules
  • Route table paths to IGW
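Worked example of the routing part of this exposure analysis. This is an added illustration, not the integration's own code: the route tables, subnets and ENIs are constructed inline and use the field names of the EC2 DescribeRouteTables / DescribeSubnets / DescribeNetworkInterfaces responses; the function names are assumptions. It shows the two facts a public subnet check must combine (an explicit or main route table with an igw- target, and an actual public IP on the interface), and why MapPublicIpOnLaunch on its own is not sufficient.

```python
"""Decide whether a network interface has an internet ingress path.

Added example (not part of the AWS Network integration). Data below is
constructed and mirrors the boto3 describe_* response shapes.
"""

# Constructed sample data: one VPC, three subnets, three route tables.
ROUTE_TABLES = [
    {   # main route table of the VPC: local route only
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # explicitly associated with subnet-a: default route to an IGW -> public
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123"},
        ],
    },
    {   # explicitly associated with subnet-b: default route via NAT -> egress only
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
]

SUBNETS = {
    "subnet-a": {"MapPublicIpOnLaunch": False},  # public by routing, no auto-assign
    "subnet-b": {"MapPublicIpOnLaunch": True},   # auto-assign on, but no IGW route
    "subnet-c": {"MapPublicIpOnLaunch": True},   # no explicit table -> main table
}

ENIS = {
    "eni-a": {"SubnetId": "subnet-a", "Association": {"PublicIp": "203.0.113.10"}},
    "eni-b": {"SubnetId": "subnet-a"},                                   # private IP only
    "eni-c": {"SubnetId": "subnet-b", "Association": {"PublicIp": "203.0.113.11"}},
}


def route_table_for_subnet(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def igw_routes(route_table):
    """Routes (IPv4 or IPv6) whose target is an Internet Gateway.

    Egress-only gateways (eigw-...) and NAT gateways deliberately do not match."""
    return [r for r in route_table["Routes"]
            if r.get("GatewayId", "").startswith("igw-")]


def is_public_subnet(subnet_id, route_tables):
    rt = route_table_for_subnet(subnet_id, route_tables)
    return rt is not None and bool(igw_routes(rt))


def eni_has_public_ip(eni):
    return bool(eni.get("Association", {}).get("PublicIp"))


def exposure(eni_id, enis=ENIS, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Internet ingress requires BOTH a public IP and an IGW route for the subnet."""
    eni = enis[eni_id]
    subnet_id = eni["SubnetId"]
    public_subnet = is_public_subnet(subnet_id, route_tables)
    public_ip = eni_has_public_ip(eni)
    return {
        "eni": eni_id,
        "subnet": subnet_id,
        "map_public_ip_on_launch": subnets[subnet_id]["MapPublicIpOnLaunch"],
        "public_subnet": public_subnet,
        "public_ip": public_ip,
        "internet_reachable": public_subnet and public_ip,
    }


if __name__ == "__main__":
    for eni_id in ENIS:
        print(exposure(eni_id))
```

Only eni-a is reachable from the internet: eni-b sits in the public subnet but has no public address, and eni-c has a public address but its subnet routes 0.0.0.0/0 to a NAT gateway, so nothing inbound can reach it. Security group and NACL rules would then be evaluated on top of this routing result.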

get_flow_logs — Flow log list#

List enabled VPC Flow Log configurations, including:

  • Target resource (VPC / Subnet / ENI)
  • Log delivery destination (CloudWatch Logs / S3 / Kinesis Data Firehose)
  • Captured traffic type (ACCEPT / REJECT / ALL)

analyze_flow_logs — Flow log analysis#

Query and analyze VPC Flow Logs stored in CloudWatch:

Parameter               Description
log_group_name          Flow log destination log group
start_time / end_time   Time range
source_ip               Filter by source IP
dest_ip                 Filter by destination IP
port                    Filter by destination port
action                  ACCEPT or REJECT
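To make the filters above concrete, here is an added example (not the integration's own code) that parses VPC flow log records in the default format and applies the same parameters. The record lines are constructed sample data; the function names are assumptions. The default format is the 14 space-separated fields version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status; NODATA/SKIPDATA rows have no addresses and are dropped. Records carry a start/end aggregation window, so a time filter should test for overlap with the query range rather than exact equality.

```python
"""Filter and summarize VPC flow log records (default format).

Added example, not part of the AWS Network integration. SAMPLE_RECORDS is
constructed data in the default flow log format.
"""
from collections import defaultdict

FLOW_LOG_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample: an external host probing SSH (accepted) and RDP (rejected),
# the return traffic, an unrelated HTTPS flow, and a NODATA row.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 51432 22 6 12 1960 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 51440 22 6 8 1280 1700000060 1700000119 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 51433 3389 6 4 240 1700000001 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 22 51432 6 10 1500 1700000002 1700000061 ACCEPT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.2.45 40000 443 6 30 12000 1700000100 1700000159 ACCEPT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1700000100 1700000159 - NODATA
"""


def parse_record(line):
    """Return a dict for one default-format record, or None if unusable."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None                      # custom format or truncated line
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                      # NODATA / SKIPDATA rows carry no traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def query_flow_logs(text, source_ip=None, dest_ip=None, port=None,
                    action=None, start_time=None, end_time=None):
    """Apply the analyze_flow_logs-style filters to raw record text."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if source_ip and rec["srcaddr"] != source_ip:
            continue
        if dest_ip and rec["dstaddr"] != dest_ip:
            continue
        if port is not None and rec["dstport"] != port:
            continue
        if action and rec["action"] != action:
            continue
        # keep records whose aggregation window overlaps [start_time, end_time]
        if start_time is not None and rec["end"] < start_time:
            continue
        if end_time is not None and rec["start"] > end_time:
            continue
        hits.append(rec)
    return hits


def summarize(records):
    """Aggregate flows per (srcaddr, dstaddr, dstport): one row per conversation."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "actions": set()})
    for rec in records:
        row = totals[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])]
        row["flows"] += 1
        row["bytes"] += rec["bytes"]
        row["actions"].add(rec["action"])
    return dict(totals)


if __name__ == "__main__":
    accepted = query_flow_logs(SAMPLE_RECORDS, source_ip="198.51.100.7", action="ACCEPT")
    for key, row in summarize(accepted).items():
        print(key, row)
```

In production the same filters are typically expressed as a CloudWatch Logs Insights query against the log group; the logic above is what such a query evaluates per record. The REJECT row for port 3389 is worth keeping in view during an investigation: it shows what the attacker tried and the security group or NACL blocked.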

find_resource_by_ip — IP-to-resource mapping#

Look up which AWS resource a given IP address belongs to:

  • EC2 instance
  • ENI (Elastic Network Interface)
  • Load Balancer
  • NAT Gateway
  • VPN endpoint

Supports both public and private IP addresses. Private IPv4 ranges can be reused across VPCs in the same account, so confirm a private-IP match against the VPC of the resource under investigation.


list_security_groups — Security group list#

List all security groups with full ingress/egress rule details, including CIDR ranges and referenced security group IDs.


analyze_security_group_rules — Security group rule analysis#

Deep analysis of overly permissive security group rules:

  • Ingress from 0.0.0.0/0 or ::/0
  • High-risk port exposure (22, 3389, or the full 0-65535 range) to such sources
  • Egress allow-all rules (0.0.0.0/0 on all ports, which is the default egress rule of every new security group)
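An added example of the rule classification this tool performs, not the integration's own code. The security groups are constructed inline in the shape of the EC2 DescribeSecurityGroups response (IpPermissions / IpPermissionsEgress with IpRanges, Ipv6Ranges and UserIdGroupPairs); the severity scheme, HIGH_RISK_PORTS table and function names are assumptions. It covers the details that simple CIDR matching misses: IpProtocol "-1" means every port, ICMP rules carry type/code instead of ports, a rule may be world-open on IPv6 only, and rules that reference another security group are not internet-exposed at all.

```python
"""Audit security groups for internet-open ingress and allow-all egress.

Added example, not part of the AWS Network integration. SAMPLE_GROUPS is
constructed data shaped like boto3 describe_security_groups output.
"""

WORLD = {"0.0.0.0/0", "::/0"}
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "GroupName": "db",   # only reachable from sg-web: fine
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-legacy", "GroupName": "legacy",   # everything open to the world
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]


def world_open_cidrs(perm):
    """CIDRs in this rule that mean 'anyone on the internet' (v4 or v6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def rule_ports(perm):
    """Port range of a rule, (0, 65535) for all-traffic, None for ICMP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto in ("icmp", "icmpv6"):
        return None                      # FromPort/ToPort are ICMP type/code here
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return (lo, hi)


def finding(group_id, direction, severity, detail):
    return {"group_id": group_id, "direction": direction,
            "severity": severity, "detail": detail}


def audit_security_groups(groups):
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            cidrs = world_open_cidrs(perm)
            if not cidrs:
                continue                 # CIDR-scoped or SG-referenced: not internet-open
            ports = rule_ports(perm)
            if ports is None:
                findings.append(finding(gid, "ingress", "LOW",
                                        f"{perm['IpProtocol']} open to {cidrs}"))
                continue
            lo, hi = ports
            if (lo, hi) == (0, 65535):
                findings.append(finding(gid, "ingress", "HIGH",
                                        f"all ports 0-65535 open to {cidrs}"))
                continue
            risky = [f"{p} ({name})" for p, name in HIGH_RISK_PORTS.items() if lo <= p <= hi]
            severity = "HIGH" if risky else "MEDIUM"
            what = ", ".join(risky) if risky else f"ports {lo}-{hi}"
            findings.append(finding(gid, "ingress", severity, f"{what} open to {cidrs}"))
        for perm in sg.get("IpPermissionsEgress", []):
            if world_open_cidrs(perm) and rule_ports(perm) == (0, 65535):
                findings.append(finding(gid, "egress", "LOW",
                                        "allow-all egress to the internet"))
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f["severity"], f["group_id"], f["direction"], f["detail"])
```

Expect two HIGH findings (sg-bastion's SSH rule and sg-legacy's all-traffic rule), a MEDIUM for sg-web's HTTPS rule (world-open but on an expected port), LOW allow-all egress on sg-web and sg-bastion, and nothing for sg-db, whose only ingress rule references another security group.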

list_waf_acls — WAF ACL list#

List all AWS WAF WebACLs:

  • Scope: REGIONAL or CLOUDFRONT
  • Default action (ALLOW/BLOCK)
  • Number of rules and metrics configuration

get_waf_acl — WAF ACL details#

Retrieve the full rule set for a specific WAF WebACL.

Configuration#

Item                    Description
AWS_ACCESS_KEY_ID       Access Key ID
AWS_SECRET_ACCESS_KEY   Secret Access Key
AWS_DEFAULT_REGION      Default region (e.g. us-east-1)
AWS_SESSION_TOKEN       Optional: session token. Required when the key pair comes from STS temporary credentials (assumed role or SSO login), which is preferable to long-lived IAM user keys for a tool with this much read access to the network configuration.

Investigation workflow#

1. analyze_network_exposure resource_id:"i-xxxx"
   → Check the full internet exposure path for a suspicious instance

2. find_resource_by_ip ip:"<suspicious IP>"
   → Identify which AWS resource an IP belongs to

3. analyze_flow_logs
   log_group_name:"/aws/vpc/flowlogs"
   source_ip:"<attacker IP>" action:"ACCEPT"
   → Find all connections from an attacker IP that were accepted

4. analyze_security_group_rules
   → Discover which security groups expose high-risk ports to the internet

5. list_waf_acls
   get_waf_acl acl_id:"<id>"
   → Review WAF rule coverage