website logo
HomeGithubSlack
⌘K
Overview
Quick Start
Supported Services
Running CloudGraph in EKS
Compliance
Rules Engine
AWS
Querying AWS Data
AWS Policy Packs
Billing Data
Services
Azure
Querying Azure Data
Azure Policy Packs
Services
GCP
Querying GCP Data
GCP Policy Packs
Services
K8s
Querying Kubernetes Data
Services
Docs powered by
Archbee
AWS
Services

Security Group

18min

Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on an AWS Security Group:

GraphQL
|
query {
  queryawsSecurityGroup {
    id
    accountId
    arn
    name
    vpcId
    description
    tags {
      id
      key
      value
    }
    owner
    default
    inboundRules {
      id
      # Other fields and connections here...
    }
    outboundRules {
      id
      # Other fields and connections here...
    }
    inboundRuleCount
    outboundRuleCount
    alb {
      arn
      # Other fields and connections here...
    }
    lambda {
      arn
      # Other fields and connections here...
    }
    elb {
      arn
      # Other fields and connections here...
    }
    ec2Instance {
      arn
      # Other fields and connections here...
    }
    asg {
      arn
      # Other fields and connections here...
    }
    rdsCluster {
      arn
      # Other fields and connections here...
    }
    rdsDbInstance {
      arn
      # Other fields and connections here...
    }
  }
}


Filtering

Get data for a single AWS Security Group that you know the ID for:

GraphQL
|
query {
  getawsSecurityGroup(id: "12345") {
    arn
    # Other fields and connections here...
  }
}


Get data for a single Security Group that you know the ARN for:

GraphQL
|
query {
  getawsSecurityGroup(arn: "arn:12345") {
    arn
    # Other fields and connections here...
  }
}


Get data for all of the Security Groups in a certain AWS account:

GraphQL
|
query {
  queryawsSecurityGroup(filter: { accountId: { eq: "12345" } }) {
    arn
    # Other fields and connections here...
  }
}

# Note that in addition to "accountId" you can
# Filter based on any of the following attributes:

# id
# arn
# name
# vpcId
# description // can use fulltext filters
# owner
# default
# inboundRuleCount
# outboundRuleCount

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters

# alloftext
# anyoftext


Get data for all of the Security Groups that are NOT in a certain AWS account:

GraphQL
|
query {
  queryawsSecurityGroup(filter: { not: { accountId: { eq: "12345" } } }) {
    arn
    # Other fields and connections here...
  }
}


Advanced Filtering

Get data for all of the Security Groups that have EC2 Instances in them:

GraphQL
|
query {
  queryawsSecurityGroup(filter: { has: ec2Instance }) {
    arn
    # Other fields and connections here...
  }
}

# Note that in addition to "ec2Instance" you can filter
# Using "has" based on any of the following attributes:

# id
# accountId
# arn
# name
# vpcId
# description
# tags
# owner
# default
# inboundRules
# outboundRules
# inboundRuleCount
# outboundRuleCount
# alb
# lambda
# elb
# ec2Instance
# asg
# rdsCluster
# rdsDbInstance


Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the Security Groups that have Lambdas AND RDS DB Instances associated with them OR that do not have ALBs associated in them. Note that you can use has, and, not, or completely independently of each other:

GraphQL
|
query {
  queryawsSecurityGroup(
    filter: {
      has: lambda
      and: { has: rdsDbInstance }
      or: { not: { has: alb } }
    }
  ) {
    arn
    # Other fields and connections here...
  }
}


You may also filter using a regex when filtering on a string field like, description if you want to look for a value that matches say, production (case insensitive):

GraphQL
|
query {
  queryawsSecurityGroup(
    filter: { description: { regexp: "/.*production.*/i" } }
  ) {
    arn
    # Other fields and connections here...
  }
}


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
|
query {
  queryawsSecurityGroup(order: { desc: vpcId }) {
    vpcId
    # Other fields and connections here...
  }
}

# Note that in addition to "vpcId" you can filter
# Using "asc" or "desc" based on any of the following attributes:

# id
# accountId
# arn
# name
# description
# owner
# inboundRuleCount
# outboundRuleCount


Only select and return the first two Security Groups that are found:

GraphQL
|
query {
  queryawsSecurityGroup(first: 2, order: { desc: vpcId }) {
    vpcId
    # Other fields and connections here...
  }
}


Only select and return the first two Security Groups that are found, but offset by one so Security Groups two & three are returned:

GraphQL
|
query {
  queryawsSecurityGroup(first: 2, order: { desc: vpcId }, offset: 1) {
    arn
    # Other fields and connections here...
  }
}


Aggregation

Count the number of Security Groups across all scanned AWS accounts:

GraphQL
|
query {
  aggregateawsSecurityGroup {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# Following min and max values based on attributes of your Security Groups:

# idMin
# idMax
# accountIdMin
# accountIdMax
# arnMin
# arnMax
# nameMin
# nameMax
# vpcIdMin
# vpcIdMax
# descriptionMin
# descriptionMax
# ownerMin
# ownerMax
# inboundRuleCountMin
# inboundRuleCountMax
# inboundRuleCountSum
# inboundRuleCountAvg
# outboundRuleCountMin
# outboundRuleCountMax
# outboundRuleCountSum
# outboundRuleCountAvg


Count the number of Security Groups in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
|
query {
  aggregateawsSecurityGroup(filter: { accountId: { eq: "12345" } }) {
    count
    # Other fields and connections here...
  }
}


Examples

Get all of the Security Groups in VPC 12345:

GraphQL
|
query {
  queryawsSecurityGroup(filter: { vpcId: { eq: "12345" } }) {
    id
    # Other fields and connections here...
  }
}


Find all of the Security Groups that have a tag of Environment:Production for a single AWS Account:

GraphQL
|
query {
  queryawsTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    securityGroups(filter: { accountId: { eq: "12345" } }) {
      arn
      # Other fields and connections here...
    }
  }
}


With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:

GraphQL
|
query {
  queryawsSecurityGroup(filter: { vpcId: { eq: "12345" } }) {
    id
    # Other fields and connections here...
  }
  queryawsTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    securityGroups(filter: { accountId: { eq: "12345" } }) {
      arn
      # Other fields and connections here...
    }
  }
}


Kitchen Sink

Putting it all together; get all data for all Security Groups across all regions for all scanned AWS accounts in a single query. For the purposes of this example we will only get direct children of the Security Groups but if you want to it's easy to go from say, Security Group -> ALB -> EC2 -> EBS...etc:

GraphQL
|
query {
  queryawsSecurityGroup {
    id
    accountId
    arn
    name
    vpcId
    description
    tags {
      id
      key
      value
    }
    owner
    default
    inboundRules {
      id
      description
      portRange
      protocol
      source
      userId
      groupName
      peeringStatus
    }
    outboundRules {
      id
      description
      destination
      portRange
      protocol
      userId
      groupName
      peeringStatus
    }
    inboundRuleCount
    outboundRuleCount
    alb {
      id
      accountId
      arn
      dnsName
      scheme
      type
      subnets
      hostedZone
      defaultVpc
      ipAddressType
      idleTimeout
      deletionProtection
      http2
      accessLogsEnabled
      dropInvalidHeaderFields
      createdAt
      status
      tags {
        id
        key
        value
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
      ec2Instance {
        arn
        # Other fields and connections here...
      }
      vpc {
        arn
        # Other fields and connections here...
      }
      route53Record {
        id
        # Other fields and connections here...
      }
      listeners {
        arn
        # Other fields and connections here...
      }
      subnet {
        arn
        # Other fields and connections here...
      }
    }
    lambda {
      id
      accountId
      arn
      description
      handler
      kmsKeyArn
      lastModified
      memorySize
      reservedConcurrentExecutions
      role
      runtime
      sourceCodeSize
      timeout
      tracingConfig
      version
      environmentVariables {
        id
        key
        value
      }
      tags {
        id
        key
        value
      }
      kms {
        arn
        # Other fields and connections here...
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
      subnet {
        arn
        # Other fields and connections here...
      }
      vpc {
        arn
        # Other fields and connections here...
      }
      cognitoUserPool {
        arn
        # Other fields and connections here...
      }
    }
    elb {
      id
      accountId
      arn
      dnsName
      hostedZone
      createdAt
      type
      status
      scheme
      vpcId
      sourceSecurityGroup {
        groupName
        # Other fields and connections here...
      }
      securityGroupsIds
      subnets
      accessLogs
      crossZoneLoadBalancing
      idleTimeout
      instances {
        id
        # Other fields and connections here...
      }
      healthCheck {
        target
        # Other fields and connections here...
      }
      listeners {
        id
        # Other fields and connections here...
      }
      tags {
        id
        key
        value
      }
      cloudfrontDistribution {
        arn
        # Other fields and connections here...
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
      vpc {
        arn
        # Other fields and connections here...
      }
      route53Record {
        id
        # Other fields and connections here...
      }
      subnet {
        arn
        # Other fields and connections here...
      }
    }
    ec2Instance {
      id
      accountId
      arn
      region
      ami
      tenancy
      elasticIps
      publicDns
      privateDns
      monitoring
      privateIps
      keyPair {
        id
        name
        fingerprint
      }
      cpuCoreCount
      hibernation
      ebsOptimized
      ipv4PublicIp
      instanceType
      ipv6Addresses
      placementGroup
      instanceState
      sourceDestCheck
      availabilityZone
      cpuThreadsPerCore
      iamInstanceProfile
      deletionProtection
      dailyCost {
        cost
        currency
        formattedCost
      }
      primaryNetworkInterface
      metadataOptions {
        state
        # Other fields and connections here...
      }
      metadatasecurityGroupIdsOptions
      securityGroupIds
      ephemeralBlockDevices {
        deviceName
        # Other fields and connections here...
      }
      tags {
        id
        key
        value
      }
      alb {
        arn
        # Other fields and connections here...
      }
      asg {
        arn
        # Other fields and connections here...
      }
      ebs {
        arn
        # Other fields and connections here...
      }
      eip {
        arn
        # Other fields and connections here...
      }
      networkInterfaces {
        arn
        # Other fields and connections here...
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
      subnet {
        arn
        # Other fields and connections here...
      }
    }
    asg {
      id
      accountId
      arn
      name
      region
      launchConfigurationName
      launchTemplateId
      launchTemplateName
      launchTemplateVersion
      mixedInstancesPolicy {
        launchTemplateId
        # Other fields and connections here...
      }
      minSize
      maxSize
      desiredCapacity
      predictedCapacity
      cooldown
      availabilityZones
      loadBalancerNames
      targetGroupARNs
      healthCheckType
      healthCheckGracePeriod
      ec2InstanceIds
      suspendedProcesses {
        id
        # Other fields and connections here...
      }
      placementGroup
      vpcZoneIdentifier
      enabledMetrics {
        id
        # Other fields and connections here...
      }
      status
      terminationPolicies
      newInstancesProtectedFromScaleIn
      serviceLinkedRoleARN
      maxInstanceLifetime
      capacityRebalanceEnabled
      warmPoolConfigMaxGroupPreparedCapacity
      warmPoolConfigMinSize
      warmPoolConfigPoolState
      warmPoolConfigStatus
      warmPoolSize
      context
      tags {
        id
        key
        value
      }
      launchConfiguration {
        imageId
        # Other fields and connections here...
      }
      ec2Instance {
        arn
        # Other fields and connections here...
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
      ebs {
        arn
        # Other fields and connections here...
      }
      subnet {
        arn
        # Other fields and connections here...
      }
    }
    rdsCluster {
      id
      accountId
      arn
      allocatedStorage
      backupRetentionPeriod
      characterSetName
      databaseName
      dbClusterIdentifier
      subnets
      status
      percentProgress
      readerEndpoint
      multiAZ
      engine
      engineVersion
      port
      username
      replicationSourceIdentifier
      hostedZoneId
      encrypted
      kmsKey
      resourceId
      iamDbAuthenticationEnabled
      cloneGroupId
      createdTime
      capacity
      engineMode
      deletionProtection
      httpEndpointEnabled
      copyTagsToSnapshot
      crossAccountClone
      tags {
        id
        key
        value
      }
      globalWriteForwardingRequested
      instances {
        arn
        # Other fields and connections here...
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
    }
    rdsDbInstance {
      id
      accountId
      arn
      name
      port
      address
      hostedZoneId
      username
      resourceId
      engine
      engineVersion
      createdTime
      copyTagsToSnapshot
      deletionProtection
      dBInstanceIdentifier
      performanceInsightsEnabled
      autoMinorVersionUpgrade
      iamDbAuthenticationEnabled
      optionsGroups
      parameterGroup
      storageType
      instanceClass
      allocatedStorage
      multiAZ
      subnetGroup
      availabilityZone
      publiclyAccessible
      certificateAuthority
      status
      failoverPriority
      kmsKey
      encrypted
      tags {
        id
        key
        value
      }
      cluster {
        arn
        # Other fields and connections here...
      }
      securityGroups {
        arn
        # Other fields and connections here...
      }
      subnet {
        arn
        # Other fields and connections here...
      }
      vpc {
        arn
        # Other fields and connections here...
      }
    }
  }
}



References

Dgraph documentation on querying

AWS Security Group documentation

Updated 03 Mar 2023
Did this page help you?
PREVIOUS
S3
NEXT
Subnet
Docs powered by
Archbee
TABLE OF CONTENTS
Overview
Filtering
Advanced Filtering
Ordering
Aggregation
Examples
Kitchen Sink
References
Docs powered by
Archbee