[aws] AWS CLI를 이용해서 EC2 정보 query 하기

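# Cheat-sheet of standalone AWS CLI commands for auditing EC2 resources.
# Each command is meant to be run on its own (no strict mode, no shebang);
# all of them use the default profile and region unless --profile / --region
# is added. Every --filters / --query argument is single-quoted so the shell
# never glob-expands '*' and the CLI receives the text exactly as written.

# Security groups that contain 0.0.0.0/0 rules
# (IPv4 ingress only; run again with Name=ip-permission.ipv6-cidr,Values=::/0
# for IPv6 and Name=egress.ip-permission.cidr,Values=0.0.0.0/0 for egress)

aws ec2 describe-security-groups --filters 'Name=ip-permission.cidr,Values=0.0.0.0/0' --output=text | grep SECURITYGROUPS

# Security groups for ElasticSearch
# (from-port matches rules whose range starts at 9200; a wider range such as
# 9000-9300 also exposes 9200 but is not returned by this filter)

aws ec2 describe-security-groups --filters 'Name=ip-permission.from-port,Values=9200' --output=text | grep SECURITYGROUPS

# Search last 10,000/1MB of CloudTrail logs for 'AccessDenied' (removed AWS account number from stream name)
# The stream name follows <account-id>_CloudTrail_<region>; 000000000000 is a placeholder.

aws logs get-log-events --log-group-name CloudTrail/DefaultLogGroup --log-stream-name 000000000000_CloudTrail_eu-west-1 | grep AccessDenied

# Get number of AWS API calls in time period (assumes a Cloudwatch Logs 'catch-all' filter and metric has been created against CloudTrail logs)
# Timestamps without an explicit offset are interpreted as UTC.

aws cloudwatch get-metric-statistics --namespace LogMetrics --metric-name AllApiCallsCount --period 60 --statistics Sum --start-time 2015-04-15T13:40:00 --end-time 2015-04-15T13:55:00

# Security groups with particular name
# (quoted so the shell cannot expand *external* against files in the cwd)

aws ec2 describe-security-groups --filters 'Name=group-name,Values=*external*' --output=text | grep SECURITYGROUPS

# Instance IDs on known subnet ranges

aws ec2 describe-instances --filters 'Name=private-ip-address,Values=10.100.1.*,10.100.2.*' --query 'Reservations[*].Instances[*].InstanceId'

# Count instance types
# Text output prints all instances of one reservation tab-separated on a
# single line, so split on tabs before counting; sort numerically so that
# counts of 10 or more are ordered correctly.

aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceType' --output=text | tr '\t' '\n' | sort | uniq -c | sort -rn

# ELB summaries

aws elb describe-load-balancers --query 'LoadBalancerDescriptions[*].{Name:DNSName,Instances:Instances[*],SecurityGroups:SecurityGroups[*],Listeners:ListenerDescriptions[*].Listener.LoadBalancerPort}'

# Elastic IP summaries

aws ec2 describe-addresses --query 'Addresses[*].{PublicIp:PublicIp,InstanceId:InstanceId}'

# Show scheduled events

aws ec2 describe-instance-status --filters 'Name=event.code,Values=instance-reboot,system-reboot,system-maintenance,instance-retirement,instance-stop' --query 'InstanceStatuses[*].{InstanceId:InstanceId,Event:[Events[*].Code,Events[*].NotBefore,Events[*].Description]}'

# Show last 10 security group ingress changes
# (lookup-events covers only the current region and the last 90 days of
# management events; use the CloudTrail S3 archive for anything older)

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AuthorizeSecurityGroupIngress --max-results 10

# Show IDs and names of instances in specified subnets
# (replace each subnet-<id> with a real subnet ID; the continuation must not
# have blank lines between the backslash and the next line)

aws ec2 describe-instances --filters 'Name=subnet-id,Values=subnet-<id>,subnet-<id>' \
  --query 'Reservations[*].Instances[*].{InstanceId:InstanceId,SubnetId:SubnetId,Tags:[Tags[*].Value],PrivateIpAddress:PrivateIpAddress,PublicIpAddress:PublicIpAddress,SecurityGroupNames:[SecurityGroups[*].GroupName],SecurityGroupIds:[SecurityGroups[*].GroupId]}'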
