list_open_security_groups

Identify AWS security groups with open ports to the public internet. Check for ingress from 0.0.0.0/0 on specified ports to assess security exposure.

Instructions

Lists security groups that allow ingress from 0.0.0.0/0 on specified ports (default: 22, 3389).

Input Schema

| Name  | Required | Description                                   | Default |
|-------|----------|-----------------------------------------------|---------|
| ports | No       | List of ports to check (default: [22, 3389]). |         |

Implementation Reference

  • Handler function that lists EC2 security groups allowing ingress from 0.0.0.0/0 on specified ports (if no ports are given it reports any world-open rule; callers can pass specific ports such as 22/3389). It first narrows the result server-side with DescribeSecurityGroupsCommand and a CIDR filter, then checks each group's IpPermissions client-side for open ranges and port overlap.
    ```typescript
    // Excerpt from the server's CallTool handler: `name`, `args` and `ec2Client`
    // (the client that sends DescribeSecurityGroupsCommand from @aws-sdk/client-ec2)
    // are defined by the surrounding code, which is not shown here.
    if (name === "list_open_security_groups") {
        const checkPorts = (args as any)?.ports; // If undefined, we check for ANY open port

        // If user specifically requests some ports, use them. If checkPorts is undefined/empty, means "any port".
        // But if user passes [], it might mean "any" or "none". Let's assume undefined means "any".
        // Note: the registered tool description says the default is ports 22 and 3389, but
        // omitting `ports` here reports every rule open to 0.0.0.0/0 regardless of port.
        const checkSpecificPorts = checkPorts && checkPorts.length > 0;

        // Server-side filter: only groups that have 0.0.0.0/0 in at least one rule.
        // A matching group may still contain other rules, so each rule is re-checked below.
        const command = new DescribeSecurityGroupsCommand({
            Filters: [{ Name: "ip-permission.cidr", Values: ["0.0.0.0/0"] }]
        });
        const response = await ec2Client.send(command);

        const openSGs = response.SecurityGroups?.filter(sg => {
            return sg.IpPermissions?.some(perm => {
                // Only IPv4 ranges are inspected; an IPv6 rule open to ::/0 is not reported.
                const isGlobal = perm.IpRanges?.some(r => r.CidrIp === "0.0.0.0/0");
                if (!isGlobal) return false;

                if (!checkSpecificPorts) return true; // If we aren't filtering by specific ports, then ANY 0.0.0.0/0 is a match.

                // Check if it overlaps with checked ports or is all traffic
                if (perm.IpProtocol === "-1") return true; // All traffic
                const fromPort = perm.FromPort || 0;
                const toPort = perm.ToPort || 65535;
                return checkPorts.some((p: number) => p >= fromPort && p <= toPort);
            });
        }).map(sg => ({
            GroupId: sg.GroupId,
            GroupName: sg.GroupName,
            Description: sg.Description,
            // Same rule test again, rendered as "from-to" labels (or "All" for protocol -1).
            OpenPorts: sg.IpPermissions?.filter(perm =>
                perm.IpRanges?.some(r => r.CidrIp === "0.0.0.0/0") &&
                (!checkSpecificPorts || perm.IpProtocol === "-1" || checkPorts.some((p: number) => p >= (perm.FromPort || 0) && p <= (perm.ToPort || 65535)))
            ).map(p => p.IpProtocol === "-1" ? "All" : `${p.FromPort}-${p.ToPort}`)
        })) || [];

        return {
            content: [{ type: "text", text: JSON.stringify(openSGs, null, 2) }]
        };
    }
    ```
  • src/index.ts:417-430 (registration)
    Tool registration in the ListToolsRequestSchema handler, including name, description, and input schema definition.
    ```typescript
    {
        name: "list_open_security_groups",
        description: "Lists security groups that allow ingress from 0.0.0.0/0 on specified ports (default: 22, 3389).",
        inputSchema: {
            type: "object",
            properties: {
                ports: {
                    type: "array",
                    items: { type: "number" },
                    description: "List of ports to check (default: [22, 3389])."
                }
            }
        }
    },
    ```
  • Input schema for the list_open_security_groups tool, defining the optional ports array.
    ```typescript
        inputSchema: {
            type: "object",
            properties: {
                ports: {
                    type: "array",
                    items: { type: "number" },
                    description: "List of ports to check (default: [22, 3389])."
                }
            }
        }
    },
    ```
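The handler's client-side port-overlap check, as an added example that is not the project's code: it reimplements the `isGlobal` and port-range logic above as a pure function over constructed sample groups (no AWS call), and goes one step further by also flagging IPv6 `::/0` ranges, which the handler does not inspect. The `findOpenIngress` name, the interfaces, and the sample data are assumptions of this example.

```typescript
// Added example (not the project's code): the handler's client-side overlap
// check as a pure function, run over constructed sample groups shaped like
// DescribeSecurityGroups output. Unlike the handler it also flags IPv6 ::/0.
interface IpPermission {
  IpProtocol?: string;      // "tcp", "udp", "icmp" or "-1" (all traffic)
  FromPort?: number;
  ToPort?: number;
  IpRanges?: { CidrIp?: string }[];
  Ipv6Ranges?: { CidrIpv6?: string }[];
}
interface SecurityGroup { GroupId?: string; GroupName?: string; IpPermissions?: IpPermission[]; }

const ANY_V4 = "0.0.0.0/0";
const ANY_V6 = "::/0";

// True when the rule admits the whole internet over IPv4 or IPv6.
function isWorldOpen(perm: IpPermission): boolean {
  return (perm.IpRanges ?? []).some((r) => r.CidrIp === ANY_V4) ||
    (perm.Ipv6Ranges ?? []).some((r) => r.CidrIpv6 === ANY_V6);
}

// True when the rule's port range overlaps a requested port. Protocol "-1"
// is all traffic on every port, and an empty list means "any port", as in the handler.
function coversPorts(perm: IpPermission, ports: number[]): boolean {
  if (ports.length === 0 || perm.IpProtocol === "-1") return true;
  const from = perm.FromPort ?? 0;
  const to = perm.ToPort ?? 65535;
  return ports.some((p) => p >= from && p <= to);
}

// Returns "<GroupId>:<range>" for every world-open rule touching `ports`;
// an empty array means no exposure was found.
function findOpenIngress(groups: SecurityGroup[], ports: number[] = [22, 3389]): string[] {
  const hits: string[] = [];
  for (const sg of groups) {
    for (const perm of sg.IpPermissions ?? []) {
      if (!isWorldOpen(perm) || !coversPorts(perm, ports)) continue;
      hits.push(`${sg.GroupId}:${perm.IpProtocol === "-1" ? "All" : `${perm.FromPort}-${perm.ToPort}`}`);
    }
  }
  return hits;
}

// Constructed sample data, not real AWS output.
const SAMPLE_GROUPS: SecurityGroup[] = [
  { GroupId: "sg-aaaa", GroupName: "web", IpPermissions: [{ IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: ANY_V4 }] }] },
  { GroupId: "sg-bbbb", GroupName: "bastion", IpPermissions: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "10.0.0.0/8" }], Ipv6Ranges: [{ CidrIpv6: ANY_V6 }] }] },
  { GroupId: "sg-cccc", GroupName: "legacy", IpPermissions: [{ IpProtocol: "-1", IpRanges: [{ CidrIp: ANY_V4 }] }] },
  { GroupId: "sg-dddd", GroupName: "rdp", IpPermissions: [{ IpProtocol: "tcp", FromPort: 3000, ToPort: 4000, IpRanges: [{ CidrIp: ANY_V4 }] }] },
];
```

With the default ports the sample yields the bastion (open on 22 via `::/0`), the all-traffic legacy group, and the 3000-4000 range that contains 3389, while the HTTPS-only group is not reported.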
