describe_ingress_path
Map an AWS instance's full ingress path from EC2 to WAF, revealing load balancers, listener rules, WebACL, and IP set protections. Determines if traffic goes through an ALB or directly to the instance.
Instructions
Map an AWS instance's ingress path in one call: instance → target group(s) → load balancer(s) → listeners/rules → associated WebACL → IP sets + rate-based rules, plus whether the box trusts forwarded client IPs (mod_remoteip / real_ip). Answers 'behind ALB or direct?', 'which WebACL fronts it?', 'is the WAF even attached?'. Returns partial results when IAM scope is incomplete. Read-only (boto3 elbv2/wafv2/ec2 Describe).
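The first half of that chain (instance → target groups → load balancers → WebACL) can be walked with the same read-only calls. This is an added example, not this tool's own code; the function name, the result layout and the stub clients with their sample data are constructed here. It matches instance-type targets only and records a denied wafv2 call instead of failing, mirroring the partial-results behaviour.

```python
try:
    from botocore.exceptions import ClientError
except ImportError:  # keeps the example runnable with only the stubs below
    ClientError = Exception

def ingress_path(instance_id, elbv2, wafv2):
    """Walk instance -> target groups -> load balancers -> WebACL (read-only)."""
    out = {"instance": instance_id, "load_balancers": [], "errors": []}
    lb_arns, kwargs = set(), {}
    while True:  # elbv2 paginates with Marker / NextMarker
        page = elbv2.describe_target_groups(**kwargs)
        for tg in page["TargetGroups"]:
            health = elbv2.describe_target_health(TargetGroupArn=tg["TargetGroupArn"])
            if any(d["Target"]["Id"] == instance_id
                   for d in health["TargetHealthDescriptions"]):
                lb_arns.update(tg["LoadBalancerArns"])
        if not page.get("NextMarker"):
            break
        kwargs = {"Marker": page["NextMarker"]}
    for arn in sorted(lb_arns):
        lb = elbv2.describe_load_balancers(LoadBalancerArns=[arn])["LoadBalancers"][0]
        entry = {"arn": arn, "type": lb["Type"], "scheme": lb["Scheme"], "web_acl": None}
        if lb["Type"] == "application":  # a WebACL cannot be associated with an NLB
            try:
                acl = wafv2.get_web_acl_for_resource(ResourceArn=arn).get("WebACL")
                entry["web_acl"] = acl["Name"] if acl else None
            except ClientError as exc:  # e.g. no wafv2 permission: keep partial result
                entry["web_acl"] = "unknown"
                out["errors"].append(f"wafv2: {exc}")
        out["load_balancers"].append(entry)
    # No match is not proof of direct exposure (ip-type targets are not checked).
    out["verdict"] = "behind load balancer" if lb_arns else "no target group registration found"
    return out

class StubElbv2:  # constructed sample data, not real account output
    def describe_target_groups(self, **kw):
        return {"TargetGroups": [{"TargetGroupArn": "tg-a", "LoadBalancerArns": ["alb-1"]},
                                 {"TargetGroupArn": "tg-b", "LoadBalancerArns": ["nlb-1"]}]}
    def describe_target_health(self, TargetGroupArn):
        ids = {"tg-a": ["i-0aaa"], "tg-b": ["i-0aaa", "i-0bbb"]}[TargetGroupArn]
        return {"TargetHealthDescriptions": [{"Target": {"Id": i}} for i in ids]}
    def describe_load_balancers(self, LoadBalancerArns):
        kind = "application" if LoadBalancerArns[0].startswith("alb") else "network"
        return {"LoadBalancers": [{"Type": kind, "Scheme": "internet-facing"}]}

class StubWafv2:  # constructed: the ALB has no WebACL associated
    def get_web_acl_for_resource(self, ResourceArn):
        return {}
```

With real clients, pass `boto3.client("elbv2")` and `boto3.client("wafv2")` for the instance's region; an ALB entry whose `web_acl` is `None` is the "WAF not attached" case.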
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| region | No | AWS region override (defaults to the instance's region). | |
| verbose | No | Show every listener rule. Default false collapses to the rule(s) routing to this instance + a count of the rest. | |
| instance_id | Yes | AWS instance ID or name. | |
| check_remoteip | No | SSH to the box to detect mod_remoteip / real_ip trust (default true). | |