Firewall Janitor
Find the 0.0.0.0/0 rule that was "temporary" 3 years ago
Audits AWS security groups and K8s network policies for overly permissive rules, unused rules, and conflicts. Cross-references VPC Flow Logs to identify rules that are never hit and can be safely removed.
INGREDIENTS
PROMPT
Create a skill called "Firewall Janitor". Audit security groups and network policies:

For AWS security groups:
1. List all security groups and their rules across the specified VPCs
2. Flag overly permissive rules: 0.0.0.0/0 or ::/0 inbound, wide port ranges (0-65535), any protocol (-1)
3. If VPC Flow Logs are available, identify rules with zero hits in the last 30 days
4. Find duplicate or overlapping rules
5. Detect security groups not attached to any resource

For Kubernetes NetworkPolicies:
1. Identify namespaces with no NetworkPolicies (all traffic allowed by default)
2. Check for policies that don't match any pods (selector mismatch)
3. Verify that expected connectivity matches actual policy

Generate a cleanup plan with:
- Risk level for each change (removing a rule that has zero flow log hits = low risk)
- Exact AWS CLI or kubectl commands to apply changes
- Terraform resources if managing as code
How It Works
Security groups accumulate cruft like barnacles. Temporary rules become
permanent, nobody removes rules for decommissioned services, and over
time you end up with a tangle nobody dares touch. This skill makes
cleanup safe by tying every proposed removal to evidence (flow log hits,
attachment state, selector matches) and a risk level, so the low-risk
deletions can go first.
What You Get
- Full security group inventory with rule analysis
- Overly permissive rules flagged (0.0.0.0/0 or ::/0, wide port ranges, any-any)
- Unused rules identified by cross-referencing VPC Flow Logs (no accepted flow in the window)
- Duplicate and overlapping rules detected
- K8s NetworkPolicy audit for completeness and correctness
- Safe cleanup plan with exact changes and risk assessment
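The Kubernetes NetworkPolicy audit listed above, as an added example (not the skill's own code) over constructed pods and policies in the shape of `kubectl get pods,networkpolicies -A -o json`. It implements label-selector matching with both `matchLabels` and `matchExpressions`, the API's default for `policyTypes`, the two findings from the prompt (namespaces with no policy, policies whose selector matches nothing), and a connectivity check for "expected versus actual". The connectivity check is simplified by assumption: it evaluates same-namespace `podSelector` peers on any port, and treats `namespaceSelector`, `ipBlock` and `ports` as non-matching, so it errs toward reporting "denied".

```python
"""Audit Kubernetes NetworkPolicies: namespaces with no policy, policies whose
podSelector matches no pod, and whether a given pod-to-pod ingress is allowed.
Added example, not the skill's code; pods and policies below are constructed."""

PODS = [  # constructed
    {"namespace": "prod", "name": "web-1", "labels": {"app": "web", "tier": "frontend"}},
    {"namespace": "prod", "name": "api-1", "labels": {"app": "api", "tier": "backend"}},
    {"namespace": "dev", "name": "scratch", "labels": {"app": "scratch"}},
]
POLICIES = [  # constructed; only the metadata and spec fields the audit reads
    {"namespace": "prod", "name": "api-allow-web", "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}},
    {"namespace": "prod", "name": "db-deny-all", "spec": {  # no pod has app=db any more
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"], "ingress": []}},
    {"namespace": "prod", "name": "legacy-no-egress", "spec": {
        "podSelector": {"matchExpressions": [
            {"key": "tier", "operator": "In", "values": ["legacy"]}]},
        "policyTypes": ["Egress"], "egress": []}},
]

def selector_matches(selector, labels):
    """Label selector semantics: all matchLabels AND every matchExpression.
    An empty selector ({}) matches every pod in the namespace."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if ((op == "In" and labels.get(key) not in values)
                or (op == "NotIn" and labels.get(key) in values)
                or (op == "Exists" and not present)
                or (op == "DoesNotExist" and present)):
            return False
    return True

def policy_types(spec):
    """Effective policyTypes: the explicit list, else Ingress always and Egress
    only when an egress section is present (the API default)."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def selecting(pod, policies):
    """Policies in the pod's namespace whose podSelector matches it."""
    return [p for p in policies if p["namespace"] == pod["namespace"]
            and selector_matches(p["spec"]["podSelector"], pod["labels"])]

def unprotected_namespaces(pods, policies):
    """Namespaces running pods but holding no NetworkPolicy: everything is allowed."""
    return sorted({p["namespace"] for p in pods} - {p["namespace"] for p in policies})

def dangling_policies(pods, policies):
    """Policies whose podSelector matches no pod in their namespace: they enforce nothing."""
    return [f'{pol["namespace"]}/{pol["name"]}' for pol in policies
            if not any(selector_matches(pol["spec"]["podSelector"], pod["labels"])
                       for pod in pods if pod["namespace"] == pol["namespace"])]

def isolation(pod, policies):
    """Directions restricted for a pod: one selecting policy of that type is enough."""
    return set().union(*(policy_types(p["spec"]) for p in selecting(pod, policies)))

def ingress_allowed(src, dst, policies):
    """Is src -> dst ingress permitted? Assumption of this example: same-namespace
    podSelector peers on any port; other peer kinds and `ports` count as no match."""
    if "Ingress" not in isolation(dst, policies):
        return True  # no ingress policy selects dst, so it is open by default
    if src["namespace"] != dst["namespace"]:
        return False
    for pol in selecting(dst, policies):
        if "Ingress" not in policy_types(pol["spec"]):
            continue
        for rule in pol["spec"].get("ingress", []):
            if not rule.get("from"):  # empty or missing `from` allows all sources
                return True
            if any(set(peer) == {"podSelector"}
                   and selector_matches(peer["podSelector"], src["labels"])
                   for peer in rule["from"]):
                return True
    return False

if __name__ == "__main__":
    print("no policies:", unprotected_namespaces(PODS, POLICIES))
    print("dangling:", dangling_policies(PODS, POLICIES))
    web, api = PODS[0], PODS[1]
    print("web->api", ingress_allowed(web, api, POLICIES),
          "api->api", ingress_allowed(api, api, POLICIES))
```

Two findings fall out of the constructed data: `dev` has no policy at all, and both `db-deny-all` and `legacy-no-egress` select nothing, so the "deny" they appear to provide is not in force. The connectivity check then confirms web-1 can reach api-1 while api-1 cannot reach itself through the policy, which is the kind of expected-versus-actual statement the cleanup plan should record before a policy is touched.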
Setup Steps
- Ensure your Claw has AWS CLI access with read-only permissions (the EC2 Describe* calls plus read access to the flow log destination, CloudWatch Logs or S3)
- Enable VPC Flow Logs if they are not already on, and let them collect for the full 30-day window before trusting any zero-hit finding
- Run the audit and review findings
- Apply the cleanup plan starting with the lowest-risk changes
Tips
- Start by finding 0.0.0.0/0 inbound rules — these are the highest risk
- VPC Flow Logs are the key to safely identifying unused rules, but only ACCEPT records count as hits, and when several security groups share an ENI the log does not say which one admitted a flow, so credit the hit to every rule that could have allowed it
- Don't just delete unused rules — some are for disaster recovery paths
- Generate Terraform for your security groups to manage them as code going forward
- Check both inbound AND outbound rules: egress is often overlooked, and the default egress rule allows all traffic to 0.0.0.0/0