AWS Security Groups

Import AWS Security Group configurations exported with the AWS CLI. netbobr parses inbound and outbound rules, extracting source/destination CIDRs, protocols, and port ranges for compliance analysis.

Export Commands

# Export all security groups
aws ec2 describe-security-groups > security-groups.json

# Export a specific security group
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0 > sg.json

# Export with filters (e.g., by VPC)
aws ec2 describe-security-groups --filters "Name=vpc-id,Values=vpc-abc123" > vpc-sgs.json

Supported JSON Shapes

netbobr accepts three JSON structures:

  1. Full describe-security-groups output -- the standard AWS CLI response with a SecurityGroups array wrapper
  2. Array of security group objects -- a JSON array containing one or more security group objects
  3. Single security group object -- a single object with IpPermissions and/or IpPermissionsEgress

Example

A minimal security group with one inbound and one outbound rule:

{
  "SecurityGroups": [
    {
      "GroupName": "web-servers",
      "GroupId": "sg-0abc0001",
      "Description": "Security group for web services",
      "IpPermissions": [
        {
          "IpProtocol": "tcp",
          "FromPort": 443,
          "ToPort": 443,
          "IpRanges": [
            { "CidrIp": "10.0.0.0/8", "Description": "HTTPS from internal" }
          ]
        }
      ],
      "IpPermissionsEgress": [
        {
          "IpProtocol": "tcp",
          "FromPort": 80,
          "ToPort": 80,
          "IpRanges": [
            { "CidrIp": "0.0.0.0/0", "Description": "HTTP outbound" }
          ]
        }
      ]
    }
  ]
}

This produces two flows:

  • Inbound: 10.0.0.0/8 -> 0.0.0.0/0 TCP 443
  • Outbound: 0.0.0.0/0 -> 0.0.0.0/0 TCP 80

Parser Behavior

AWS Rule Type                    Source         Destination    Notes
Inbound (IpPermissions)          CidrIp value   0.0.0.0/0      SGs only have a source CIDR for inbound
Outbound (IpPermissionsEgress)   0.0.0.0/0      CidrIp value   SGs only have a destination CIDR for outbound

  • Protocol -1 (all traffic) maps to ANY with port range 0-65535
  • Port ranges are preserved as FromPort-ToPort notation (e.g., 8000-9000)
  • Single ports where FromPort equals ToPort are rendered as a single number (e.g., 443)
  • Metadata includes the security group name, group ID, description, and direction for each parsed flow

Limitations and Warnings

Security group references

Rules that reference other security groups (UserIdGroupPairs) cannot be resolved to CIDR blocks. These rules generate a warning and are skipped:

Security group reference sg-0abc1234 in web-servers cannot be resolved to CIDR -- skipped

To include these flows, find the CIDR ranges associated with the referenced security group and create equivalent CIDR-based rules, or add them manually in netbobr.

IPv6 ranges

IPv6 CIDR ranges (Ipv6Ranges) are skipped with a warning. netbobr currently only supports IPv4 addresses.

VPC prefix lists

Rules referencing VPC prefix lists (PrefixListIds) are skipped with a warning since prefix lists cannot be resolved to CIDRs without additional AWS API calls.

Tier 2 rules (both a specific source AND a specific destination)

AWS Security Groups inherently express rules with only one specific CIDR -- the source (for inbound) or the destination (for outbound). The other side is always implied as "the resource the SG is attached to." This means AWS SGs always have 0% Tier 2 accuracy (rules requiring both a specific source and destination CIDR).
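The parser behavior described above (the three accepted JSON shapes, inbound/outbound CIDR placement, protocol -1 mapping, port rendering, per-flow metadata) and the skip-with-warning handling of security group references, IPv6 ranges and prefix lists from this section, as an added worked example. This is not netbobr's own code; parseSecurityGroups, the flow field names, the IPv6 and prefix-list warning texts, and the sample input are assumptions constructed for the example.

```javascript
// Added example (not netbobr's own code): a small parser that follows the
// behaviour documented on this page. parseSecurityGroups, the flow field
// names and the IPv6/prefix-list warning texts are assumptions.

const ANY_CIDR = "0.0.0.0/0";
const NAMED_PROTOCOLS = { "-1": "ANY", "6": "TCP", "17": "UDP", "1": "ICMP",
                          "tcp": "TCP", "udp": "UDP", "icmp": "ICMP" };

// Accept the three JSON shapes: CLI wrapper, bare array, or single SG object.
function normalizeSecurityGroups(input) {
  if (Array.isArray(input)) return input;
  if (input && Array.isArray(input.SecurityGroups)) return input.SecurityGroups;
  if (input && (input.IpPermissions || input.IpPermissionsEgress)) return [input];
  return [];
}

// TCP/UDP/ICMP/-1 become names; other protocol numbers pass through as-is.
function protocolName(ipProtocol) {
  const key = String(ipProtocol).toLowerCase();
  return NAMED_PROTOCOLS[key] || String(ipProtocol);
}

// -1 (all traffic) gets 0-65535; equal From/To ports collapse to one number.
// Treating a rule with no ports as 0-65535 is an assumption of this example.
function portRange(rule, protocol) {
  if (protocol === "ANY" || rule.FromPort == null || rule.ToPort == null) return "0-65535";
  return rule.FromPort === rule.ToPort ? String(rule.FromPort) : `${rule.FromPort}-${rule.ToPort}`;
}

function rulesToFlows(group, rules, direction, warnings) {
  const flows = [];
  const groupName = group.GroupName;
  for (const rule of rules || []) {
    const protocol = protocolName(rule.IpProtocol);
    const port = portRange(rule, protocol);
    // One flow per CidrIp entry; the implied side is always 0.0.0.0/0.
    for (const range of rule.IpRanges || []) {
      flows.push({
        source: direction === "inbound" ? range.CidrIp : ANY_CIDR,
        destination: direction === "inbound" ? ANY_CIDR : range.CidrIp,
        protocol, port,
        metadata: { groupName, groupId: group.GroupId, description: group.Description, direction },
      });
    }
    // Non-CIDR rule sides cannot be resolved offline: warn and skip.
    for (const pair of rule.UserIdGroupPairs || []) {
      warnings.push(`Security group reference ${pair.GroupId} in ${groupName} cannot be resolved to CIDR -- skipped`);
    }
    for (const r of rule.Ipv6Ranges || []) {
      warnings.push(`IPv6 range ${r.CidrIpv6} in ${groupName} skipped (IPv4 only)`);
    }
    for (const p of rule.PrefixListIds || []) {
      warnings.push(`Prefix list ${p.PrefixListId} in ${groupName} cannot be resolved to CIDR -- skipped`);
    }
  }
  return flows;
}

function parseSecurityGroups(input) {
  const warnings = [];
  const flows = [];
  for (const group of normalizeSecurityGroups(input)) {
    flows.push(...rulesToFlows(group, group.IpPermissions, "inbound", warnings));
    flows.push(...rulesToFlows(group, group.IpPermissionsEgress, "outbound", warnings));
  }
  return { flows, warnings };
}

// Constructed sample: the page's web-servers group plus an all-traffic egress
// rule and an inbound rule that only references another security group.
const SAMPLE = {
  SecurityGroups: [{
    GroupName: "web-servers", GroupId: "sg-0abc0001", Description: "Security group for web services",
    IpPermissions: [
      { IpProtocol: "tcp", FromPort: 443, ToPort: 443,
        IpRanges: [{ CidrIp: "10.0.0.0/8", Description: "HTTPS from internal" }] },
      { IpProtocol: "tcp", FromPort: 8000, ToPort: 9000,
        IpRanges: [], UserIdGroupPairs: [{ GroupId: "sg-0abc1234" }] },
    ],
    IpPermissionsEgress: [
      { IpProtocol: "tcp", FromPort: 80, ToPort: 80,
        IpRanges: [{ CidrIp: "0.0.0.0/0", Description: "HTTP outbound" }] },
      { IpProtocol: "-1", IpRanges: [{ CidrIp: "0.0.0.0/0" }] },
    ],
  }],
};

if (typeof require !== "undefined" && require.main === module) {
  const { flows, warnings } = parseSecurityGroups(SAMPLE);
  for (const f of flows) console.log(`${f.metadata.direction}: ${f.source} -> ${f.destination} ${f.protocol} ${f.port}`);
  for (const w of warnings) console.warn(`warning: ${w}`);
}
```

Running it on the constructed sample yields three flows (the page's two plus `outbound: 0.0.0.0/0 -> 0.0.0.0/0 ANY 0-65535`) and one warning for sg-0abc1234; the 8000-9000 rule produces no flow because its only source is a security group reference, which is exactly why every inbound flow here has 0.0.0.0/0 as its destination and no Tier 2 flow can ever be produced.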

Accuracy

Metric               Value
CLI match rate       76.5% (306/400)
Browser match rate   76.5% (306/400)
Tier 1 accuracy      87.9% (306/348)
Tier 2 accuracy      0% (0/40) -- expected gap
Field accuracy       100% (risk score, risk level, verdict)

The 76.5% match rate reflects two expected gaps:

  • 40 Tier 2 flows that require both specific source and destination CIDRs (AWS SGs cannot express this)
  • 42 Tier 1 flows involving protocol ANY with full port ranges, where AWS protocol -1 semantics differ from CSV baseline representation

When a flow does match, risk scores, risk levels, and verdicts are identical to the CSV baseline (100% field accuracy).

Troubleshooting

No flows parsed

Verify the JSON file has a SecurityGroups key (standard AWS CLI output) or is an array of security group objects. A common mistake is exporting EC2 instance descriptions instead of security groups -- look for IpPermissions in the JSON structure.

Missing rules

Check if rules use security group references instead of CIDR blocks. These appear as warnings in the import results banner. Rules referencing UserIdGroupPairs, Ipv6Ranges, or PrefixListIds are skipped.

Protocol shows as a number

This is expected for non-standard IP protocols. TCP (6), UDP (17), ICMP (1), and -1 (all traffic) are mapped to named protocols. Other protocol numbers are passed through as-is.

Fewer flows than expected

Each CidrIp entry in IpRanges produces one flow. If a single rule has multiple CIDR ranges, they produce multiple flows. Rules with no IpRanges (only security group references) produce zero flows.

Usage

CLI:

npx @netbobr/cli analyze security-groups.json --cloud-format aws-sg

Browser: Drag and drop the .json file onto the import area. The format is auto-detected.