AWS CLI

find publc facing resources

Certainly! Below is a breakdown of what to look for in the output of each CLI command to determine whether a resource is public-facing:

1. EC2 Instances with Public IP Addresses

aws ec2 describe-instances --query 'Reservations[*].Instances[?PublicIpAddress!=null].[InstanceId,PublicIpAddress]' --output table

	•	Look for: The PublicIpAddress field. If an EC2 instance has a public IP address, it is public-facing.

2. Elastic Load Balancers (ALB, NLB) with Internet-Facing Access

aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme==`internet-facing`].[LoadBalancerArn, DNSName]' --output table

	•	Look for: The Scheme field being internet-facing. This indicates the load balancer is public-facing.

3. CloudFront Distributions

aws cloudfront list-distributions --query 'DistributionList.Items[].[Id, DomainName]' --output table

	•	Look for: The DomainName. All CloudFront distributions are public-facing by default, so list all domain names.

4. S3 Buckets with Public Access

aws s3api list-buckets --query 'Buckets[*].Name' --output text | while read bucket; do aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' --output table; done

	•	Look for: Any Grantee.URI matching http://acs.amazonaws.com/groups/global/AllUsers or AuthenticatedUsers. If present, the bucket is publicly accessible.

5. API Gateway Endpoints with Public Access

aws apigateway get-rest-apis --query 'items[*].[id,name]' --output table

	•	Look for: API Gateway REST APIs are public by default, so list all available REST API IDs and names. Confirm if they are publicly accessible based on security configurations.

6. Amazon RDS Instances with Public Access

aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address]' --output table

	•	Look for: The PubliclyAccessible field. If it is true, the RDS instance is public-facing.

7. Elastic IP Addresses

aws ec2 describe-addresses --query 'Addresses[*].[InstanceId,PublicIp]' --output table

	•	Look for: The PublicIp field. Any Elastic IP addresses listed here are public-facing.

8. Amazon Lightsail Instances with Public IP

aws lightsail get-instances --query 'instances[*].[name,publicIpAddress]' --output table

	•	Look for: The publicIpAddress field. If a public IP address is assigned, the instance is public-facing.

9. AWS App Runner Services

aws apprunner list-services --query 'ServiceSummaryList[*].[ServiceName,ServiceArn,ServiceUrl]' --output table

	•	Look for: The ServiceUrl field. This is the public URL for each service, indicating that the service is publicly accessible.

10. AWS Global Accelerator

aws globalaccelerator list-accelerators --query 'Accelerators[*].[Name,IpSets[0].IpAddresses]' --output table

	•	Look for: The IpAddresses field. Any listed IP addresses are public-facing.

11. OpenSearch Service Domains (Public Endpoints)

aws opensearch describe-domain --domain-name <your-domain-name> --query 'DomainStatus.Endpoint'

	•	Look for: The Endpoint field. If an endpoint is returned, the OpenSearch domain is publicly accessible.

12. AWS Media Services (MediaConnect, MediaPackage, etc.)

aws mediaconnect list-flows --query 'Flows[*].[FlowArn,AvailabilityZone]' --output table

	•	Look for: Media services are often accessible to the public based on flow configurations. Check the availability zone and ensure any connected resources are publicly accessible.

13. AWS IoT Core Endpoints

aws iot describe-endpoint --output table

	•	Look for: The endpointAddress field. This field provides the public endpoint for your IoT core, indicating public access.

14. Amazon AppStream 2.0

aws appstream describe-fleets --query 'Fleets[*].[Name,Arn]' --output table

	•	Look for: Fleets in AppStream 2.0 with public access policies, depending on how they are deployed.

15. AWS Lambda with Public APIs (API Gateway)

aws lambda list-functions --query 'Functions[*].[FunctionName,FunctionArn]' --output table

	•	Look for: Lambda functions themselves are not public, but if they are exposed via API Gateway, check API Gateway configurations to confirm public access.

16. NAT Gateways in Public Subnets

aws ec2 describe-nat-gateways --query 'NatGateways[?VpcId!=null].[NatGatewayId,State,SubnetId]' --output table

	•	Look for: The SubnetId field. If the NAT Gateway is associated with a public subnet, it is publicly accessible.

17. Amazon WorkSpaces

aws workspaces describe-workspaces --query 'Workspaces[*].[WorkspaceId,IpAddress]' --output table

	•	Look for: The IpAddress field. If the WorkSpace has a public IP address, it is publicly accessible.

18. Amazon OpenSearch Service

aws opensearch list-domain-names --output table

	•	Look for: The domain names and their configurations. Ensure that the endpoints are not publicly accessible unless intended.

19. Amazon Route 53 Public Hosted Zones

aws route53 list-hosted-zones --query 'HostedZones[?Config.PrivateZone==`false`].[Id,Name]' --output table

	•	Look for: The PrivateZone field. If this is false, the hosted zone is public-facing.

20. Amazon App Runner (Public URLs)

aws apprunner list-services --query 'ServiceSummaryList[*].[ServiceName,ServiceUrl]' --output table

	•	Look for: The ServiceUrl field. This indicates that the service is public-facing.

21. Amazon EKS (Public API Server Endpoint)

aws eks describe-cluster --name <cluster-name> --query 'cluster.resourcesVpcConfig.endpointPublicAccess'

	•	Look for: The endpointPublicAccess field. If it is true, the EKS cluster’s API server is publicly accessible.

In each command, you’re looking for fields indicating public IP addresses, public access settings, or public URLs. You can automate these commands to flag any public-facing resources and take appropriate security measures like applying AWS Shield.