-1

I'm hoping there is a solution for this that I just haven't been able to find in my searches, but here is my problem.

I want to scan my security groups and identify any CIDRs that are overlapping. For example, if I have 1.2.3.4/32 and 1.2.3.0/24 I want to identify both of those, because the /32 is obviously a part of the /24. If I had 1.2.3.4/6,7,8,9 I would want to identify those as well as they are all part of the /24.

If this were a couple of security groups I could perform manually but I'm having to run this exercise on 100s of security groups with hundreds of rules.

user3299633
  • 2,971
  • 3
  • 24
  • 38

2 Answers2

1

First, extract the CIDR blocks. Then, in Python, use either the ipaddr library or the ipconflict library to check for overlaps. For example, with ipaddr, you can call the overlaps function, and with ipconflict you can call ipconflict.

Here is an example of a similar question with a number of relevant answers: Check if two CIDR addresses intersect?

jtoberon
  • 8,706
  • 1
  • 35
  • 48
0

Stop the bleeding

Consider using ACLs if you are wanting to implement traffic security between different sets of IPs, hopefully these are grouped into different Subnets. Manually having to go through many different security groups sounds wrong, instead get the correct level of fine-grain or coarse level security expressions.

Avoid using CIDR ip expressions for ips which reside in your own VPC. Rather reference other security groups in a given security group, and if VPC subnets should be sectioned off from one another, use ACLs. Enable VPC flow logs to debug any issues which could occur. Otherwise this will become unmanageable, which it kind of sounds like it may already be.

Derrops
  • 7,651
  • 5
  • 30
  • 60