
I am having a bit of an issue with this command. I am trying to list out only the egress ACL rules, and just the rule number. So this is my command:

aws ec2 describe-network-acls --network-acl-ids acl-c324a5a4 --output text --query 'NetworkAcls[*].Entries[*].{RN:RuleNumber}' --filter Name=entry.rule-action,Values=allow Name=entry.egress,Values=true

The return of this is:

100
110
120
130
140
150
160
170
32767
100
110
120
130
140
150
160
170
32767

It is basically listing both egress and ingress rules. The egress and ingress rules have the same rule number. It also lists the *DENY rule (32767); I would also like to avoid that.

Can anyone help me with this command where I want to list out only egress rule numbers?

Thanks

GaTechThomas
Felipe Caldas

2 Answers


So you want the egress rule numbers which are allowed. You can do that using the following query:

aws ec2 describe-network-acls \
  --output text \
  --network-acl-ids acl-c324a5a4 \
  --query 'NetworkAcls[*].Entries[?(RuleAction==`allow` && Egress==`true`)].{RN:RuleNumber}'

You can read more about Controlling Command Output from the AWS Command Line Interface.

Frederic Henri
  • Right, so that's how you do it. Thanks very much! May I bother you with one last thing? How do I add to this query the Port Range? Say I have the rule on To and From port 20... how do I query for that specific port (including the allow && egress from before). Thanks! – Felipe Caldas Jul 06 '17 at 09:17
  • Actually, no need. I should've tried before asking you for more help. Only had to do this: PortRange.To==`20` – Felipe Caldas Jul 06 '17 at 09:22
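Added example, not code from the answer or from the AWS CLI: the same selection done in plain Python over a constructed describe-network-acls response, so it can be checked offline without an account. It also goes one step beyond the PortRange.To==`20` comment above by testing whether a rule's range contains the port, since an allow rule for all ports or for protocol -1 permits port 20 as well but would never match To==20.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls` JSON
# output (fields trimmed); the ACL id is a placeholder, not a real one.
SAMPLE_RESPONSE = json.loads("""
{"NetworkAcls": [{"NetworkAclId": "acl-EXAMPLE", "Entries": [
 {"RuleNumber": 100, "Egress": true, "RuleAction": "allow", "Protocol": "6",
  "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 20, "To": 20}},
 {"RuleNumber": 110, "Egress": true, "RuleAction": "allow", "Protocol": "6",
  "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
 {"RuleNumber": 130, "Egress": true, "RuleAction": "allow", "Protocol": "-1",
  "CidrBlock": "10.0.0.0/8"},
 {"RuleNumber": 32767, "Egress": true, "RuleAction": "deny", "Protocol": "-1",
  "CidrBlock": "0.0.0.0/0"},
 {"RuleNumber": 100, "Egress": false, "RuleAction": "allow", "Protocol": "6",
  "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 20, "To": 20}},
 {"RuleNumber": 32767, "Egress": false, "RuleAction": "deny", "Protocol": "-1",
  "CidrBlock": "0.0.0.0/0"}
]}]}
""")


def covers_port(entry, port):
    # Protocol "-1" (all traffic) entries carry no PortRange and match any
    # port; ICMP entries also lack PortRange and never match a TCP/UDP port.
    if entry.get("Protocol") == "-1":
        return True
    pr = entry.get("PortRange")
    return pr is not None and pr["From"] <= port <= pr["To"]


def allowed_egress_rules(response, port=None):
    """Rule numbers of allow+egress entries, ascending.

    Same selection as the JMESPath filter
    Entries[?RuleAction==`allow` && Egress==`true`]; the "* DENY" catch-all
    32767 drops out because its action is never allow.  With `port` set,
    only entries whose range actually contains that port are kept.
    """
    rules = []
    for acl in response["NetworkAcls"]:
        for entry in acl["Entries"]:
            if entry["RuleAction"] != "allow" or not entry["Egress"]:
                continue
            if port is not None and not covers_port(entry, port):
                continue
            rules.append(entry["RuleNumber"])
    return sorted(rules)
```

Run `allowed_egress_rules(SAMPLE_RESPONSE, port=20)` to see that rule 130 (all protocols, no PortRange) is reported alongside rule 100, which the To==20 comparison alone would miss.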

With the help of awk and grep we can get the list of only the egress rules as shown below.

aws ec2 describe-network-acls --network-acl-ids acl-63092b1a --query 'NetworkAcls[*].Entries[*].[Egress,RuleNumber]' --output text | grep -v False | awk '{print $2}' | grep -v '^$\|^\s*\#'

To filter results by the value of a specific field, use the JMESPath "?" operator. The following example query outputs only volumes in the us-west-2a availability zone:

$ aws ec2 describe-volumes --query 'Volumes[?AvailabilityZone==`us-west-2a`]'

For more information please go through this article.

sudheerchamarthi