Cloud Network Access Control Rule Review — Official Command Compilation (Azure NSG, AWS Security Group/NACL, GCP Firewall)

Kuro Huang
資安工作者的學習之路
5 min read · Sep 8, 2024

In a cloud environment, network access control rules, similar to on-premises firewalls, must be regularly reviewed. To help with this process, I have compiled official documentation, commands, and automation scripts for easier access and sharing.

The Chinese version of this article: 雲端網路存取控制規則檢視-官方指令彙整(Azure NSG, AWS Security Group/NACL ,GCP Firewall) | 資安工作者的學習之路 (medium.com)

Environment

Considering security and environment requirements, the commands and scripts in this guide are designed to be executed directly via the Cloud Shell in Azure, AWS, and GCP, without the need to install CLI tools on your local machine.

For AWS, many people install tools locally and access the cloud using an Access Key. However, storing Access Keys on your local machine raises security concerns, and there may be issues with package versions or environment configurations. I recommend using Cloud Shell to execute commands instead.

Cloud Shell Official Documentation:

Export Format:
All outputs are in JSON format for easier reference to official documentation when reviewing network rules. If you have better methods, feel free to share them!

Terminology:

Each cloud provider differs significantly in how network access controls are designed. For example, in Azure you primarily deal with Network Security Groups (NSGs), in AWS you need to consider both Security Groups (SGs) and VPC NACLs, and in GCP they are called firewall rules.

The term “Firewall” can be confusing when comparing the three clouds, because the design and technology behind network access control differ. Some mechanisms are stateful and others are stateless, so a term like “Network Access Control Rules/List” might be more appropriate, since the technical implementation is not uniform. Below is AWS’s explanation of Security Groups:

“The security group acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the security group rules. For example, if the security group contains a rule that allows ICMP traffic to the instance from your network, then you could ping the instance from your computer.”

Azure’s Official Comparison:

Google Cloud to Azure services comparison — Azure Architecture Center | Microsoft Learn

Additionally, each cloud service has independent access control policies, such as S3 bucket ACLs in AWS or Azure SQL security settings, which are not included in the commands below.

Export Network Access Control Rules Commands:

AWS:

AWS Official Command Reference:

To export Security Groups and NACLs for EC2, and output them as JSON, use the following commands:

aws ec2 describe-security-groups --output json > security-groups.json
aws ec2 describe-network-acls --output json > network-acls.json

Example from my AWS environment: Open Cloud Shell and run the following command:

aws ec2 describe-security-groups --output json > security-groups.json

Once exported as JSON, you can download it to your local machine. The “your-XXXX-XXXX” in the image is where I’ve replaced some information.

Since the Cloud Shell operations across the three clouds are quite similar, I won’t include additional screenshots for the other platforms.

AWS Security Group JSON format official documentation:

Azure:

Azure Official Command Documentation:

In Cloud Shell, run the following command to list all rules for a specific NSG:

az network nsg rule list --nsg-name YOUR_NSG_NAME --resource-group YOUR_RESOURCE_GROUP_NAME --output json > YOUR_NSG_NAME-rules.json

Azure Network Security Group JSON format official documentation:

Azure doesn’t have a built-in command to export the NSGs of all resource groups at once, so you need to solve this programmatically.

You can find the script I generated and modified with ChatGPT here:

Upload the file or paste the script into Cloud Shell, and it will automatically export the NSG rules from all Resource Groups. You can then use the zip command to package the files and download them.
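Once the exports are downloaded, the first review pass can be scripted. As an added example (not from the original post or any official tooling), this Python script walks an AWS describe-security-groups export and an Azure nsg rule list export and lists inbound Allow rules whose source is any address; the field names follow the official JSON formats referenced in the AWS and Azure sections, and the embedded sample JSON is constructed with made-up IDs and names.

```python
import json, sys

# Source tokens that mean "anywhere": AWS/GCP-style CIDRs, Azure's "*" and the "Internet" service tag.
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}


def review_aws_security_groups(doc):
    """Walk `aws ec2 describe-security-groups` output; return (group, protocol, ports, source) per world-open inbound rule."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):  # inbound; outbound rules live under IpPermissionsEgress
            proto = "all" if perm.get("IpProtocol") == "-1" else perm["IpProtocol"]
            ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"  # port keys are absent for protocol -1
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], proto, ports, src) for src in sources if src in ANY_SOURCE]
    return findings


def review_azure_nsg_rules(rules):
    """Walk `az network nsg rule list` output (a list); priority is kept so the reviewer can check for a higher-priority Deny."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
        findings += [(rule["name"], rule["protocol"], ",".join(ports), src, rule["priority"])
                     for src in sources if src in ANY_SOURCE]
    return findings


# Constructed sample exports shaped like the real CLI output (IDs and names are made up).
SAMPLE_AWS = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0example", "GroupName": "web", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
 {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")
SAMPLE_AZURE = json.loads("""[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [], "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-rdp-mgmt", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "10.1.0.0/16", "sourceAddressPrefixes": [], "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "deny-all-out", "priority": 4000, "direction": "Outbound", "access": "Deny", "protocol": "*",
  "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "*", "destinationPortRanges": []}]""")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. security-groups.json or YOUR_NSG_NAME-rules.json downloaded from Cloud Shell
        with open(path) as fh:
            doc = json.load(fh)
        found = review_azure_nsg_rules(doc) if isinstance(doc, list) else review_aws_security_groups(doc)
        print(path, *found, sep="\n  ")
```

An Azure file is recognised by being a JSON list, an AWS Security Group file by its top-level object; NACL exports are stateless and numbered, so they need a separate pass that this example does not cover.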

Also, remember to review Azure application security groups, as they are often overlooked.

GCP:

GCP gcloud Official Command Documentation:

To export all firewall rules for a project, run the following command in Cloud Shell:

gcloud compute firewall-rules list --format=json > firewall-rules.json

GCP feels like the simplest platform for reviewing NACL rules.

Summary:

In on-premises environments, it’s common to regularly perform Policy Reviews and ACL Reviews for devices like firewalls and switches. The same diligence is required in cloud environments, but due to platform differences, it can be time-consuming, and some services have their own configuration files, which are easily overlooked.

This is what I’ve compiled. I'd appreciate your feedback and guidance if you have better methods or notice any mistakes.

About Kuro

I want to share my various experiences and create educational content, hoping to inspire a culture of knowledge-sharing within the community. My goal is that others will eventually write and share their insights as well. If you’re a self-study student and have any questions about exam applications or preparation, feel free to connect with me through LinkedIn or Facebook. I’ll do my best to help within my capacity! (Or if you just want to grab a coffee and chat, I’d be happy to meet and connect with people from the industry — I’ve had plenty of great conversations already!)

For more about me, my contact information, and to see all my posts (I recommend this link for a more comprehensive view):


A security practitioner with high hopes for education, currently a board member of the ISC2 Taipei Chapter, who enjoys making friends through shared professional interests. I hope to contribute a little to the security community and to keep improving together with the people around me; you are welcome to grab a coffee and talk security with me. I aim to keep taking part in security community events regularly. Personal introduction: https://portaly.cc/kurohuang