Find the 0.0.0.0/0 rule that was "temporary" 3 years ago
Audits AWS security groups and K8s network policies for overly permissive rules, unused rules, and conflicts. Cross-references VPC Flow Logs to find rules that nothing has hit in the lookback window, the strongest candidates for removal.
Create a skill called "Firewall Janitor". Audit security groups and network policies:

For AWS security groups:
1. List all security groups and their rules across specified VPCs
2. Flag overly permissive rules: 0.0.0.0/0 inbound, wide port ranges (0-65535), any protocol
3. If VPC Flow Logs are available, identify rules with zero hits in the last 30 days
4. Find duplicate or overlapping rules (a rule fully covered by a broader one in the same group)
5. Detect security groups not attached to any resource

For Kubernetes NetworkPolicies:
1. Identify namespaces with no NetworkPolicies (all traffic allowed by default)
2. Check for policies that don't match any pods (selector mismatch)
3. Verify that expected connectivity matches actual policy

Generate a cleanup plan with:
- Risk level for each change (removing a rule that has zero flow log hits = low risk)
- Exact AWS CLI or kubectl commands to apply changes
- Terraform resources if managing as code
Security groups accumulate cruft like barnacles. Temporary rules become
permanent, nobody removes rules for decommissioned services, and over
time you end up with a tangle nobody dares touch. This skill makes
cleanup safe.
Debug "Access Denied" without guessing which of 47 policies is wrong
Traces the full IAM policy evaluation chain when you hit an Access Denied — identity policies, resource policies, SCPs, permission boundaries — and tells you exactly which policy is blocking and how to fix it.
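The evaluation chain that trace walks, as an added example (not the skill's code): a small evaluator that applies the documented same-account order, explicit deny first, then SCPs, resource-based policy, permissions boundary and finally identity-based policies, and returns the policy that decided the request. The policies, principals and the `Name` labels are constructed for this example; it deliberately omits Condition, NotAction/NotResource and session policies, which a real tracer must handle.

```python
"""Trace which policy decides an AWS request (added example, not the skill's code).

Implements the documented same-account evaluation order: explicit deny anywhere,
then SCPs, resource-based policy, permissions boundary, identity-based policies.
Assumptions: no Condition, NotAction or NotResource elements, no session policies,
and `scp_levels` lists the SCPs attached at each OU level from the root down. The
"Name" key on each policy is a label for reporting, not part of IAM policy JSON."""
import re

def wild(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def statement_applies(stmt, principal, action, resource):
    if "Principal" in stmt:                                    # resource-based policy
        p = stmt["Principal"]
        arns = ["*"] if p == "*" else as_list(p.get("AWS", []))
        if not any(wild(a, principal) for a in arns):
            return False
    return (any(wild(a, action, True) for a in as_list(stmt["Action"]))   # action names are case-insensitive
            and any(wild(r, resource) for r in as_list(stmt.get("Resource", "*"))))

def effects(policy, principal, action, resource):
    return {s["Effect"] for s in policy["Statement"] if statement_applies(s, principal, action, resource)}

def evaluate(principal, action, resource, identity_policies, scp_levels=(), boundary=None, resource_policy=None):
    """Return (decision, reason) naming the policy that decided the request."""
    everything = [("SCP", p) for level in scp_levels for p in level]
    everything += [("permissions boundary", boundary)] if boundary else []
    everything += [("identity policy", p) for p in identity_policies]
    everything += [("resource policy", resource_policy)] if resource_policy else []
    ev = {p["Name"]: effects(p, principal, action, resource) for _, p in everything}

    for kind, p in everything:                           # 1. an explicit Deny anywhere is final
        if "Deny" in ev[p["Name"]]:
            return "Deny", f"explicit Deny in {kind} '{p['Name']}'"
    for n, level in enumerate(scp_levels):               # 2. some SCP at every OU level must Allow
        if not any("Allow" in ev[p["Name"]] for p in level):
            return "Deny", f"implicit deny: no SCP at OU level {n} allows {action}"
    if resource_policy and "Allow" in ev[resource_policy["Name"]]:   # 3. same-account resource policy
        return "Allow", f"resource policy '{resource_policy['Name']}' allows {principal}"
    if boundary and "Allow" not in ev[boundary["Name"]]:             # 4. boundary caps the identity
        return "Deny", f"implicit deny: permissions boundary '{boundary['Name']}' does not allow {action} on {resource}"
    for p in identity_policies:                          # 5. finally an identity policy must Allow
        if "Allow" in ev[p["Name"]]:
            return "Allow", f"identity policy '{p['Name']}' allows {action} on {resource}"
    return "Deny", f"implicit deny: no identity policy allows {action} on {resource}"

# Constructed policies for a single account, 111122223333.
FULL_ACCESS = {"Name": "FullAWSAccess", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_BUCKET_DELETE = {"Name": "DenyBucketDeletion", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
DEV_BOUNDARY = {"Name": "DevOnlyBoundary", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::dev-*", "arn:aws:s3:::dev-*/*"]}]}
ALICE_ADMIN = {"Name": "AliceS3Admin", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
CAROL_EC2 = {"Name": "CarolEc2", "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
BUCKET_POLICY = {"Name": "dev-scratch-bucket-policy", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/bob"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dev-scratch/*"}]}
ALICE, BOB, CAROL = (f"arn:aws:iam::111122223333:user/{u}" for u in ("alice", "bob", "carol"))
SCPS = [[FULL_ACCESS], [FULL_ACCESS, NO_BUCKET_DELETE]]      # root OU, then the account's OU

def trace(principal, action, resource, identity_policies, boundary=None, resource_policy=None):
    return evaluate(principal, action, resource, identity_policies, SCPS, boundary, resource_policy)

if __name__ == "__main__":
    print(trace(ALICE, "s3:GetObject", "arn:aws:s3:::prod-data/report.csv", [ALICE_ADMIN], DEV_BOUNDARY))
```

Alice's identity policy grants `s3:*`, yet the prod read is denied: nothing denies it explicitly, every SCP level allows it, and the decision lands on the permissions boundary, which only covers `dev-*` buckets. Bob has no identity policy at all and is still allowed by the bucket policy, because a same-account resource policy is sufficient on its own. Before running any tracer, read the AccessDenied message itself: AWS now names the policy type responsible (for example "with an explicit deny in a service control policy" or "because no identity-based policy allows"), which tells you which layer to open first.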
Write K8s network policies from "A talks to B on port 443" instead of YAML puzzles
Generates Kubernetes NetworkPolicies from plain-English connectivity requirements. Also audits existing policies, detects missing coverage, and validates that policies match intended behavior.
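Both the generator described here and the NetworkPolicy checks in the Firewall Janitor prompt above (namespaces with no policies, selectors that match nothing, expected versus actual connectivity), as one added example that is not code from either skill. `connectivity()` turns "frontend talks to api on port 443" into the two objects it actually requires, an egress policy on the source and an ingress policy on the destination, and `is_allowed()` simulates NetworkPolicy isolation semantics so the result can be checked against intent. The pods, namespaces and policy names are constructed for the example; it assumes selectors use only `matchLabels` and that every policy sets `policyTypes`.

```python
"""Generate and audit Kubernetes NetworkPolicies from a connectivity statement
(added example, not the skill's code). Pods, namespaces and policies are constructed
inline in the shape `kubectl get ... -o json` returns. Assumed: selectors use only
matchLabels (no matchExpressions or ipBlock) and every policy sets policyTypes."""
import json

def ns_selector(ns):
    # kubernetes.io/metadata.name is set automatically on every namespace (Kubernetes 1.22+)
    return {"matchLabels": {"kubernetes.io/metadata.name": ns}}

def policy(name, ns, pod_selector, types, ingress=None, egress=None):
    spec = {"podSelector": pod_selector, "policyTypes": types}
    spec.update({k: v for k, v in (("ingress", ingress), ("egress", egress)) if v is not None})
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}

def default_deny(ns):
    """Empty podSelector selects every pod; no rules means nothing is allowed."""
    return policy("default-deny", ns, {}, ["Ingress", "Egress"])

def allow_dns(ns):
    """Once any egress policy selects a pod, DNS is blocked too unless allowed explicitly."""
    return policy("allow-dns", ns, {}, ["Egress"], egress=[{
        "to": [{"namespaceSelector": ns_selector("kube-system"),
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}])

def connectivity(name, src_ns, src_labels, dst_ns, dst_labels, port, protocol="TCP"):
    """'A talks to B on port N' needs two policies: egress on A and ingress on B."""
    ports = [{"protocol": protocol, "port": port}]
    to_dst = {"namespaceSelector": ns_selector(dst_ns), "podSelector": {"matchLabels": dst_labels}}
    from_src = {"namespaceSelector": ns_selector(src_ns), "podSelector": {"matchLabels": src_labels}}
    return [policy(f"{name}-egress", src_ns, {"matchLabels": src_labels}, ["Egress"],
                   egress=[{"to": [to_dst], "ports": ports}]),
            policy(f"{name}-ingress", dst_ns, {"matchLabels": dst_labels}, ["Ingress"],
                   ingress=[{"from": [from_src], "ports": ports}])]

# --- audit / simulation --------------------------------------------------------
def selects(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, other, namespaces):
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], namespaces[other["ns"]]):
            return False
    elif other["ns"] != policy_ns:          # a bare podSelector is limited to the policy's namespace
        return False
    return selects(peer.get("podSelector", {}), other["labels"])

def port_matches(rule, port, protocol):
    return not rule.get("ports") or any(p["port"] == port and p.get("protocol", "TCP") == protocol
                                        for p in rule["ports"])

def direction_allowed(policies, namespaces, pod, other, port, protocol, direction):
    """A pod is isolated for a direction only if some policy selects it for that
    direction; then traffic needs a matching rule in any of those policies."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p["spec"] for p in policies if p["metadata"]["namespace"] == pod["ns"]
                 and direction in p["spec"]["policyTypes"] and selects(p["spec"]["podSelector"], pod["labels"])]
    if not selecting:
        return True                           # not isolated: everything is allowed
    return any((not rule.get(peers_key) or any(peer_matches(pe, pod["ns"], other, namespaces)
                                               for pe in rule[peers_key]))
               and port_matches(rule, port, protocol)
               for spec in selecting for rule in spec.get(rules_key, []))

def is_allowed(policies, namespaces, src, dst, port, protocol="TCP"):
    return (direction_allowed(policies, namespaces, src, dst, port, protocol, "Egress")
            and direction_allowed(policies, namespaces, dst, src, port, protocol, "Ingress"))

def namespaces_without_policies(namespaces, policies):
    covered = {p["metadata"]["namespace"] for p in policies}
    return sorted(ns for ns in namespaces if ns not in covered)

def unmatched_policies(policies, pods):
    """Policies whose podSelector selects no pod in their namespace (selector mismatch)."""
    return [p["metadata"]["name"] for p in policies if not any(
        pod["ns"] == p["metadata"]["namespace"] and selects(p["spec"]["podSelector"], pod["labels"])
        for pod in pods)]

# Constructed cluster state.
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("web", "api", "kube-system")}
PODS = {"frontend": {"ns": "web", "labels": {"app": "frontend"}},
        "batch": {"ns": "web", "labels": {"app": "batch"}},
        "api": {"ns": "api", "labels": {"app": "api"}},
        "coredns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}}}
POLICIES = [default_deny("web"), default_deny("api"), allow_dns("web"),
            *connectivity("frontend-to-api", "web", {"app": "frontend"}, "api", {"app": "api"}, 443),
            policy("legacy-ingress", "web", {"matchLabels": {"app": "legacy"}}, ["Ingress"], ingress=[{}])]

if __name__ == "__main__":
    print(json.dumps(connectivity("frontend-to-api", "web", {"app": "frontend"}, "api", {"app": "api"}, 443), indent=2))
```

The generated objects are plain dicts; `kubectl apply -f` accepts the JSON that `json.dumps` prints, so no YAML library is needed. On the constructed state the simulation confirms frontend reaches api on 443 and that batch, and port 8080, do not; it also shows the failure mode every first deployment of default-deny hits: without `allow-dns`, frontend can no longer resolve names even though its route to api is permitted. `kube-system` is reported as having no policies, and `legacy-ingress` is reported as matching no pod.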
A calm checklist when fraud hits
Immediate steps, reporting sequences, and long-term hardening for scams and identity theft. Organized by urgency so you know what to do first.
Verify brand offers before you click anything
Screens incoming partnership offers for phishing and scam patterns: suspicious domains, attachments, fake checks, requests to "connect your account," and vague contracts. Outputs a risk rating and safe verification steps.