Prisma Cloud: Network traffic direction considerations for policy AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0)
Created On 06/20/24 20:57 PM - Last Modified 03/21/25 17:21 PM
Question
Should this alert consider EGRESS, as well as INGRESS?
- (The RQL suggests it only considers INGRESS, but alerts show otherwise)
Environment
- Prisma Cloud
- Network Policy
- Cloud Network Analyzer (CNA)
- Resource Query Language (RQL)
Answer
Prisma Cloud's Cloud Network Analyzer engine calculates the external exposure of your cloud assets using the routing path that exists from source to destination and the net effectiveness of all network security policies along that path. In essence, the query considers the path taken from the Internet (0.0.0.0/0) to an EC2 instance, including ALL network devices/components in that path, such as the gateway, VPC, etc.
- To verify, run the policy RQL (below), select the Network Path icon under Actions (far right) for any resource displayed, and evaluate the path to the resource to understand the cause of an alert.
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active'
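As an added illustration (not Prisma Cloud's own engine or code), the following simplified Python model shows what "net effectiveness of all network security policies along the path" means for the Internet-to-EC2 direction: it chains an IGW route, an ordered network ACL and a security group, and classifies the reachable source range as 'full_match' (all of 0.0.0.0/0 reaches the instance) or 'partial_match' (only a subset does). The three hops, the Rule model and the 'partial_match' value are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network

@dataclass
class Rule:                      # constructed model of one SG/NACL entry
    cidr: str
    port: int | None = None      # None = all ports
    action: str = "allow"        # NACLs also carry explicit "deny" entries
    number: int = 0              # NACL rule number (evaluation order)

    def matches_port(self, port: int) -> bool:
        return self.port is None or self.port == port

def nacl_allowed(rules, port):
    """First-match NACL evaluation: source ranges that hit an allow entry
    before any deny. Ranges no rule decides fall to the implicit deny."""
    undecided, allowed = [ip_network("0.0.0.0/0")], []
    for r in sorted(rules, key=lambda r: r.number):
        if not r.matches_port(port):
            continue
        net, remaining = ip_network(r.cidr), []
        for u in undecided:
            if net.supernet_of(u):           # rule decides all of u
                if r.action == "allow":
                    allowed.append(u)
            elif u.supernet_of(net):         # rule decides a slice of u
                remaining.extend(u.address_exclude(net))
                if r.action == "allow":
                    allowed.append(net)
            else:                            # disjoint ranges
                remaining.append(u)
        undecided = remaining
    return allowed

def sg_allowed(rules, port):
    """Security groups are allow-only: the union of matching CIDRs."""
    return [ip_network(r.cidr) for r in rules if r.matches_port(port)]

def intersect(a, b):
    out = [x if y.supernet_of(x) else y for x in a for y in b
           if x.supernet_of(y) or y.supernet_of(x)]
    return list(collapse_addresses(out))

def exposure(route_to_igw, nacl_rules, sg_rules, port):
    """Net effect of Internet -> IGW -> NACL -> SG -> instance for one port.
    Returns 'full_match', 'partial_match' or None (not reachable)."""
    if not route_to_igw:
        return None
    reach = intersect(nacl_allowed(nacl_rules, port), sg_allowed(sg_rules, port))
    if not reach:
        return None
    total = sum(n.num_addresses for n in reach)
    return "full_match" if total == 2 ** 32 else "partial_match"
```

A single deny entry ahead of the allow-all in the NACL, or a security group scoped to one CIDR, is enough to drop the result from 'full_match' to 'partial_match', which is why the path view (not the security group alone) explains an alert.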