CPC H04L 63/104 (2013.01) [H04L 63/205 (2013.01)]    20 Claims

1. A computing device configured to automatically manage security group rules in a cloud environment by analyzing utilization of each of the security group rules based on packet logs so as to reduce attack vector possibilities, the computing device comprising:
one or more processors; and
memory storing instructions that, when executed by the one or more processors, cause the computing device to:
receive, from a log database, a first log comprising a plurality of log entries that each indicate one or more packet flows associated with a security group in the cloud environment;
determine a plurality of security group rules for the security group of the cloud environment, wherein the plurality of security group rules limit one or both of:
inbound network traffic for the security group, or
outbound network traffic for the security group;
sort the plurality of security group rules into an order based on a permissiveness of the plurality of security group rules;
identify, for each log entry of the plurality of log entries, a corresponding security group rule of the plurality of security group rules by iteratively processing, based on the order, the sorted plurality of security group rules to identify a least permissive security group rule that permitted a packet flow corresponding to the log entry;
modify each of the plurality of security group rules to add, for each security group rule of the plurality of security group rules, an identification of a corresponding log entry;
determine, based on the modified plurality of security group rules, a first security group rule of the plurality of security group rules that is not associated with any log entry of the plurality of log entries; and
delete the first security group rule.
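The claim above describes an attribute-and-prune procedure: order the rules by permissiveness, credit each logged flow to the least permissive rule that could have allowed it, then delete rules that no flow ever exercised. The Python below is an added example, not code from the patent or from any cloud provider's tooling. It assumes a permissiveness score of address space times port span (protocol "any" spans all ports and is weighted as two protocols), a simplified CSV flow-log layout, and rule ids sg-1 to sg-5; all of these are constructed for the example. It also records accepted flows that no rule explains, a case the claim does not address but that a practitioner must notice before deleting anything.

```python
"""Added example (not the patent's or any vendor's code): attribute accepted
packet flows to the least permissive security group rule that allowed them and
delete rules that no flow ever exercised. Rule ids, log format and all sample
values are constructed for this example."""
import csv
import io
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: str
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "any"
    from_port: int   # destination port range, inclusive
    to_port: int
    cidr: str        # peer network: source for ingress, destination for egress
    matched: list = field(default_factory=list)   # ids of log entries attributed here

    def permissiveness(self) -> int:
        # Assumed score: size of the (peer address, port) space the rule admits,
        # with protocol "any" spanning all ports and weighted as two protocols.
        net = ipaddress.ip_network(self.cidr)
        ports = 65536 if self.protocol == "any" else self.to_port - self.from_port + 1
        protocols = 2 if self.protocol == "any" else 1
        return net.num_addresses * ports * protocols

    def permits(self, entry: dict) -> bool:
        if entry["direction"] != self.direction:
            return False
        if self.protocol != "any":
            if entry["protocol"] != self.protocol:
                return False
            if not self.from_port <= int(entry["dst_port"]) <= self.to_port:
                return False
        peer = entry["src"] if self.direction == "ingress" else entry["dst"]
        return ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)


def build_rules() -> list:
    # Constructed rule set for one security group.
    return [
        Rule("sg-1", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
        Rule("sg-2", "ingress", "tcp", 22, 22, "10.0.0.0/8"),
        Rule("sg-3", "ingress", "tcp", 0, 65535, "10.0.0.0/8"),   # broad; overlaps sg-2
        Rule("sg-4", "ingress", "tcp", 8080, 8080, "203.0.113.0/24"),
        Rule("sg-5", "egress", "tcp", 443, 443, "0.0.0.0/0"),
    ]


# Constructed flow-log extract (simplified; not any provider's real format).
FLOW_LOG = """\
id,direction,src,dst,dst_port,protocol,action
f1,ingress,10.1.2.3,10.0.0.5,22,tcp,ACCEPT
f2,ingress,198.51.100.7,10.0.0.5,443,tcp,ACCEPT
f3,ingress,10.9.9.9,10.0.0.5,5432,tcp,ACCEPT
f4,ingress,192.0.2.44,10.0.0.5,3389,tcp,REJECT
f5,egress,10.0.0.5,93.184.216.34,443,tcp,ACCEPT
f6,ingress,192.0.2.9,10.0.0.5,53,udp,ACCEPT
"""


def parse_log(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def attribute_flows(rules: list, entries: list) -> list:
    """Sort rules least permissive first and attribute each accepted flow to the
    first rule that permits it. Returns ids of accepted flows no rule explains."""
    ordered = sorted(rules, key=Rule.permissiveness)
    unattributed = []
    for entry in entries:
        if entry["action"] != "ACCEPT":
            continue   # a rejected flow exercised no allow rule
        for rule in ordered:
            if rule.permits(entry):
                rule.matched.append(entry["id"])
                break
        else:
            unattributed.append(entry["id"])
    return unattributed


def prune_rules(rules: list, entries: list) -> dict:
    unattributed = attribute_flows(rules, entries)
    return {
        "kept": [r.rule_id for r in rules if r.matched],
        "removed": [r.rule_id for r in rules if not r.matched],
        "attribution": {r.rule_id: r.matched for r in rules},
        "unattributed": unattributed,
    }


def run_example() -> dict:
    return prune_rules(build_rules(), parse_log(FLOW_LOG))


if __name__ == "__main__":
    print(run_example())
```

On the constructed data, flow f1 (SSH from 10.1.2.3) is credited to sg-2 rather than the broader sg-3, because sg-2 sorts first; sg-3 is kept only because f3 (port 5432) is explained by nothing narrower. sg-4 attracts no accepted flow and is the one rule removed. Flow f6 is accepted but matches no rule, which in practice means the log window, the rule snapshot, or the set of security groups on the interface is out of step with the data; resolve that before trusting the deletion list. Two further caveats a practitioner would apply before automating the final step: the log window must be long enough to cover infrequent legitimate traffic (month-end jobs, failover paths), and deletions should be staged for review rather than applied unattended.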