Description: 

Ensure every Security Group is being used by at least one resource. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to any port.


Rationale: 

Keeping unused security groups in the environment increases the risk of the server's exposure. Ensure no security groups are unused.


Audit: 

Perform the following to determine if the account is configured as prescribed: 

1. Open the Amazon EC2 console.

2. In the navigation pane, choose Security Groups.

3. Copy the security group ID of the security group you're investigating.

4. In the navigation pane, choose Network Interfaces.

5. Paste the security group ID in the search bar.

Note: Be sure that you're searching in the same Region where your security group is located.

6. Review the search results.

Search results show the network interfaces associated with the security group. Check the description of the network interface to determine the resource that's associated with the security group. For example, ELB app/example-alb/1234567890abcdef indicates that an Application Load Balancer with the name example-alb is using this security group.


If you receive a No Network Interfaces found matching your filter criteria message, there are no resources associated with the security group.
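The manual audit above (copy a group ID, search Network Interfaces, read the ENI description) can be run for a whole Region at once by joining the output of DescribeSecurityGroups with DescribeNetworkInterfaces. This is an added example, not part of the benchmark text; the two SAMPLE_* lists are constructed stand-ins for the API responses, and audit_region assumes boto3 is installed and AWS credentials are configured.

```python
# Added example (not benchmark text): automate the audit above by joining
# DescribeSecurityGroups with DescribeNetworkInterfaces for one region.
# The two SAMPLE_* lists are constructed stand-ins for the API responses.

SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "GroupName": "alb-sg", "VpcId": "vpc-1"},
    {"GroupId": "sg-0bbb", "GroupName": "old-app-sg", "VpcId": "vpc-1"},
    {"GroupId": "sg-0ccc", "GroupName": "default", "VpcId": "vpc-1"},
]

SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-1",
     "Description": "ELB app/example-alb/1234567890abcdef",
     "Groups": [{"GroupId": "sg-0aaa", "GroupName": "alb-sg"}]},
    {"NetworkInterfaceId": "eni-2", "Description": "",
     "Groups": [{"GroupId": "sg-0ccc", "GroupName": "default"}]},
]


def sg_usage(security_groups, network_interfaces):
    """Map each GroupId to the ENI descriptions that reference it.

    An empty list means no network interface uses the group. The description
    names the owning resource (step 6: "ELB app/..." is an Application Load
    Balancer); ENIs with a blank description fall back to their ID.
    """
    usage = {sg["GroupId"]: [] for sg in security_groups}
    for eni in network_interfaces:
        label = eni.get("Description") or eni["NetworkInterfaceId"]
        for grp in eni.get("Groups", []):
            usage.setdefault(grp["GroupId"], []).append(label)
    return usage


def unused_security_groups(security_groups, network_interfaces):
    """Sorted GroupIds with no attached ENI: each one is an audit finding."""
    usage = sg_usage(security_groups, network_interfaces)
    return sorted(gid for gid, users in usage.items() if not users)


def audit_region(region_name):
    """Same check against live data; assumes boto3 and AWS credentials."""
    import boto3  # local import keeps the sample-data path dependency-free
    ec2 = boto3.client("ec2", region_name=region_name)
    sgs = [sg for page in ec2.get_paginator("describe_security_groups").paginate()
           for sg in page["SecurityGroups"]]
    enis = [eni for page in ec2.get_paginator("describe_network_interfaces").paginate()
            for eni in page["NetworkInterfaces"]]
    return unused_security_groups(sgs, enis)


if __name__ == "__main__":
    for gid in unused_security_groups(SAMPLE_SGS, SAMPLE_ENIS):
        print(f"FINDING: {gid} is not attached to any network interface")
```

Run it per Region, since both API calls (like the console search in the note above) are Region-scoped. A group with no attached interface may still be named as the source in another group's rules, in which case EC2 rejects its deletion with a DependencyViolation error and that rule must be cleaned up first.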


Impact: 

When updating an existing environment, take care to account for unused security groups, since they increase the risk of the server's exposure. Ensure every security group is used in the environment.

