Description:

A security group acts as a virtual firewall for the virtual machines and other resources running in the cloud. Its rules are defined in terms of ports and IP addresses: inbound rules control incoming traffic and outbound rules control outgoing traffic.

 

Rationale:

Deleting unused security groups ensures that they cannot be accidentally attached to an instance or any other resource, which would expose those cloud resources to attack.


Impact:

Fewer cases of a security group being unintentionally linked to a resource. As a bonus, it keeps the cloud environment clean and reduces management overhead to a certain extent.


Default Value:

When a user deletes or terminates a resource, the resource itself is deleted but the security group attached to it is not.


Pre-Requisite:

  • Ensure that the security group you want to delete isn’t the default security group.

  • If logged in as an IAM user, ensure that the user has permission to view and make changes to the required features of services.

  • Note down the security group's configuration (inbound and outbound rules) as a backup.


Remediation:


Test Plan:

  1. Sign in to the AWS Management Console

  2. Go to the EC2 console at https://console.aws.amazon.com/ec2

  3. Click Security Groups in the left navigation pane

  4. Select the security group you want to examine and copy its ID

  5. Go to Network Interfaces in the left pane

  6. Search for network interfaces by pasting the security group ID into the search bar.

  7. Verify whether the security group is associated with any network interface.

  8. If the security group is attached to any network interface, it cannot be deleted.

  9. If the security group is not attached to any network interface, it can be deleted.



Using AWS CLI:

  1. Run the following command in the AWS CLI to find the network interfaces associated with a security group, based on the security group ID:

    aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> --region <region> --output json

    The output of this command lists the network interfaces associated with the security group.

  2. Review the output.

    If the output is empty, similar to this example, then no resources are associated with the security group:

    {
        "NetworkInterfaces": []
    }

    If the output contains results, use this command to find more information about the resources associated with the security group:

    aws ec2 describe-network-interfaces --filters Name=group-id,Values=<group-id> --region <region> --output json --query 'NetworkInterfaces[*].[NetworkInterfaceId,Description,PrivateIpAddress,VpcId]'

Implementation:

  1. Sign in to the AWS Management Console

  2. Navigate to EC2 service at https://console.aws.amazon.com/ec2/

  3. In the left navigation pane of the EC2 dashboard, scroll down to Security Groups under the Network & Security section.

  4. Choose the security groups which are not being used, click on Actions and select Delete security groups.

  5. Enter the confirmation text and click on Delete, so that unused groups will get deleted.

Using AWS CLI:

  1. Using the security group name:

    aws ec2 delete-security-group --group-name <group-name>

  2. Using the security group ID:

    aws ec2 delete-security-group --group-id <group-id>

Backout Plan:

Changes cannot be reverted on AWS, since a deleted security group is removed permanently.

Instead, create a new security group with the same configuration that you noted down.
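The whole procedure above (find security groups with no network interface, skip the default group, back up the rules, delete), as an added example written in Python against the boto3 EC2 API rather than the AWS CLI; it is not part of the original control. The function names, the FakeEc2 stand-in and the --live/--delete flags are this example's own, and every ID in the fake data is constructed so the script runs offline. Two caveats worth knowing before running it for real: delete-security-group accepts a group name only for groups in the default VPC, so the example deletes by ID; and a group with no network interface can still be referenced as the source in another group's rule, in which case the delete call fails with a DependencyViolation error and that rule has to be removed first.

```python
"""Audit unused EC2 security groups, back up their rules, optionally delete them.
Added example (not the control's own text). `client` is any object exposing the
three boto3 EC2 methods used here; FakeEc2 is a constructed offline stand-in."""
import json
import sys
from pathlib import Path


def list_security_groups(client):
    """All security groups in the region, following NextToken pagination."""
    groups, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = client.describe_security_groups(**kwargs)
        groups.extend(resp.get("SecurityGroups", []))
        token = resp.get("NextToken")
        if not token:
            return groups


def attached_interfaces(client, group_id):
    """IDs of network interfaces referencing group_id (Test Plan steps 6-7)."""
    resp = client.describe_network_interfaces(
        Filters=[{"Name": "group-id", "Values": [group_id]}]
    )
    return [eni["NetworkInterfaceId"] for eni in resp.get("NetworkInterfaces", [])]


def find_unused_groups(client):
    """Groups that are neither a VPC's default group nor attached to any ENI."""
    return [
        sg
        for sg in list_security_groups(client)
        if sg["GroupName"] != "default"  # pre-requisite: never the default group
        and not attached_interfaces(client, sg["GroupId"])
    ]


def backup_rules(sg):
    """JSON snapshot of the group's rules so it can be recreated (Backout Plan)."""
    keep = ("GroupId", "GroupName", "VpcId", "Description",
            "IpPermissions", "IpPermissionsEgress")
    return json.dumps({k: sg.get(k) for k in keep}, indent=2, sort_keys=True)


def delete_unused_groups(client, backup_dir=None, dry_run=True):
    """Back up, then (unless dry_run) delete each unused group; return their IDs."""
    acted = []
    for sg in find_unused_groups(client):
        if backup_dir:
            Path(backup_dir).mkdir(parents=True, exist_ok=True)
            Path(backup_dir, sg["GroupId"] + ".json").write_text(backup_rules(sg))
        if not dry_run:
            # GroupId works in every VPC; GroupName only in the default VPC.
            client.delete_security_group(GroupId=sg["GroupId"])
        acted.append(sg["GroupId"])
    return acted


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client; every ID below is made up."""

    def __init__(self):
        self.groups = [
            {"GroupId": "sg-0000000000000001", "GroupName": "default",
             "VpcId": "vpc-00000000000000001", "IpPermissions": [], "IpPermissionsEgress": []},
            {"GroupId": "sg-0000000000000002", "GroupName": "web-tier",
             "VpcId": "vpc-00000000000000001", "IpPermissions": [], "IpPermissionsEgress": []},
            {"GroupId": "sg-0000000000000003", "GroupName": "legacy-unused",
             "VpcId": "vpc-00000000000000001", "IpPermissionsEgress": [],
             "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
        ]
        # Only web-tier is referenced by a network interface.
        self.enis = [{"NetworkInterfaceId": "eni-0000000000000001",
                      "Groups": [{"GroupId": "sg-0000000000000002"}]}]
        self.deleted = []

    def describe_security_groups(self, **kwargs):
        return {"SecurityGroups": list(self.groups)}

    def describe_network_interfaces(self, Filters):
        wanted = set(Filters[0]["Values"])
        return {"NetworkInterfaces": [e for e in self.enis
                                      if any(g["GroupId"] in wanted for g in e["Groups"])]}

    def delete_security_group(self, GroupId):
        self.deleted.append(GroupId)


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # real account: needs credentials and ec2:Describe*/DeleteSecurityGroup
        ec2 = boto3.client("ec2")
    else:
        ec2 = FakeEc2()
    ids = delete_unused_groups(ec2, "sg-backups", dry_run="--delete" not in sys.argv)
    print("unused security groups:", ids)
```

Run without flags to audit the fake data; with --live it uses the caller's AWS credentials and still only reports and backs up, and it deletes only when --delete is also given, so the backup JSON under sg-backups/ always exists before a group is gone.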

Note:

  • You can delete only one security group at a time using the command line or API.

  • You can delete more than one security group at a time using the Management Console.

  • Security groups exist inside a VPC. Since VPCs are region-specific, so are security groups.

  • The default security group in a VPC cannot be deleted.

Reference:

delete-security-group — AWS CLI 1.22.77 Command Reference 

How can I find the resources associated with an Amazon EC2 security group?