Description:

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security group rules enable you to filter traffic based on protocols and port numbers.


Rationale:

You can create a security group and add rules that reflect the role of the instance that's associated with the security group. For example, an instance that's configured as a web server needs security group rules that allow inbound HTTP and HTTPS access. Likewise, a database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL.


Impact:

When a security group rule names a specific protocol and port, only connections over that port are accepted; no other ports are open. If no security group rule allows the traffic, there will be no inbound or outbound connections, which means we will not be able to connect to that server/instance at all.


Default Value:

A VPC automatically comes with a default security group. If you don't specify a different security group when you launch the instance, the default security group is associated with the instance. By default, the security group allows all inbound connections, with the inbound rule shown below.

Inbound

  Type        | Protocol | Port Range | Source                        | Description
  All traffic | All      | All        | Security Group ID             | For the associated instances, inbound traffic is allowed from
              |          |            | (e.g. sg-dedc3c97 / default)  | network interfaces assigned to the same security group.

Audit:

  1. Sign in to the AWS Management Console

  2. Go to EC2 console at https://console.aws.amazon.com/ec2

  3. Select Security Groups from left menu

  4. Click on the Inbound Rules Tab

  5. Check the Type, Protocol, and Port

    If it is All, that particular security group allows all traffic. Follow the Implementation Steps so that it no longer allows all protocols.


Via CLI:

The following command describes a security group:

aws ec2 describe-security-groups --group-ids <security_group_id>


Remediation:

Pre-Requisite

1. Before starting the implementation steps below, write down the current configuration: which IP (CIDR) and which port each inbound rule allows.

2. Avoid logging in as the Root user.

3. Only authorized persons (i.e., admins) should be able to access the Security Groups.

4. You cannot delete the default security groups, but you can edit and modify them; you can also create your own security groups and define your own rules in them.

5. Do not attach the default security group to any EC2 instance unless you have modified its default inbound or outbound rules.

Implementation Steps

Perform the following steps to implement the prescribed state:

  1. Sign in to the AWS Management Console

  2. Go to EC2 console at https://console.aws.amazon.com/ec2

  3. Select Security Groups from left menu

  4. Select the security group you want to modify and click on Inbound Rules Tab


  5. Select the rule and click Edit Inbound Rules, which is on the right side

  6. Select the protocols which you need to allow. As of now, I'm selecting SSH.
    Once it's done, click on Save rules.

Via CLI

  1. List all security groups with an ingress rule of 0.0.0.0/0
    aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  2. Remove the rule (port 22 is used here only as an example; you can revoke any port)
    aws ec2 revoke-security-group-ingress \
    --group-id <value> --protocol <protocol> --port 22 --cidr 0.0.0.0/0
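The Audit "Via CLI" step above checks each security group for an "All" (all-protocol) inbound rule, and the remediation "Via CLI" steps list groups open to 0.0.0.0/0 and revoke the offending rule. The script below is an added example, not part of this benchmark page or of the AWS CLI: it parses the JSON that aws ec2 describe-security-groups returns (a constructed sample with made-up group IDs is embedded so it runs offline), reports every ingress rule whose source is 0.0.0.0/0 or ::/0, singles out the all-traffic (IpProtocol "-1") case from the Audit step, and builds the matching revoke-security-group-ingress command in its --ip-permissions form so that IPv6 sources and all-protocol rules are covered as well as the --port/--cidr case shown above. All function names are my own.

```python
import json
import shlex

# Constructed sample of `aws ec2 describe-security-groups` output, trimmed to
# the fields this check reads. Group IDs are made up for the example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {   # the VPC default group: all traffic, but only from itself
            "GroupId": "sg-0000000000000001", "GroupName": "default",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]}
            ],
        },
        {   # the "All traffic from 0.0.0.0/0" case the Audit step looks for
            "GroupId": "sg-0000000000000002", "GroupName": "wide-open",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}
            ],
        },
        {   # a web server group: HTTPS to the world is expected, SSH is not
            "GroupId": "sg-0000000000000003", "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            ],
        },
    ]
})

# Sources that mean "the whole internet" for IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def find_open_ingress(describe_json):
    """Return one finding per ingress rule whose source is the whole internet.

    A finding is (group_id, protocol, from_port, to_port, cidr); protocol "-1"
    is what the console displays as "All traffic". Rules whose only source is
    another security group are not flagged.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr in ANYWHERE:
                    findings.append((sg["GroupId"], perm["IpProtocol"],
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def is_all_traffic(finding):
    """True for the Audit step's 'All' case: every protocol and port, from anywhere."""
    return finding[1] == "-1"


def all_traffic_groups(describe_json):
    """Group IDs that allow all traffic from the internet, sorted for stable output."""
    return sorted({f[0] for f in find_open_ingress(describe_json) if is_all_traffic(f)})


def revoke_command(finding):
    """Build the revoke-security-group-ingress command that removes exactly this rule.

    The --ip-permissions JSON form is used instead of --protocol/--port/--cidr so
    that all-protocol rules (no ports) and IPv6 sources are expressed correctly.
    """
    group_id, proto, from_port, to_port, cidr = finding
    perm = {"IpProtocol": proto}
    if from_port is not None:           # "-1" rules carry no port range
        perm["FromPort"] = from_port
        perm["ToPort"] = to_port
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return shlex.join(["aws", "ec2", "revoke-security-group-ingress",
                       "--group-id", group_id,
                       "--ip-permissions", json.dumps([perm], separators=(",", ":"))])


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_DESCRIBE_OUTPUT):
        tag = "ALL TRAFFIC" if is_all_traffic(f) else f"{f[1]} {f[2]}-{f[3]}"
        print(f"{f[0]}: {tag} from {f[4]}")
        print("   ", revoke_command(f))
```

To run it against a real account, save `aws ec2 describe-security-groups --output json` to a file and pass its contents to find_open_ingress. Review the printed commands against the inventory you wrote down in Pre-Requisite 1 before executing any of them: a rule such as HTTPS from 0.0.0.0/0 on a public web server is expected and must stay, while an all-traffic rule from 0.0.0.0/0 is the condition this control is meant to remove.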

Backout Plan
If you want to return to the previous settings, go through the Implementation Steps section and restore all previous rules. You can delete your new security group by following these steps:

  1. Open the Amazon VPC console https://console.aws.amazon.com/vpc/
  2. In the navigation pane, choose Security Groups.
  3. Select one or more security groups and choose Security Group Actions, Delete Security Group.
  4. In the Delete Security Group dialog box, choose Yes, Delete

Or, if there is any issue accessing your resources, assign the CIDR 0.0.0.0/0 to the inbound rule of the security group.


Via CLI

The following command deletes a security group you created; in place of security_group_id, enter the security group ID shown in your console.

aws ec2 delete-security-group --group-id <security_group_id>


Reference:

  1. Security groups for your VPC - Amazon Virtual Private Cloud 

  2. revoke-security-group-ingress — AWS CLI 1.19.97 Command Reference 

  3. describe-security-groups — AWS CLI 1.19.97 Command Reference