Description:

A security group acts as a virtual firewall for the virtual machines and other resources running in the cloud. A security group is defined in terms of ports and IP addresses, and it controls incoming and outgoing traffic through its inbound and outbound rules respectively.


Rationale:

Deleting unused security groups ensures that they are not accidentally attached to an instance or any other resource, which would expose those cloud resources to attack.


Impact:

Fewer cases of a security group being unintentionally linked to a resource. As a bonus, it keeps the cloud environment clean and reduces management overhead to some extent.


Default Value:

When a user deletes or terminates a resource, the resource itself is removed, but the security group attached to it is not.


Audit:

In the Management Console

  1. Sign in to AWS Management Console

  2. Go to EC2 console at https://console.aws.amazon.com/ec2

  3. Click on the Security Groups in the left navigation pane

  4. Select the security group you want to examine and copy its ID

  5. Go to Network Interfaces in the left pane

  6. Search for network interfaces by pasting the security group ID into the search bar

  7. Verify whether the security group is associated with any network interface.

  8. If the security group is attached to any network interface, it cannot be deleted.

  9. If the security group is not attached to any network interface, it can be deleted.




Via CLI:

Get a list of all security groups:

aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' --output text | tr '\t' '\n'

Then get all security groups attached to an instance, piped through sort and uniq to remove duplicates:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text | tr '\t' '\n' | sort | uniq


Then put it together: compare the two lists to see which groups from the master list are not being used. Note that this only considers groups attached to EC2 instances; a group attached to another network interface or referenced by another security group (see the console steps above) will still fail to delete.

comm -23 <(aws ec2 describe-security-groups --query 'SecurityGroups[*].GroupId' --output text | tr '\t' '\n' | sort) <(aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text | tr '\t' '\n' | sort | uniq)



Remediation:

Pre-Requisite:

  • Ensure that the security group you want to delete isn’t the default security group.

  • If logged in as an IAM user, ensure that the user has permission to view and make changes to the required features of services.

  • Note down the security group's configuration (inbound and outbound rules) as a backup


Implementation steps:

In the Management Console

  1. Sign in to the AWS Management Console

  2. Navigate to the EC2 service at https://console.aws.amazon.com/ec2/

  3. In the left-hand navigation of the EC2 dashboard, scroll down to Security Groups under the Network & Security section.

  4. Select all the security groups, click Actions and choose Delete security groups

  5. The Delete security groups dialog shows which of the selected groups can and cannot be deleted.

    Note: A popup will appear stating that security groups attached to instances, other security groups, or network interfaces cannot be deleted, and it will list all the security groups that can be deleted (the unused ones)

  6. Only the security groups with no associated resources will be deleted.

  7. Enter the confirmation text and click Delete; the unused groups are then deleted.

  8. To delete specific unused security groups one at a time instead, go to the Security Groups section of the EC2 dashboard and select the groups you want to delete.

  9. Click Actions and choose Delete security groups

  10. Only the security groups you selected are deleted.


Via CLI

Using the security group name:

aws ec2 delete-security-group --group-name [NameOfSecurityGroup]


Using the security group ID:

aws ec2 delete-security-group --group-id [sg-903004f8]
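The CLI audit and CLI remediation above, combined into one script as an added example that is not part of this page: it goes one step beyond the describe-instances check by using network-interface attachments, as the console audit does, skips each VPC's default group, writes a JSON backup of every group before deleting it, and only deletes when DELETE=1 is set. It assumes an AWS CLI already configured with credentials for the target region; the function names and the backup-<id>.json layout are this script's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the page): list security groups with no network-interface
# attachment (as the console audit does), back each up, and delete them on request.
# Function names and the backup-<id>.json layout are this script's own choices.
set -eu
# Print ids present in file $1 but absent from file $2; comm(1) needs sorted, unique input.
unused_groups() {
  local a b
  a=$(mktemp); b=$(mktemp)
  sort -u "$1" > "$a"; sort -u "$2" > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}
# Every group id in the region except each VPC's default group, which cannot be deleted.
list_all_groups() {
  aws ec2 describe-security-groups \
    --query "SecurityGroups[?GroupName!='default'].GroupId" --output text | tr '\t' '\n'
}
# Group ids attached to any network interface, which also covers resources that are
# not EC2 instances and would be missed by describe-instances alone.
list_attached_groups() {
  aws ec2 describe-network-interfaces \
    --query 'NetworkInterfaces[*].Groups[*].GroupId' --output text | tr '\t' '\n'
}
# Save the full configuration (rules included) before deleting: deletion is permanent
# and the backout plan is to recreate the group from this file.
backup_group() {
  aws ec2 describe-security-groups --group-ids "$1" > "backup-$1.json"
}
# Dry run unless DELETE=1. A group still referenced by another group's rule fails
# with DependencyViolation and is reported as skipped rather than aborting the run.
main() {
  local all attached sg
  all=$(mktemp); attached=$(mktemp)
  list_all_groups > "$all"
  list_attached_groups > "$attached"
  unused_groups "$all" "$attached" | while read -r sg; do
    [ -n "$sg" ] || continue
    if [ "${DELETE:-0}" != "1" ]; then echo "unused: $sg"; continue; fi
    backup_group "$sg"
    if aws ec2 delete-security-group --group-id "$sg"; then
      echo "deleted $sg (backup in backup-$sg.json)"
    else
      echo "skipped $sg: still referenced"
    fi
  done
  rm -f "$all" "$attached"
}
```

Source the file and run `main` for a dry-run listing of unused groups, or `DELETE=1 main` to back them up and delete them one by one.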


Backout Plan:

You may not be able to revert the change on AWS, since deleted security groups are gone permanently.

Instead, you can create a new group with the same configuration that you noted down.

Note:

  • You can only delete one security group at a time using the command line or API.

  • You can delete more than one security group at once using the Management Console.

  • Security groups exist inside a VPC. Since VPCs are region-specific, so are security groups.

  • The default security group in a VPC cannot be deleted.


Reference:

delete-security-group — AWS CLI 1.20.30 Command Reference