Description:
A security group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. For each security group, you can add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
Rationale:
By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic. A security group can be used only in the VPC for which it is created.
Impact:
VPC security groups add a layer of security to your VPC. Inbound rules control the traffic allowed to reach instances, and a separate set of outbound rules controls the traffic allowed to leave them.
Default:
If an instance is created and no security group is specified, the default security group is automatically assigned to the instance; the default security group has only one outbound rule.
Pre-requisite:
A VPC security group
Remediation:
Test Plan:
Sign in to AWS Management Console.
Navigate to the VPC dashboard using https://console.aws.amazon.com/vpc/
Click on the Security Groups in the left navigation menu.
Select the EC2 security group that you want to examine.
Click on the Security Group ID; the group's detail page shows the total Inbound rules count and Outbound rules count.
Change the AWS region from the navigation bar and repeat the audit process for other regions.
Using AWS CLI:
Run the describe-security-groups command using appropriate filtering to list the IDs of all EC2 security groups currently available in the selected region:
aws ec2 describe-security-groups --region us-east-1 --output table --query 'SecurityGroups[*].GroupId'
Run the describe-security-groups command using custom filtering to list all the rules defined for the selected security group:
To list all the available inbound rules, run the following command (change the ID with your security group ID):
aws ec2 describe-security-groups --region us-east-1 --group-ids sg-5365d728 --query 'SecurityGroups[*].IpPermissions[]'
To list all the available outbound rules, run the following command (change the ID with your own security group ID):
aws ec2 describe-security-groups --region us-east-1 --group-ids sg-5365d728 --query 'SecurityGroups[*].IpPermissionsEgress[]'
Implementation:
Sign in to the AWS Management Console.
Navigate to the VPC dashboard using https://console.aws.amazon.com/vpc/
Click on the Security Groups in the left navigation menu.
Choose the Security group.
Click on the Security Group ID and select the Inbound rules tab to view all inbound (ingress) rules.
In the Edit inbound rules dialog box, identify any unnecessary, obsolete, or overlapping rules and remove each unwanted rule by clicking the x button next to the rule entry.
Select the Outbound rules tab to view all outbound (egress) rules.
In the Edit outbound rules dialog box, identify any unnecessary, obsolete, or overlapping rules and remove each unwanted rule by clicking the x button next to the rule entry.
Repeat the above steps to update other EC2 security groups that exceed the threshold set for the number of inbound/outbound rules.
Change the AWS region from the navigation bar and repeat the process for other regions.
Using AWS CLI:
Run revoke-security-group-ingress command using the security group ID as an identifier to remove any unnecessary inbound rules defined within the selected EC2 security group (the command does not return an output):
aws ec2 revoke-security-group-ingress --region us-east-1 --group-id sg-5365d728 --protocol tcp --port 389 --cidr 54.164.53.101/32
Run revoke-security-group-egress command to remove any unnecessary outbound rules defined within the selected EC2 security group (the command does not produce an output):
aws ec2 revoke-security-group-egress --region us-east-1 --group-id sg-5365d728 --protocol tcp --port 23 --cidr 0.0.0.0/0
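As an added example (not part of this control's text and not an AWS tool), the following Python script ties the Test Plan and Implementation steps above together: it reads the JSON that describe-security-groups returns, counts rules per group the way the group's dashboard does (one rule per protocol, port range and source), flags groups that exceed a rule-count threshold, finds rules already fully covered by another rule in the same direction (the "overlapping" rules the Implementation step asks you to remove), and composes the matching revoke-security-group-ingress/egress commands for review rather than running them. The group IDs, addresses and threshold values are constructed for the example.

```python
"""Audit security group rule counts and overlapping rules from the JSON that
`aws ec2 describe-security-groups --output json` returns, and compose the
matching revoke-security-group-ingress/egress commands for review.

Added example, not part of the original control text.  Group IDs and
addresses below are constructed sample data, not real resources.
"""
import ipaddress
import json
import shlex

# Constructed sample output, trimmed to the fields this script reads.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0example0001", "GroupName": "web-tier",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
             {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
              "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
             # one API entry with two sources: the dashboard counts two rules
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "198.51.100.0/24"},
                           {"CidrIp": "198.51.100.7/32"}]}],
         "IpPermissionsEgress": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
             {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0example0002", "GroupName": "default",
         "IpPermissions": [],
         "IpPermissionsEgress": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
})


def flatten_rules(permissions):
    """One record per (protocol, port range, source) from IpPermissions entries.
    Protocol "-1" (all traffic) has no port fields and is treated as every port."""
    rules = []
    for perm in permissions:
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", 65535)
        sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                   + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
                   + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])])
        for src in sources:
            rules.append({"protocol": perm["IpProtocol"], "from_port": lo,
                          "to_port": hi, "source": src})
    return rules


def _covers(a, b):
    """True when rule a already permits everything rule b permits.
    Only CIDR sources are compared; group and prefix-list references are skipped."""
    if a is b or (a["protocol"] != "-1" and a["protocol"] != b["protocol"]):
        return False
    if not (a["from_port"] <= b["from_port"] and b["to_port"] <= a["to_port"]):
        return False
    try:
        net_a = ipaddress.ip_network(a["source"], strict=False)
        net_b = ipaddress.ip_network(b["source"], strict=False)
    except ValueError:
        return False
    return net_a.version == net_b.version and net_b.subnet_of(net_a)


def redundant_rules(rules):
    """Rules fully covered by another rule in the same direction."""
    return [b for b in rules if any(_covers(a, b) for a in rules)]


def revoke_command(group_id, rule, direction="ingress", region="us-east-1"):
    """Compose `aws ec2 revoke-security-group-<direction>` for one rule.
    The shorthand --protocol/--port/--cidr form only takes an IPv4 CIDR; IPv6,
    group and prefix-list sources need --ip-permissions JSON, so they are rejected."""
    try:
        ipv4 = ipaddress.ip_network(rule["source"], strict=False).version == 4
    except ValueError:
        ipv4 = False
    if not ipv4:
        raise ValueError(f"{rule['source']}: not an IPv4 CIDR; use --ip-permissions")
    argv = ["aws", "ec2", f"revoke-security-group-{direction}",
            "--region", region, "--group-id", group_id]
    if rule["protocol"] == "-1":
        argv += ["--protocol", "all"]
    else:
        lo, hi = rule["from_port"], rule["to_port"]
        argv += ["--protocol", rule["protocol"], "--port", str(lo) if lo == hi else f"{lo}-{hi}"]
    return shlex.join(argv + ["--cidr", rule["source"]])


def audit(describe_output, max_inbound, max_outbound, region="us-east-1"):
    """Per group: rule counts, threshold flag, and revoke commands for overlapping
    rules.  Commands are returned for review, never executed here."""
    report = {}
    for sg in json.loads(describe_output)["SecurityGroups"]:
        inbound = flatten_rules(sg["IpPermissions"])
        outbound = flatten_rules(sg["IpPermissionsEgress"])
        revokes = []
        for direction, rules in (("ingress", inbound), ("egress", outbound)):
            for r in redundant_rules(rules):
                try:
                    revokes.append(revoke_command(sg["GroupId"], r, direction, region))
                except ValueError as exc:
                    revokes.append(f"# manual: {exc}")
        report[sg["GroupId"]] = {
            "inbound": len(inbound), "outbound": len(outbound),
            "over_threshold": len(inbound) > max_inbound or len(outbound) > max_outbound,
            "revoke": revokes}
    return report


if __name__ == "__main__":
    # Pipe real output in: aws ec2 describe-security-groups --output json | python3 sg_audit.py
    import sys
    data = SAMPLE_DESCRIBE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for gid, row in audit(data, max_inbound=3, max_outbound=5).items():
        print(gid, row["inbound"], row["outbound"], "OVER" if row["over_threshold"] else "ok")
        for cmd in row["revoke"]:
            print("   ", cmd)
```

On the constructed sample the script reports sg-0example0001 with 4 inbound and 2 outbound rules, flags it against a threshold of 3 inbound rules, and proposes revoking the 198.51.100.7/32 SSH rule (already covered by the /24 rule) and the TCP/23 egress rule (already covered by the all-traffic egress rule); the default group has no overlaps. Review the proposed commands before running any of them, since a covering rule you intend to tighten later may make the narrower rule worth keeping.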
Back out Plan:
Sign in to the AWS Management Console.
Navigate to the VPC dashboard using https://console.aws.amazon.com/vpc/
Select the Security Groups in the left drop-down list under the Security section.
Choose the Security group.
To remove the ingress rules, click the Edit inbound rules button, delete the rules, and click the Save changes button.
To remove the egress rules, click the Edit outbound rules button, delete the rules, and click the Save changes button.
References:
Control traffic to resources using security groups - Amazon Virtual Private Cloud