Description:
The EC2 console's launch instance wizard creates a new security group (named launch-wizard-N) for each instance that is launched without an existing group selected. Its default inbound rules allow SSH (TCP 22) from anywhere (0.0.0.0/0) and, when the option is selected at launch, HTTP (TCP 80) from the internet. This default is a convenience for first access and is not an appropriate ruleset for most applications.

Rationale:
The launch-wizard security group opens ports to the whole internet regardless of who actually needs to reach the instance. For example, an application that is used only from within the company's network has no reason to accept SSH, or HTTP, from arbitrary internet addresses; its security group should allow only the sources and ports the application requires.

Impact:
If the launch-wizard security group is left unchanged, the instances launched with it are exposed to unnecessary risk. An application that is only supposed to be used by employees on the company network can be reached by anyone on the internet if HTTP is allowed from 0.0.0.0/0, and SSH open to the world exposes the instance to credential guessing and to any vulnerability in the SSH service.

Default Value:
The security group created by the EC2 launch wizard allows inbound SSH (TCP 22) from anywhere (0.0.0.0/0) and, if selected at launch, HTTP (TCP 80) from the internet. It has no other inbound rules, and, like every new security group, it allows all outbound traffic.

Pre-requisites:

  • Access to the AWS Management Console or the AWS CLI, with an IAM identity allowed ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress, plus permission to change the security groups attached to the instance
  • Knowledge of how to create and modify security groups
  • A list of the ports the application exposes and the source ranges (CIDRs or other security groups) that need to reach them


Remediation Steps:

  1. Log in to the AWS Management Console.
  2. Go to the EC2 Instances page.
  3. Select the instance whose security group you want to modify and open the Security tab.
  4. Click the launch-wizard security group listed there to open it, then click Edit inbound rules.
  5. Delete the inbound rules that allow SSH (TCP 22) from 0.0.0.0/0 (and from ::/0, if present) and HTTP (TCP 80) from the internet.
  6. Add inbound rules that allow only the traffic the application needs, each with a specific source: a CIDR range such as the corporate network or VPN egress range, or another security group, never Anywhere.
  7. Click Save rules. Make this change from a session whose source address is inside the newly allowed range, otherwise you will lock yourself out of SSH.


Test Plan:

  1. Verify that the inbound rules of the security group allow only the traffic the application needs: no rule should have 0.0.0.0/0 or ::/0 as its source unless that port is deliberately public. From the CLI, aws ec2 describe-security-groups --group-ids <security-group-id> shows the current rules.
  2. Try to reach the application, and port 22, from an allowed network and from a disallowed one (for example with nc -vz <instance-ip> 22); the connection must succeed only from the locations you have allowed.

Implementation Plan:

AWS CLI Process:

  1. Configure AWS CLI credentials for an IAM identity with the permissions listed under Pre-requisites.
  2. Run the following command to list the security groups in the current account and region that have an inbound rule open to the world on port 22 (use Values=80 to find world-open HTTP rules, and Name=ip-permission.ipv6-cidr,Values=::/0 for IPv6):

aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0 Name=ip-permission.from-port,Values=22 --query 'SecurityGroups[].[GroupId,GroupName]' --output table

  3. Note the group ID (sg-...) of the launch-wizard security group attached to the instance that you want to modify.
  4. Run the following commands to remove the inbound rules that allow SSH and HTTP from anywhere:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 80 --cidr 0.0.0.0/0

  5. Add back only the access the application needs, from a specific source range (<allowed-cidr>, for example the corporate network or VPN egress range), for example:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <allowed-cidr>
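The audit and revoke/authorize steps of the CLI process, and the first check of the Test Plan, as one worked script. This is an added example written for this page, not part of the original control and not AWS tooling; it assumes the JSON shape returned by aws ec2 describe-security-groups --output json and, when run without arguments, uses a constructed sample response whose group IDs, group names and the 203.0.113.0/24 allowed range are placeholders.

```python
"""Audit EC2 security groups for inbound rules open to the world and emit the
AWS CLI commands that replace them with rules from a specific source CIDR.
Usage: python audit_sg.py [describe-security-groups.json] [allowed-cidr]
With no arguments a constructed sample is used, so the script runs offline."""
import json
import sys
from typing import List, NamedTuple, Optional

WORLD = ("0.0.0.0/0", "::/0")

# Constructed sample shaped like describe-security-groups output (not real groups):
# a launch-wizard group open on 22 and 80, and an "internal" group that restricts
# SSH but accidentally allows all traffic from anywhere.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "launch-wizard-1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "app-internal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": []}]}]}


class OpenRule(NamedTuple):
    group_id: str
    group_name: str
    protocol: str              # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: Optional[int]   # None for protocol "-1"
    to_port: Optional[int]
    cidr: str                  # the offending source: 0.0.0.0/0 or ::/0


def find_world_open_rules(response: dict) -> List[OpenRule]:
    """Return every inbound rule whose source is the whole IPv4 or IPv6 internet."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            # Protocol "-1" means all ports; such rules carry no FromPort/ToPort.
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr in WORLD:
                    findings.append(OpenRule(sg["GroupId"], sg["GroupName"],
                                             perm["IpProtocol"], lo, hi, cidr))
    return findings


def _permission(rule: OpenRule, cidr: str) -> dict:
    """Build the IpPermissions entry the CLI expects for one rule and one source."""
    perm = {"IpProtocol": rule.protocol}
    if rule.from_port is not None:
        perm["FromPort"], perm["ToPort"] = rule.from_port, rule.to_port
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return perm


def remediation_commands(findings: List[OpenRule], allowed_cidr: str) -> List[str]:
    """Revoke each world-open rule and re-authorize the same ports from allowed_cidr.
    All-traffic rules are revoked but not replaced: the needed ports are unknown."""
    cmds, replaced = [], set()
    for rule in findings:
        revoke = json.dumps([_permission(rule, rule.cidr)])
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {rule.group_id} "
                    f"--ip-permissions '{revoke}'")
        key = (rule.group_id, rule.protocol, rule.from_port, rule.to_port)
        if key in replaced:        # IPv4 and IPv6 variants get a single replacement
            continue
        replaced.add(key)
        if rule.protocol == "-1":
            cmds.append(f"# {rule.group_name} ({rule.group_id}): all-traffic rule "
                        "revoked; authorize only the ports the application needs")
            continue
        allow = json.dumps([_permission(rule, allowed_cidr)])
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {rule.group_id} "
                    f"--ip-permissions '{allow}'")
    return cmds


def main(argv: List[str]) -> None:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            response = json.load(fh)
    else:
        response = SAMPLE_RESPONSE
    allowed = argv[2] if len(argv) > 2 else "203.0.113.0/24"  # placeholder corporate range
    print("\n".join(remediation_commands(find_world_open_rules(response), allowed)))


if __name__ == "__main__":
    main(sys.argv)
```

The script prints shell lines rather than calling the API itself, so the output can be reviewed before it is piped into sh; the --ip-permissions JSON form is used because it expresses IPv6 sources and all-traffic rules, which the --cidr/--port shorthand does not. Re-run the audit after applying the commands: the Test Plan's first check passes when it returns no findings.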

Using AWS GUI:

  1. Log in to the AWS Management Console.
  2. Go to the EC2 Security Groups page.
  3. Click the Create security group button, enter a name and description, and select the VPC of the instance.
  4. Under Inbound rules, add only the rules the application needs, each with a specific source (a CIDR such as the corporate network range, or another security group) rather than Anywhere (0.0.0.0/0).
  5. Click Create security group.
  6. Go to the EC2 Instances page, select the instance, and choose Actions, Security, Change security groups.
  7. Add the new security group, remove the launch-wizard security group, and save.


Backout Plan:

  1. Log in to the AWS Management Console.
  2. Go to the EC2 Instances page, select the instance, and choose Actions, Security, Change security groups.
  3. Re-attach the original launch-wizard security group and save; if its rules were edited in place rather than replaced, open the group on the EC2 Security Groups page and re-add the removed inbound rules instead.
  4. Delete the replacement security group from the EC2 Security Groups page once no instance or network interface references it; deletion fails while the group is still in use.


Note:

  • Instances that must serve the public, such as a web server, still need HTTP/HTTPS from 0.0.0.0/0; on those, restrict SSH to administrative source ranges rather than removing the HTTP rule.
  • A security group can be attached to several instances, so editing the launch-wizard group in place changes access for every instance that uses it; create a separate group when instances have different needs.
  • If you are unsure whether or not an instance should be accessible from the public internet, consult your security team.

Reference:
https://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-security.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html