Profile Applicability:

  • Level 1

Description:

When launching an EC2 instance using the EC2 Launch Wizard (e.g., via the AWS Management Console), Security Groups are automatically created or selected for the instance based on the selected options. These security groups define the firewall rules that control inbound and outbound traffic to the instance. Security groups created by the EC2 Launch Wizard can either be newly created or reused from existing ones, depending on the options chosen by the user during the instance setup.

Rationale:

Security groups are a critical part of your AWS security architecture as they control network access to EC2 instances. Security groups created by the EC2 Launch Wizard may be configured with default rules, which may or may not meet the specific security requirements for your environment. It is important to understand how these security groups are configured, ensure they align with best practices, and modify them if necessary to limit exposure and reduce the attack surface.

Impact:

Pros:

  • Automatic Security Configuration: EC2 Launch Wizard simplifies security group creation, ensuring that traffic can be controlled from the moment an EC2 instance is launched.

  • Customizable: Security group settings can be modified after creation to tighten security rules based on specific use cases.

Cons:

  • Default Open Rules: Security groups created by EC2 Launch Wizard might include overly permissive rules (e.g., open access to specific ports), which could expose EC2 instances to the internet.

  • Needs Regular Audits: Security groups need to be regularly reviewed to ensure that they align with organizational security policies and compliance requirements.

Default Value:

When EC2 Launch Wizard is used to launch instances, Security Groups are either selected from existing groups or created with default rules like allowing SSH (port 22) or HTTP (port 80) access. The default security group often allows access from the internet, which may need adjustment depending on security requirements.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeSecurityGroups

    • ec2:CreateSecurityGroup

    • ec2:ModifySecurityGroupRules

    • ec2:DescribeInstances

  • AWS CLI installed and configured.

  • Basic understanding of Security Groups, Inbound/Outbound Rules, and AWS EC2 Launch Wizard configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the Instances section, select the EC2 instance created using the Launch Wizard.

  4. In the Description tab, locate the Security Groups associated with the EC2 instance.

  5. Click on the Security Group ID to open the Security Groups settings.

  6. Review the Inbound and Outbound rules of the security group:

    • Ensure that only necessary ports are open (e.g., SSH on port 22 for Linux, RDP on port 3389 for Windows).

    • Restrict access to trusted IP addresses (or private subnets) rather than allowing open access to the internet (0.0.0.0/0).

  7. Modify the security group if any overly permissive rules are found.

Using AWS CLI:

To list the security groups associated with EC2 instances, use:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'

To view the inbound and outbound rules of a specific security group, run:

aws ec2 describe-security-groups --group-id <Security-Group-ID>

Review the Inbound Rules and Outbound Rules to ensure they are correctly configured (e.g., only allowing access to essential ports like port 80, 443, 22, or 3389).

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. In the Instances section, select the EC2 instance launched using the Launch Wizard.

  4. In the Description tab, identify the Security Groups associated with the instance.

  5. Click the Security Group ID to view the security group.

  6. In the Inbound Rules section, modify or delete any overly permissive rules (such as open access to SSH or RDP from 0.0.0.0/0).

  7. Save the changes to ensure proper restrictions are in place.

Using AWS CLI:

List the security groups associated with your EC2 instance:

aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'

View the rules for the security group:

aws ec2 describe-security-groups --group-id <Security-Group-ID>

Update the security group rules if needed:

aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 80 --cidr <trusted-ip-range>

aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 22 --cidr 0.0.0.0/0
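An added audit helper for both the Test Plan and Implementation Steps CLI sections (example code written for this page, not part of the benchmark or of the AWS CLI): it parses the JSON that `aws ec2 describe-security-groups` returns, flags ingress rules that expose SSH, RDP or all traffic to 0.0.0.0/0 or ::/0, and builds the matching `revoke-security-group-ingress` command for each. The embedded response, group IDs and CIDRs are constructed for the example.

```python
import json

# Constructed sample of `aws ec2 describe-security-groups` output (trimmed);
# the group IDs and CIDRs are invented for this example.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "launch-wizard-2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]})

INTERNET = {"0.0.0.0/0", "::/0"}     # "anywhere" in IPv4 and IPv6 form
ADMIN_PORTS = {22, 3389}             # SSH and RDP, the ports the benchmark calls out

def revoke_command(group_id, perm, cidr):
    """Build the `aws ec2 revoke-security-group-ingress` call that removes exactly
    one CIDR from one rule, leaving any other CIDRs on that rule untouched."""
    rule = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":           # "-1" means all protocols and ports
        rule.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
    if ":" in cidr:
        rule["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (group_id, json.dumps([rule], separators=(",", ":"))))

def find_open_admin_rules(describe_output):
    """Flag ingress rules that expose SSH, RDP or all traffic to the whole
    internet. Returns one finding per (group, rule, open CIDR)."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto != "-1" and not any(lo <= p <= hi for p in ADMIN_PORTS):
                continue                     # not an admin port: leave for manual review
            ports = "all" if proto == "-1" else (str(lo) if lo == hi else "%d-%d" % (lo, hi))
            for cidr in (c for c in cidrs if c in INTERNET):
                findings.append({"group": sg["GroupId"], "protocol": proto,
                                 "ports": ports, "cidr": cidr,
                                 "revoke": revoke_command(sg["GroupId"], perm, cidr)})
    return findings
```

On a real account, pass the output of `aws ec2 describe-security-groups` to `find_open_admin_rules`; the returned revoke commands are for review before anyone runs them.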

Backout Plan:

If modifying the security group leads to connectivity issues (e.g., loss of access to EC2 instances), revert the changes by restoring the original security group settings:

  1. Identify the affected security group.

  2. Use the AWS Console or CLI to add back any rules that were removed or altered.

For example, to restore SSH access, run:

aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 22 --cidr 0.0.0.0/0

Verify that access to the EC2 instance is restored and the configuration is in line with security policies.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
--------|------------|---------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |