Profile Applicability
Level 1
Description:
Security groups act as virtual firewalls for instances in AWS, controlling inbound and outbound traffic at the instance level. Monitoring changes to security groups is crucial to ensure that modifications (e.g., rule additions, deletions, or updates) do not inadvertently expose instances or violate security policies.
By monitoring security group changes, organizations can quickly detect unauthorized modifications, prevent unintentional exposure, and maintain a secure network configuration.
Rationale:
Security groups play a critical role in controlling traffic between instances and external networks. Unauthorized or accidental changes to security groups can lead to:
Unintended exposure of instances to the public internet
Misconfigured rules that allow unauthorized access
Violations of network segmentation and security policies
Monitoring these changes ensures that security group modifications are properly authorized and in line with security best practices.
Impact:
Failure to monitor security group changes can result in:
Uncontrolled access to sensitive resources
Potential data breaches due to misconfigured rules
Increased attack surface from open ports or IP ranges
Active monitoring helps to identify and remediate these risks promptly.
Default Value:
By default, AWS raises no alert when a security group changes. CloudTrail Event History keeps management events, including security group API calls, for 90 days without any trail, but durable logging to S3 across all regions requires a trail, and a configuration history of the groups themselves requires an AWS Config recorder. Neither is set up by default.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions (test plan):
ec2:DescribeSecurityGroups
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:GetEventSelectors
cloudtrail:LookupEvents
config:DescribeConfigurationRecorders
config:DescribeConfigurationRecorderStatus
IAM permissions (implementation and backout): cloudtrail:CreateTrail, cloudtrail:UpdateTrail, cloudtrail:PutEventSelectors, cloudtrail:StartLogging, config:PutConfigurationRecorder, config:StartConfigurationRecorder, config:StopConfigurationRecorder, plus iam:PassRole on the AWS Config service role
AWS CloudTrail and AWS Config enabled across all AWS regions for tracking changes
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Verify that the trail logs Management events with Write (or Read and Write) API activity, since security group changes such as AuthorizeSecurityGroupIngress are write management events, and that the trail applies to all regions.
Go to the AWS Config Console and confirm that the Configuration Recorder is active and that security groups are recorded, either because all supported resource types are recorded or because AWS::EC2::SecurityGroup is listed explicitly.
Using AWS CLI:
aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>'].{Name:Name, S3BucketName:S3BucketName, MultiRegion:IsMultiRegionTrail, LogFileValidation:LogFileValidationEnabled}" --output table
To confirm the trail is actually delivering logs (IsLogging must be true):
aws cloudtrail get-trail-status --name <trail-name> --query 'IsLogging'
To confirm management events with write activity are included (ReadWriteType must be All or WriteOnly; a trail that uses advanced event selectors returns AdvancedEventSelectors instead, so check those for a Management event category that does not restrict readOnly to true):
aws cloudtrail get-event-selectors --trail-name <trail-name> --query 'EventSelectors[].{ReadWrite:ReadWriteType, Management:IncludeManagementEvents}' --output table
To verify if AWS Config is tracking changes to security groups:
aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported == `true` || contains(recordingGroup.resourceTypes || `[]`, `"AWS::EC2::SecurityGroup"`)].{Name:name, RecordingGroup:recordingGroup}' --output table
The query must be single-quoted: inside double quotes the shell treats the JMESPath backtick literals as command substitution and silently breaks the filter. An empty table means no recorder covers security groups. Then confirm the recorder is running:
aws configservice describe-configuration-recorder-status --query 'ConfigurationRecordersStatus[].{Name:name, Recording:recording, LastStatus:lastStatus}' --output table
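The CLI calls above return JSON that still has to be judged against the conditions the test plan lists. The following is an added example, not part of the original page: it evaluates responses shaped like those of describe-trails, get-trail-status, get-event-selectors, describe-configuration-recorders and describe-configuration-recorder-status and returns every reason security group changes would go unrecorded. The embedded responses are constructed samples; the trail name, recorder name, account ID and ARNs are placeholders.

```python
import json

# Constructed sample responses, shaped like the AWS CLI output of the
# commands in the test plan. Names, account ID and ARNs are placeholders.
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "org-trail", "S3BucketName": "example-cloudtrail-bucket",
   "IsMultiRegionTrail": true, "HomeRegion": "us-east-1",
   "LogFileValidationEnabled": true}
]}""")

GET_TRAIL_STATUS = {"IsLogging": True}

# Deliberately non-compliant: ReadOnly selectors never capture Authorize/Revoke calls.
GET_EVENT_SELECTORS = json.loads("""
{"TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
 "EventSelectors": [
   {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": true, "DataResources": []}
 ]}""")

# Deliberately non-compliant: recorder runs, but only records EC2 instances.
DESCRIBE_RECORDERS = json.loads("""
{"ConfigurationRecorders": [
  {"name": "default", "roleARN": "arn:aws:iam::111122223333:role/config-role",
   "recordingGroup": {"allSupported": false, "includeGlobalResourceTypes": false,
                      "resourceTypes": ["AWS::EC2::Instance"]}}
]}""")

RECORDER_STATUS = json.loads("""
{"ConfigurationRecordersStatus": [
  {"name": "default", "recording": true, "lastStatus": "SUCCESS"}
]}""")

SG_TYPE = "AWS::EC2::SecurityGroup"


def evaluate_trail(trails, status, selectors):
    """Return the reasons a trail cannot capture security group changes ([] if compliant)."""
    findings = []
    trail_list = trails.get("trailList", [])
    if not trail_list:
        return ["no trail configured"]
    trail = trail_list[0]
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region: changes in other regions are not logged")
    if not status.get("IsLogging"):
        findings.append("trail exists but logging is stopped")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: tampering with delivered logs is undetectable")
    # Security group API calls are write management events, so a selector must
    # include management events with ReadWriteType All or WriteOnly.
    basic = selectors.get("EventSelectors", [])
    advanced = selectors.get("AdvancedEventSelectors", [])
    if basic:
        ok = any(s.get("IncludeManagementEvents")
                 and s.get("ReadWriteType") in ("All", "WriteOnly") for s in basic)
        if not ok:
            findings.append("no event selector captures write management events")
    elif advanced:
        # Advanced selectors: need a Management category selector that does not
        # restrict itself to readOnly == "true" (values are strings in this API).
        ok = False
        for sel in advanced:
            fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
            category = fields.get("eventCategory", {}).get("Equals", [])
            read_only = fields.get("readOnly", {}).get("Equals", [])
            if "Management" in category and read_only != ["true"]:
                ok = True
        if not ok:
            findings.append("advanced event selectors exclude write management events")
    else:
        findings.append("trail has no event selectors")
    return findings


def evaluate_recorder(recorders, statuses):
    """Return the reasons AWS Config is not recording security groups ([] if compliant)."""
    findings = []
    rec_list = recorders.get("ConfigurationRecorders", [])
    if not rec_list:
        return ["no configuration recorder configured"]
    rec = rec_list[0]
    group = rec.get("recordingGroup", {})
    if not (group.get("allSupported") or SG_TYPE in group.get("resourceTypes", [])):
        findings.append(f"recording group does not include {SG_TYPE}")
    by_name = {s["name"]: s for s in statuses.get("ConfigurationRecordersStatus", [])}
    st = by_name.get(rec["name"], {})
    if not st.get("recording"):
        findings.append("configuration recorder is not running")
    if st.get("lastStatus") == "FAILURE":
        findings.append("last recorder delivery failed")
    return findings


if __name__ == "__main__":
    for f in evaluate_trail(DESCRIBE_TRAILS, GET_TRAIL_STATUS, GET_EVENT_SELECTORS):
        print("CloudTrail:", f)
    for f in evaluate_recorder(DESCRIBE_RECORDERS, RECORDER_STATUS):
        print("Config:", f)
```

Feed it the real CLI output with `--output json` and treat any non-empty list as a failed test. The two sample responses fail on purpose: a ReadOnly selector and a recorder limited to EC2 instances both look healthy at a glance but record no security group change.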
Implementation Plan:
Using AWS Console:
Enable CloudTrail logging for security group changes:
Go to the CloudTrail Console.
Ensure Management Events are enabled with Write (or Read and Write) API activity, since security group changes are write management events.
Create or update a trail to log events in All Regions.
Enable AWS Config to monitor security group configurations:
Go to the AWS Config Console.
Enable the Configuration Recorder and ensure that security groups are included, either by recording all supported resource types or by adding AWS::EC2::SecurityGroup to the list of specific resource types.
Using AWS CLI:
Create a multi-region trail, include write management events, and start logging (skip the create step if a suitable trail already exists):
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --enable-log-file-validation
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'
aws cloudtrail start-logging --name <trail-name>
Enable AWS Config to track security groups. If the recorder already records all supported resource types, security groups are covered and nothing needs to change. Otherwise put-configuration-recorder replaces the recording group, so list every resource type that must stay recorded, not only security groups:
aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group allSupported=false,includeGlobalResourceTypes=false,resourceTypes=AWS::EC2::SecurityGroup
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>
A delivery channel (aws configservice put-delivery-channel) must exist before the recorder can be started.
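Once the trail delivers logs, the events still have to be read. The following is an added example, not code from the original page: detection logic that runs over CloudTrail records, keeps only the EC2 API calls that change a security group, flags denied attempts, and raises the severity when an ingress rule is opened to 0.0.0.0/0 or ::/0. The records are constructed samples in CloudTrail's log format; the account ID, ARNs, group IDs and addresses are placeholders.

```python
import ipaddress
import json

# CloudTrail management event names that create, delete or change a security group.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules",
}

# Constructed sample records in CloudTrail log format. Account ID, ARNs,
# group IDs and IP addresses are placeholders, not real data.
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.0.5",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
      "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
 {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteSecurityGroup", "awsRegion": "eu-west-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"groupId": "sg-0fedcba9876543210"},
  "errorCode": "Client.UnauthorizedOperation"},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeSecurityGroups", "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.0.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {}}
]}""")


def _world_open_ranges(perm):
    """CIDRs in one ipPermissions entry that cover the whole internet (IPv4 or IPv6)."""
    ranges = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
    ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    # A prefix length of 0 matches every address, whatever the notation used.
    return [c for c in ranges
            if c and ipaddress.ip_network(c, strict=False).prefixlen == 0]


def detect_sg_changes(log):
    """Return one finding dict per CloudTrail record that changes a security group."""
    findings = []
    for rec in log.get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in SG_CHANGE_EVENTS:
            continue  # Describe* calls are reads, not changes
        params = rec.get("requestParameters") or {}
        finding = {
            "time": rec.get("eventTime"), "event": name,
            "region": rec.get("awsRegion"), "group": params.get("groupId"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "failed": "errorCode" in rec,  # a denied attempt is still worth an alert
            "severity": "medium",
        }
        if name == "AuthorizeSecurityGroupIngress":
            opened = []
            for perm in params.get("ipPermissions", {}).get("items", []):
                for cidr in _world_open_ranges(perm):
                    opened.append(f"{perm.get('ipProtocol')}:{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
            if opened:
                finding["severity"] = "high"
                finding["world_open"] = opened
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_sg_changes(SAMPLE_LOG):
        print(json.dumps(f))
```

Point it at the gzipped JSON objects the trail writes to S3 (each holds a top-level Records array) and route the "high" findings to paging, the rest to a review queue. The event name set is the same one used for security group change alarms on CloudTrail, with ModifySecurityGroupRules added because that newer API also rewrites rules in place.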
Backout Plan:
If monitoring security group changes results in excessive log volume or cost (neither CloudTrail nor AWS Config affects instance performance):
Using AWS Console:
Modify CloudTrail settings to limit event capture or exclude specific event types:
Go to the CloudTrail Console.
Adjust the Management Events settings to log only critical changes.
You can also turn off logging for specific types of events.
Modify AWS Config settings to exclude security groups from configuration recording:
In the AWS Config Console, disable security group recording or limit the scope of recorded changes.
Using AWS CLI:
Reduce CloudTrail volume by logging only write management events; security group changes are write events, so they are still captured:
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"WriteOnly","IncludeManagementEvents":true}]'
Restricting the trail to a single region also reduces volume, but it stops capturing security group changes made in every other region, so treat it as a last resort:
aws cloudtrail update-trail --name <trail-name> --no-is-multi-region-trail
Stop the AWS Config recorder. Note that this stops recording for every resource type, not only security groups; to drop only security groups, update the recording group with put-configuration-recorder instead:
aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>
Once the performance issue is resolved, you can re-enable security group monitoring.