Profile Applicability:
• Level 2
Description:
Security groups act as virtual firewalls for your EC2 instances to control inbound and outbound traffic. Proper configuration of security groups is essential to ensure that only authorized access is permitted to instances and services while blocking unwanted traffic.
Rationale:
Configuring security groups ensures that only trusted sources can reach your AWS resources while unauthorized access is blocked. This helps prevent network-based threats such as unauthorized SSH access and malicious inbound traffic. Security groups allow fine-grained control over both inbound and outbound traffic.
Impact:
Pros:
Provides network-level access control for EC2 instances and services
Blocks unauthorized traffic and prevents attacks
Allows for easy auditing and logging of access policies
Simple to manage and update security settings
Cons:
Overly restrictive security groups may prevent legitimate access to resources
Misconfigurations may inadvertently expose sensitive services to the public internet
Requires careful monitoring to ensure that security policies evolve with new services and threats
Default Value:
By default, AWS security groups are created with no inbound traffic allowed and all outbound traffic permitted. Custom rules must be manually configured.
Pre-requisites:
IAM permissions to modify security groups
Defined access control strategy for AWS resources
Understanding of required ports, IP ranges, and protocols for the services
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Security Groups
Verify that security groups are properly configured with minimal inbound rules
Ensure that only required ports (e.g., 22 for SSH, 443 for HTTPS) are open
Confirm that security groups restrict access to specific trusted IP addresses or IP ranges
Ensure that outbound rules are appropriately restrictive
Confirm that there are no overly permissive security groups, such as those allowing access from 0.0.0.0/0 to critical ports
Using AWS CLI:
List all security groups:
aws ec2 describe-security-groups
Describe a specific security group’s inbound and outbound rules:
aws ec2 describe-security-groups --group-ids <security-group-id>
Review security group rules and ensure least privilege is enforced:
aws ec2 describe-security-group-rules --filters Name=group-id,Values=<security-group-id>
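A check for the last Test Plan step (critical ports reachable from 0.0.0.0/0 or ::/0), as an added example that is not part of the benchmark text: it parses the JSON printed by `aws ec2 describe-security-groups --output json` and is run here over a constructed sample. The group IDs and the list of critical ports are assumptions to adapt to your own policy.

```python
import json
import sys

# Ports the Test Plan treats as critical when open to the whole internet.
# Constructed list for this example; adjust to your own policy.
CRITICAL_PORTS = {22, 3389, 3306, 5432, 1433}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_sources(perm):
    """CIDR sources (IPv4 and IPv6) of one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def rule_covers_port(perm, port):
    """True if the entry's protocol/port range includes `port`."""
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports (no FromPort/ToPort)
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_open_to_world(groups):
    """(GroupId, port, cidr) for each inbound rule exposing a critical port to any source."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            world = [c for c in rule_sources(perm) if c in ANYWHERE]
            for port in sorted(CRITICAL_PORTS):
                if world and rule_covers_port(perm, port):
                    findings.extend((sg["GroupId"], port, c) for c in world)
    return findings

def audit(describe_output):
    """Run the check over the JSON text printed by `aws ec2 describe-security-groups`."""
    return find_open_to_world(json.loads(describe_output)["SecurityGroups"])

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [  # 22 open to the world; 443 open but not critical
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [  # SSH from the VPC only, but all traffic from ::/0
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]})

if __name__ == "__main__":
    # Pass a saved describe-security-groups JSON file as the first argument, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for group_id, port, cidr in audit(text):
        print(f"FAIL {group_id}: port {port} open to {cidr}")
```

Save the CLI output with `aws ec2 describe-security-groups --output json > sgs.json` and run the script against that file; an empty result means no critical port is exposed to any source.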
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Security Groups
Click Create Security Group
Name the security group and add a description
Define Inbound Rules:
Only allow necessary ports (e.g., port 22 for SSH, port 80 for HTTP, port 443 for HTTPS)
Restrict the source IP range to trusted IPs or VPC CIDR block
Define Outbound Rules:
If outbound rules are to be restrictive, allow outbound traffic only to the required IP ranges and ports
Save and associate the security group with your EC2 instances or other AWS resources
Using AWS CLI:
Create a new security group:
aws ec2 create-security-group --group-name <group-name> --description "Security group for <service>" --vpc-id <vpc-id>
Add an inbound rule to allow SSH (port 22) from a specific trusted address (use a wider prefix than /32 for a trusted range):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <trusted-ip-address>/32
Add outbound rule to allow HTTPS (port 443):
aws ec2 authorize-security-group-egress --group-id <security-group-id> --protocol tcp --port 443 --cidr 0.0.0.0/0
Associate the security group with an EC2 instance:
aws ec2 modify-instance-attribute --instance-id <instance-id> --groups <security-group-id>
Backout Plan:
Using AWS Console:
Navigate to EC2 > Security Groups
Select the security group to delete or modify
Remove the rules that were added or delete the security group if no longer needed
Revert to a previous, known-good security group configuration
Using AWS CLI:
Revert changes to security group rules by removing inbound and outbound permissions:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr <source-ip-range>
Delete the security group if no longer needed:
aws ec2 delete-security-group --group-id <security-group-id>