Profile Applicability:
• Level 2
Description:
Security groups act as virtual firewalls for EC2 instances and other resources within a Virtual Private Cloud (VPC), controlling inbound and outbound traffic. Using security groups within a VPC allows administrators to enforce network-level security policies and ensure that only authorized traffic reaches the resources. By applying appropriate security group rules, users can isolate resources, restrict access to specific IP ranges, and ensure that only necessary services can communicate with each other.
Rationale:
Using security groups within a VPC ensures that resources are protected from unauthorized access and that access control policies are enforced at the instance level. Security groups are stateful, meaning that if an inbound request is allowed, the response is automatically allowed, simplifying network access management. Properly configured security groups help mitigate the risks of security breaches by allowing only authorized and necessary traffic to access the instances.
Impact:
Pros:
Provides fine-grained control over inbound and outbound traffic for EC2 instances and other VPC resources
Enhances security by enforcing the principle of least privilege for network access
Simplifies network configuration and management by allowing rules to be defined based on instances, subnets, and IP addresses
Enables segmentation of resources within a VPC for improved isolation and security
Security groups are stateful, reducing the need for explicit egress rules
Cons:
Misconfigured security groups may inadvertently expose resources to unauthorized access
Requires continuous monitoring and management to ensure that security groups are updated according to changing access requirements
Can introduce complexity when managing multiple security groups for large or dynamic environments
Default Value:
By default, no security group is associated with newly created EC2 instances or other resources in a VPC, and access is open to all inbound traffic unless explicitly defined. Security groups must be manually created and associated with instances to control network access.
Pre-requisites:
IAM permissions to create, modify, and manage security groups and VPC resources (e.g., ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress)
Understanding of the VPC's network layout, subnets, and the resources requiring access control
Defined security policies that specify which traffic should be allowed to reach each resource
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Security Groups
Review the existing security groups and confirm that they are associated with the relevant VPC resources (e.g., EC2 instances, load balancers, RDS instances)
Ensure that each security group has appropriate inbound and outbound rules based on the organization's security policy
Verify that rules restrict access to only the necessary IP ranges, ports, and protocols
Ensure that no security group has overly permissive rules, such as allowing unrestricted access on ports like 22 (SSH) or 3389 (RDP) from all IP addresses
Check for consistency across security groups to ensure that they are aligned with access control requirements
Review security group usage across VPCs and subnets to ensure proper isolation and access control
Using AWS CLI:
List all security groups in the account:
aws ec2 describe-security-groups
Describe a specific security group to review its inbound and outbound rules:
aws ec2 describe-security-groups --group-ids <security-group-id>
Ensure that no security group allows unrestricted access on critical ports (e.g., 22 or 3389):
aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[0].IpPermissions"
Verify the associated resources for each security group:
aws ec2 describe-instances --filters Name=instance.group-id,Values=<security-group-id>
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Security Groups
Click Create Security Group to create a new security group for the VPC
Set the security group name and description, and select the VPC in which it should be applied
Add Inbound Rules that specify which traffic is allowed to reach the instances (e.g., allowing HTTP traffic on port 80 from the internet or restricting SSH access to specific IP addresses)
Add Outbound Rules to control the traffic that can leave the instances (e.g., allowing all outbound traffic or restricting it to specific IP ranges)
Associate the security group with the EC2 instances or other VPC resources that require the defined access control
Review and confirm that the security group settings align with your organization’s security policies
Using AWS CLI:
Create a security group for a VPC:
aws ec2 create-security-group --group-name <security-group-name> --description "Security group for EC2 access" --vpc-id <vpc-id>
Add inbound rules to allow SSH access from a specific IP range (e.g., 192.168.1.0/24):
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 22 \
  --cidr 192.168.1.0/24
Add inbound rules to allow HTTP traffic from all IP addresses:
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 80 \
  --cidr 0.0.0.0/0
Associate the security group with an EC2 instance:
aws ec2 modify-instance-attribute --instance-id <instance-id> --groups <security-group-id>
Backout Plan:
Using AWS Console:
Navigate to EC2 > Security Groups
Select the security group to delete or modify
Click Delete to remove the security group if no longer needed or revert changes to the rules if the security group was misconfigured
Ensure that any associated instances or resources are updated with a different, properly configured security group
Using AWS CLI:
Revoke any incorrectly applied inbound or outbound rules:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
Delete the security group if no longer needed:
aws ec2 delete-security-group --group-id <security-group-id>