Profile Applicability:
Level 1
Description:
This control ensures that all AWS Security Groups are actively associated with running resources such as EC2 instances, Elastic Load Balancers, RDS instances, or Elastic Network Interfaces (ENIs). Unused Security Groups serve no operational purpose and may pose a security risk if they contain overly permissive rules and are later assigned unintentionally to new resources. Removing or auditing these groups helps maintain a clean and secure cloud environment.
Rationale:
A Security Group that is not attached to any resource still carries its rules. If such a group contains overly permissive rules, it can later be attached to a new resource, intentionally or by mistake, and expose that resource under rules that nobody has reviewed. Deleting or auditing unused groups keeps the network rules present in the account limited to those that are actually needed, which simplifies review and removes the chance of a stale, permissive group being reused.
Impact:
Positive Impact: Improves security posture by reducing unnecessary and potentially risky network configurations, simplifying management and compliance audits.
Negative Impact: None significant, but accidental deletion of a temporarily unused Security Group may require recreation if needed later.
Default Value:
Security Groups are created as needed but remain in the account until explicitly deleted, even if no resources are attached to them.
Pre-Requisite:
IAM permissions required: ec2:DescribeSecurityGroups, ec2:DescribeNetworkInterfaces, and ec2:DeleteSecurityGroup.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Security Groups.
For each Security Group, check the Inbound Rules, Outbound Rules, and Attached Resources sections.
Review the Used by column (or “Associated resources” tab):
If the group shows No associated instances, No ENIs, or No resources, it is considered unused.
Record unused Security Groups for further review or deletion.
Implementation Plan
Using AWS Console:
Navigate to EC2 → Security Groups.
Filter or sort by groups that show No associated resources.
Review the rules in each unused group to confirm it’s not required by any automation or deployment templates (e.g., CloudFormation, Terraform).
Select the unused Security Group(s).
Click Actions → Delete security group.
Confirm the deletion.
Repeat the review process periodically (e.g., monthly or quarterly).
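The console steps in the Test Plan and Implementation Plan above scale poorly across many VPCs, so the following script is added here as an example of the same check in code; it is not part of the control and not an AWS-provided tool. It assumes boto3 is installed and that the caller holds the ec2:DescribeSecurityGroups, ec2:DescribeNetworkInterfaces and ec2:DeleteSecurityGroup permissions listed under Pre-Requisite. The security group and ENI records embedded below are constructed sample data with placeholder IDs (sg-0aaa, eni-0111 and so on); the function names fetch_from_aws, find_unused_security_groups and delete_groups are this example's own. Beyond the console check, it also flags two cases the Implementation Plan's deletion step will stumble on: the VPC default group, which cannot be deleted, and groups that other groups' rules still reference, which AWS rejects with DependencyViolation until the referencing rule is removed.

```python
"""Audit helper for unused AWS security groups (added example, not part of the control).

The pure functions take lists shaped like the boto3 responses of
ec2.describe_security_groups()["SecurityGroups"] and
ec2.describe_network_interfaces()["NetworkInterfaces"], so the logic runs
offline on the constructed sample below and, via fetch_from_aws(), on a real account.
"""
from typing import Dict, Iterable, List, Set


def groups_in_use(network_interfaces: Iterable[dict]) -> Set[str]:
    """Every group ID attached to any ENI. EC2 instances, load balancers, RDS,
    Lambda and other VPC services all attach through ENIs, so one ENI listing
    covers the resources named in the control."""
    return {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}


def referenced_by_rules(security_groups: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map group ID -> IDs of groups whose inbound/outbound rules reference it.
    Such a group has no attachment, yet DeleteSecurityGroup fails with
    DependencyViolation until the referencing rule is removed."""
    refs: Dict[str, Set[str]] = {}
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                refs.setdefault(pair["GroupId"], set()).add(sg["GroupId"])
    return refs


def find_unused_security_groups(security_groups: List[dict],
                                network_interfaces: List[dict]) -> List[dict]:
    """One finding per group with no ENI attachment, in input order."""
    used = groups_in_use(network_interfaces)
    refs = referenced_by_rules(security_groups)
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        if gid in used:
            continue
        referenced_by = sorted(refs.get(gid, set()))
        is_default = sg.get("GroupName") == "default"  # the VPC default group cannot be deleted
        findings.append({
            "GroupId": gid,
            "GroupName": sg.get("GroupName"),
            "VpcId": sg.get("VpcId"),
            "referenced_by": referenced_by,
            "deletable": not is_default and not referenced_by,
        })
    return findings


def fetch_from_aws(region_name: str):
    """Pull both listings with pagination. boto3 is imported here so the
    offline functions above work without it installed (assumption: boto3
    present and credentials configured when this is called)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    sgs = [sg for page in ec2.get_paginator("describe_security_groups").paginate()
           for sg in page["SecurityGroups"]]
    enis = [eni for page in ec2.get_paginator("describe_network_interfaces").paginate()
            for eni in page["NetworkInterfaces"]]
    return ec2, sgs, enis


def delete_groups(ec2, findings: List[dict], dry_run: bool = True) -> List[str]:
    """Delete the deletable findings. With dry_run=True (the default) AWS only
    checks permissions and answers DryRunOperation instead of deleting."""
    from botocore.exceptions import ClientError
    done = []
    for f in findings:
        if not f["deletable"]:
            continue
        try:
            ec2.delete_security_group(GroupId=f["GroupId"], DryRun=dry_run)
            done.append(f["GroupId"])
        except ClientError as err:
            if err.response["Error"]["Code"] == "DryRunOperation":
                done.append(f["GroupId"])  # the real call would have succeeded
            else:
                print(f"skipped {f['GroupId']}: {err}")
    return done


# Constructed sample data with placeholder IDs (not from any real account).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "VpcId": "vpc-0001",
     "IpPermissions": [], "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "UserIdGroupPairs": [{"GroupId": "sg-0ccc", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "stale-admin", "VpcId": "vpc-0001"},
    {"GroupId": "sg-0ddd", "GroupName": "default", "VpcId": "vpc-0001"},
    {"GroupId": "sg-0eee", "GroupName": "old-test", "VpcId": "vpc-0001"},
]
SAMPLE_NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0111", "Groups": [{"GroupId": "sg-0aaa", "GroupName": "web"}]},
]

if __name__ == "__main__":
    for f in find_unused_security_groups(SAMPLE_SECURITY_GROUPS, SAMPLE_NETWORK_INTERFACES):
        print(f)
```

On the sample data the script reports sg-0ccc (unused but referenced by sg-0aaa, so not deletable yet), sg-0ddd (the default group, never deletable) and sg-0eee (deletable). Against a real account, call fetch_from_aws for each region, review the findings against your IaC templates as the plan says, and only then call delete_groups with dry_run=False.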
Backout Plan:
Using AWS Console:
If a deleted Security Group is needed again, recreate it using the same rule configurations or restore from an Infrastructure as Code (IaC) template such as CloudFormation or Terraform.
Keep a record of deleted Security Groups for auditing and recovery.
References:
AWS Security Groups Documentation
AWS Security Best Practices Whitepaper
EC2 Network Security Documentation