App-Tier Security Group

Risk Level: Medium (should be achieved)

Ensure there is an Amazon EC2 security group created and configured for the app tier to grant inbound access from the app-tier load balancer security group on explicit ports, in order to secure the access to the instances running within the app tier. This conformity rule assumes that all the AWS resources (including security groups) created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the app-tier tags must be configured in the rule settings, on your Conformity account console.

Security

A security group works as a virtual firewall that controls the traffic for your Amazon EC2 instances. To protect the instances within your app tier from unauthorized access, a dedicated security group must be created and configured to secure access by adding inbound rules that allow traffic for specific protocols and ports, by referencing as source the security group associated with the app-tier load balancer.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.

Audit

To determine if there is an Amazon EC2 security group created and configured exclusively for the app tier, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access App-Tier Security Group conformity rule settings, and identify the tag set defined for the AWS cloud resources provisioned within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Network & Security, choose Security Groups.

05 Click inside the Filter security groups box located under the console top menu, and choose the tag set defined for your app-tier resources, identified at step no. 1, from the Tags list. This filtering technique will return only the security groups tagged for the app tier. If the app-tier tag is not included in the Tags list, there are no security groups tagged within your app tier and the Audit process ends here. If the app-tier tag is included in the Tags list and the Amazon EC2 console returns one or more security groups, continue the Audit process with the next step.

06 Select the Amazon EC2 security group that you want to examine.

07 Choose the Inbound rules tab from the console bottom panel and check the configuration values available in the Protocol,Port range, and Source columns for each configured inbound rule. For compliance, the security group must allow inbound connections on TCP ports 80 (HTTP) and/or 443 (HTTPS) from the security group associated with the app-tier load balancer. If there are no inbound rules that allow traffic from the load balancer security group on TCP ports 80 and/or 443, the selected Amazon EC2 security group doesn't qualify for the compliant app-tier security group.

08 Repeat steps no. 6 and 7 for each Amazon EC2 security group returned as result at step no. 5.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

02 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon EC2 security group available in the selected AWS region:

aws ec2 describe-security-groups
  --region us-east-1
  --output table
  --query 'SecurityGroups[*].GroupId'

03 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter and custom query filters to describe the tags defined for the selected security group:

aws ec2 describe-tags
  --region us-east-1
  --filters "Name=resource-id,Values=sg-01234abcd1234abcd"
  --query 'Tags[*].{Value:Value, Key:Key}'

05 The describe-tags command should return one of the following outputs:

If the command output returns an empty array (i.e. []), as shown in the example below, the verified security group is not tagged, therefore the Audit process for the selected resource ends here:
```
[]
```
If the describe-tags command output returns a tag set that is different from the one identified at step no. 1, as shown in the example below, the verified security group does not belong to your app tier, therefore the Audit process for the selected resource ends here:
```
[
	{
		"Value": "Owner",
		"Key": "Project5 Team"
	}
]
```
If the command output returns a tag set that matches the one identified at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified security group is tagged as a app-tier resource, therefore the Audit process continues with the next step:
```
[
	{
		"Key": "<app_tier_tag>",
		"Value": "<app_tier_tag_value>"
	}
]
```

06 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as the identifier parameter, to list all the inbound/ingress rules defined for the selected security group:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd
  --query 'SecurityGroups[*].IpPermissions[]'

07 The command output should return the requested configuration information:

[
	{
		"FromPort": 443,
		"IpProtocol": "tcp",
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"Ipv6Ranges": [],
		"PrefixListIds": [],
		"ToPort": 443,
		"UserIdGroupPairs": []
	}
]

Check the "IpProtocol", "FromPort", "ToPort", and "UserIdGroupPairs" attribute values returned by the describe-security-groups command output for each inbound/ingress rule. For compliance, the app-tier security group must allow inbound connections on TCP ports 80 (HTTP) and/or 443 (HTTPS) from the security group associated with the app-tier load balancer. If there are no inbound rules that allow traffic from the load balancer security group (i.e. "UserIdGroupPairs" attribute value) on TCP ports 80 and/or 443, the selected Amazon EC2 security group doesn't qualify for the compliant app-tier security group.

08 Repeat steps no. 6 and 7 for each EC2 security group available in the selected AWS cloud region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To create a compliant app-tier security group and configure it to allow inbound/ingress traffic from the security group associated with the app-tier load balancer, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access App-Tier Security Group conformity rule settings, and copy the tag set defined for the AWS cloud resources deployed within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Network & Security, choose Security Groups.

05 To replace the existing security group with a compliant app-tier security group and attach it to your app-tier instance(s), you must create and configure a new Amazon EC2 security group. To create the compliant security group, click on the Create security group button from the console top menu to initiate the setup process.

06 On the Create security group setup page, provide the following information:

For Security group name, provide a unique name for your new security group.
For Description, provide a short description that reflects the security group usage.
Choose the appropriate VPC network from the VPC dropdown list.
In the Inbound rules section, choose Add rule to define the inbound/ingress rule(s) required to allow access to the app-tier load balancer:
- Select HTTP or HTTPS from the Type dropdown list, depending on your app-tier load balancer listener configuration.
- Select Custom from the Source dropdown list and enter the ID of the security group associated with the app-tier load balancer:
- Provide a short description for the new inbound rule in the Description – optional box.
In the Tags – optional section, use the Add new tag button to apply the app-tier tag set copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>).
Choose Create security group to create your new, compliant app-tier security group.

07 Replace the non-compliant security group with the new app-tier security group within your Amazon EC2 instance(s) configuration. To replace the required resource, perform the following actions:

In the navigation panel, under Instances, choose Instances.
Select the Amazon EC2 instance that you want to reconfigure.
Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
On the Change security groups page, perform the following commands:
- In the Associated security groups section, choose Remove next to the non-compliant security group to remove the group from your EC2 instance configuration.
- Click inside the Select security groups box, select the app-tier security group created at step no 6, and choose Add security group.
- Choose Save to apply the configuration changes.

08 Repeat step no. 7 for each Amazon EC2 instance running in your app tier, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access App-Tier Security Group conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group that you want to replace as the identifier parameter, to describe the configuration metadata available for the selected security group:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd

03 The command output should return the requested configuration information:

{
	"SecurityGroups": [
		{
			"Description": "Project5 Application Access",
			"GroupName": "cc-app-security-group",
			"IpPermissions": [
				{
					"FromPort": 443,
					"IpProtocol": "tcp",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"ToPort": 443,
					"UserIdGroupPairs": []
				}
			],
			"OwnerId": "123456789012",
			"GroupId": "sg-01234abcd1234abcd",
			"IpPermissionsEgress": [
				{
					"IpProtocol": "-1",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": []
				}
			],
			"VpcId": "vpc-abcdabcd"
		}
	]
}

04 Run create-security-group command (OSX/Linux/UNIX) to create the compliant app-tier security group using the configuration information returned at the previous step:

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-app-tier-security-group
  --description "App-Tier Amazon EC2 Security Group"
  --vpc-id vpc-abcdabcd

05 The command output should return the ID of the new, custom security group:

{
	"GroupId": "sg-0abcd1234abcd1234"
}

06 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to create the inbound/ingress rule that allows traffic on TCP port 80/443 from the security group associated with your app-tier load balancer (the command does not produce an output):

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-0abcd1234abcd1234
  --protocol tcp
  --port 443
  --source-group sg-01234123412341234

07 Run create-tags command (OSX/Linux/UNIX) using the ID of the new app-tier security group as the identifier parameter, to create and apply the app-tier tag set copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>). Replace <app_tier_tag> and <app_tier_tag_value> with your own tag set (the command does not produce an output):

aws ec2 create-tags
  --region us-east-1
  --resources sg-0abcd1234abcd1234
  --tags Key=<app_tier_tag>,Value=<app_tier_tag_value>

08 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the app-tier EC2 instance that you want to reconfigure as the identifier parameter, to replace the non-compliant security group with the new app-tier security group within the instance configuration. Make sure that you add any other compliant security groups, associated with the EC2 instance, to the --groups command parameter (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
  --region us-east-1
  --instance-id i-12345678901234567
  --groups sg-0abcd1234abcd1234

09 Repeat step no. 8 for each Amazon EC2 instance running within the app tier, available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

AWS Documentation
Security Groups for Your VPC
Amazon EC2 Security Groups for Linux Instances
CIS Amazon Web Services Foundations

AWS Command Line Interface (CLI) Documentation
ec2
describe-security-groups
describe-tags
create-security-group
authorize-security-group-ingress
create-tags
modify-instance-attribute

Publication date Jul 25, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules