Data-Tier Security Group

Risk Level: Medium (should be achieved)

Ensure there is a security group created and configured for the data tier that grants inbound access from the app-tier security group on explicit TCP ports such as 3306 (MySQL, MariaDB, and Amazon Aurora), 1433 (MSSQL), 1521 (Oracle SQL) and 5432 (PostgreSQL), to secure the access to your database instances. This conformity rule assumes that all AWS resources created within your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the data-tier tags must be configured in the rule settings, on your Conformity account console.

Security

To protect the database instances within your data tier from unauthorized access, a distinct security group must be created and configured to secure access by allowing traffic for specific protocols and ports by referencing as source the security group associated with your app-tier.

Note 1: The database type used as example in this conformity rule is MySQL (TCP port 3306), however, depending on your AWS application design, any other database types and ports would apply.
Note 2: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the data tier.

Audit

To determine if there is a security group created and configured exclusively for the data tier, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Data-Tier Security Group conformity rule settings, and identify the tag set defined for the AWS cloud resources available within your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Network & Security, choose Security Groups.

05 Click inside the Filter security groups box located under the console top menu, and choose the tag set defined for your data-tier resources, identified at step no. 1, from the Tags list. This filtering technique will return only the security groups tagged for the data tier. If the data-tier tag is not included in the Tags list, there are no security groups tagged within your data tier and the Audit process ends here. If the data-tier tag is included in the Tags list and the Amazon EC2 console returns one or more security groups, continue the Audit process with the next step.

06 Select the security group that you want to examine.

07 Choose the Inbound rules tab from the console bottom panel and check the values available in the Protocol,Port range, andSource columns for each configured inbound rule. For compliance, the security group must allow inbound connections on TCP port 3306 (MySQL) from the app-tier security group. If there are no inbound rules that allow traffic from the app-tier security group on TCP port 3306, the selected Amazon EC2 security group is not considered a compliant data-tier security group.

08 Repeat steps no. 6 and 7 for each security group returned as result at step no. 5.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

02 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to describe the ID of each security group available in the selected AWS region:

aws ec2 describe-security-groups
  --region us-east-1
  --output table
  --query 'SecurityGroups[*].GroupId'

03 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as the identifier parameter and custom query filters to describe the tags defined for the selected security group:

aws ec2 describe-tags
  --region us-east-1
  --filters "Name=resource-id,Values=sg-01234abcd1234abcd"
  --query 'Tags[*].{Value:Value, Key:Key}'

05 The describe-tags command should return one of the following outputs:

If the command output returns an empty array (i.e. []), as shown in the example below, the verified security group is not tagged, therefore the Audit process for the selected resource ends here:
```
[]
```
If the describe-tags command output returns a tag set that is different from the one identified at step no. 1, as shown in the example below, the verified security group does not belong to your data tier, therefore the Audit process for the selected resource ends here:
```
[
	{
		"Value": "Environment",
		"Key": "Staging"
	}
]
```
If the command output returns a tag set that matches the one identified at step no. 1 (e.g. <data_tier_tag>:<data_tier_tag_value>), as shown in the example below, the verified security group is tagged as a data-tier resource, therefore the Audit process continues with the next step:
```
[
	{
		"Key": "<data_tier_tag>",
		"Value": "<data_tier_tag_value>"
	}
]
```

06 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as the identifier parameter, to list all the inbound/ingress rules defined for the selected security group:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd
  --query 'SecurityGroups[*].IpPermissions[]'

07 The command output should return the requested configuration information:

[
	{
		"FromPort": 443,
		"IpProtocol": "tcp",
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"Ipv6Ranges": [],
		"PrefixListIds": [],
		"ToPort": 443,
		"UserIdGroupPairs": []
	}
]

Check the "IpProtocol", "FromPort","ToPort", and "UserIdGroupPairs" attribute values returned by the describe-security-groups command output for each inbound rule. For compliance, the data-tier security group must allow inbound connections on TCP port 3306 (MySQL) from the app-tier security group. If there are no inbound rules that allow traffic from the app-tier security group, i.e. "UserIdGroupPairs" attribute value, on TCP port 3306, the selected Amazon EC2 security group is not considered a compliant data-tier security group.

08 Repeat steps no. 6 and 7 for each EC2 security group available in the selected AWS cloud region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To create a compliant data-tier security group and configure it to allow inbound traffic from the app-tier security group, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Data-Tier Security Group conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Network & Security, choose Security Groups.

05 To replace the existing security group with a compliant data-tier security group and attach it to your database instance(s), you must create and configure a new security group. To create the compliant security group, click on the Create security group button from the console top menu to initiate the setup process.

06 On the Create security group setup page, provide the following information:

For Security group name, provide a unique name for your new security group.
For Description, provide a short description that reflects the security group usage.
Choose the appropriate VPC network from the VPC dropdown list.
In the Inbound rules section, choose Add rule to define the inbound/ingress rule(s) required to allow access to the data-tier instance(s):
- Select MYSQL/Aurora from the Type dropdown list to select the predefined inbound rule configuration available for MySQL-based databases.
- Select Custom from the Source dropdown list and enter the ID of the security group associated with your app-tier.
- Provide a short description for the new inbound rule in the Description – optional box.
In the Tags – optional section, use the Add new tag button to apply the data-tier tag set copied at step no. 1 (e.g. <data_tier_tag>:<data_tier_tag_value>).
Choose Create security group to create your new, compliant data-tier security group.

07 Replace the non-compliant security group with the new data-tier security group within your database instance(s) configuration. To replace the required resource, perform the following actions:

In the navigation panel, under Instances, choose Instances.
Select the MySQL database instance that you want to reconfigure.
Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
On the Change security groups page, perform the following commands:
- In the Associated security groups section, choose Remove next to the non-compliant security group to remove the group from your EC2 instance configuration.
- Click inside the Select security groups box, select the data-tier security group created at step no 6, and choose Add security group.
- Choose Save to apply the configuration changes.

08 Repeat step no. 7 for each Amazon EC2 instance running in the data tier (i.e. database instance), available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

02 Run describe-security-groups ommand (OSX/Linux/UNIX) using the ID of the security group that you want to replace as the identifier parameter, to describe the configuration metadata available for the selected security group:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd

03 The command output should return the requested configuration information:

{
	"SecurityGroups": [
		{
			"Description": "Project5 Access SG",
			"GroupName": "cc-project5-security-group",
			"IpPermissions": [
				{
					"FromPort": 443,
					"IpProtocol": "tcp",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"ToPort": 443,
					"UserIdGroupPairs": []
				}
			],
			"OwnerId": "123456789012",
			"GroupId": "sg-01234abcd1234abcd",
			"IpPermissionsEgress": [
				{
					"IpProtocol": "-1",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": []
				}
			],
			"VpcId": "vpc-abcdabcd"
		}
	]
}

04 Run create-security-group command (OSX/Linux/UNIX) to create the compliant data-tier security group using the configuration information returned at the previous step:

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-data-tier-security-group
  --description "Data-Tier Security Group"
  --vpc-id vpc-abcdabcd

05 The command output should return the ID of the new, custom security group:

{
	"GroupId": "sg-0abcdabcdabcdabcd"
}

06 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to create the inbound/ingress rule that allows traffic on TCP port 3306 (MySQL) from the app-tier security group (the command does not produce an output):

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-0abcdabcdabcdabcd
  --protocol tcp
  --port 80
  --source-group sg-0abcd1234abcd1234

07 Run create-tags command (OSX/Linux/UNIX) using the ID of the new data-tier security group as the identifier parameter, to create and apply the data-tier tag set copied at step no. 1 (e.g. <data_tier_tag>:<data_tier_tag_value>). Replace <data_tier_tag> and <data_tier_tag_value> with your own values (the command does not produce an output):

aws ec2 create-tags
  --region us-east-1
  --resources sg-0abcdabcdabcdabcd
  --tags Key=<data_tier_tag>,Value=<data_tier_tag_value>

08 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the MySQL database instance that you want to reconfigure as the identifier parameter, to replace the non-compliant security group with the new data-tier security group within the instance configuration. Make sure that you add any other compliant security groups, associated with the selected EC2 instance, to the --groups command parameter (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
  --region us-east-1
  --instance-id i-12345678901234567
  --groups sg-0abcdabcdabcdabcd

09 Repeat step no. 8 for each Amazon EC2 instance running within the data tier (i.e. database instance), available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

AWS Documentation
Security Groups for Your VPC
Amazon EC2 Security Groups for Linux Instances
CIS Amazon Web Services Foundations

AWS Command Line Interface (CLI) Documentation
ec2
describe-security-groups
describe-tags
create-security-group
authorize-security-group-ingress
create-tags
modify-instance-attribute

Publication date Sep 5, 2016

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules