
EC2 Instance Security Group Rules Counts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Status: Deprecated
Please note that this rule has been deprecated from the Conformity system and should not be enabled. For more information on rule deprecation, see here. Since this rule was introduced, AWS has raised the default quotas for the number of security group rules allowed, so limiting security group rules to a fixed quota is no longer a recommended best practice. For the latest security group quotas, refer to the Amazon VPC quotas guide.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-015

Determine whether a large number of security group rules is assigned to an EC2 instance and reduce that number by removing any unnecessary or overlapping rules. To improve instance network performance, Cloud Conformity recommends a default value of 50 for the maximum number of inbound and outbound rules applied to an EC2 instance; this value is configurable, so you can adjust it to your requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

Applying a large number of security group rules to an EC2 instance can impact its network performance and increase the latency when accessing the instance.


Audit

To determine whether any EC2 instances available in your AWS account have more than 50 inbound and outbound rules combined, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 In the right column, check the Security Groups attribute value(s) to identify the name of the security group(s) associated with the selected instance. Copy the name of the associated security group(s).

07 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

08 Click inside the attributes filter box located under the dashboard top menu, select Group Name, paste the name of the EC2 security group copied at step no. 6 and press Enter. Repeat this step if the selected EC2 instance has more than one security group assigned.

09 Click on the Show/Hide Columns button, select the Inbound Rules Count and Outbound Rules Count attributes from the Security Group Attributes column and click Close.

10 Check the number of inbound and outbound rules defined for the selected security group(s), displayed in the Inbound Rules Count and Outbound Rules Count columns. If the total number of inbound and outbound rules displayed is greater than 50, the security group(s) associated with the selected EC2 instance exceed(s) the recommended threshold for the number of rules defined, and the instance network performance can be degraded (see the Remediation/Resolution section to remove any unnecessary rules).

11 Repeat steps no. 4 – 10 to determine the number of inbound and outbound rules applied to each EC2 instance available in the current region.

12 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 instances currently available in the selected region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0b9e602c588ffba61  |
|  i-05a1691e53b1576c5  |
|  i-0d4cdfa00d01f7d6d  |
+-----------------------+

03 Run the describe-instances command (OSX/Linux/UNIX) again, using an instance ID returned at the previous step as the identifier and custom output filtering to expose the ID(s) of the security group(s) associated with the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-0b9e602c588ffba61 \
  --output table \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'

04 The command output should return a table with the requested ID(s):

------------------------
|DescribeSecurityGroups|
+----------------------+
|  sg-48016733         |
+----------------------+

05 Run the describe-security-groups command (OSX/Linux/UNIX) using custom filtering to list all the rules defined for the selected security group:

  1. To list all the available inbound rules, run the following command:
    aws ec2 describe-security-groups \
      --region us-east-1 \
      --group-ids sg-48016733 \
      --query 'SecurityGroups[*].IpPermissions[]'
    
  2. The command output should return the requested security group rules metadata:
    [
    	{
    		"PrefixListIds": [],
    		"FromPort": 80,
    		"IpRanges": [
    			{
    				"CidrIp": "0.0.0.0/0"
    			}
    		],
    		"ToPort": 80,
    		"IpProtocol": "tcp",
    		"UserIdGroupPairs": []
    	},
    
    	...
    
    
    	{
    		"PrefixListIds": [],
    		"FromPort": 22,
    		"IpRanges": [
    			{
    				"CidrIp": "0.0.0.0/0"
    			}
    		],
    		"ToPort": 22,
    		"IpProtocol": "tcp",
    		"UserIdGroupPairs": []
    	}
    
    
    ]
    
  3. To list all the available outbound rules, run the following command:
    aws ec2 describe-security-groups \
      --region us-east-1 \
      --group-ids sg-48016733 \
      --query 'SecurityGroups[*].IpPermissionsEgress[]'
    
  4. The command output should return the requested security group rules metadata:
    [
    
    	{
    		"PrefixListIds": [],
    		"FromPort": 80,
    		"IpRanges": [
    			{
    				"CidrIp": "0.0.0.0/0"
    			}
    		],
    		"ToPort": 80,
    		"IpProtocol": "tcp",
    		"UserIdGroupPairs": []
    	},
    
    	...
    
    	{
    		"PrefixListIds": [],
    		"FromPort": 23,
    		"IpRanges": [
    			{
    				"CidrIp": "0.0.0.0/0"
    			}
    		],
    		"ToPort": 23,
    		"IpProtocol": "tcp",
    		"UserIdGroupPairs": []
    	}    
    ]
    

Each JSON object returned at steps no. 2 and 4 represents the metadata of one inbound or outbound rule. If the combined number of inbound and outbound rule objects returned for the security group(s) is greater than 50, the security group(s) associated with the selected EC2 instance exceed(s) the recommended threshold for the number of rules defined, and the instance network performance can be degraded.

06 Repeat steps no. 3 – 5 to determine the number of inbound and outbound rules applied to each EC2 instance available in the current region.

07 Repeat steps no. 1 – 6 to perform the entire audit process for other AWS regions.
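The counting in step no. 5 can be automated. The script below is an added example, not part of the Conformity rule or the AWS CLI; it reads the JSON of a plain describe-security-groups call (no --query, so both IpPermissions and IpPermissionsEgress are present) from standard input, and counts rules the way the AWS quota does, where one IpPermissions object with several CIDRs, IPv6 ranges, prefix lists or referenced groups counts as several rules. The embedded sample is constructed, reusing the group ID from the page.

```python
import json
import sys

# Recommended threshold from the rule (default 50, configurable in Conformity).
DEFAULT_THRESHOLD = 50

def count_permission_rules(permissions):
    """Count rules the way the AWS quota does: one IpPermissions object may
    hold several sources/destinations (CIDRs, IPv6 ranges, prefix lists,
    referenced security groups), and each of those counts as one rule."""
    total = 0
    for perm in permissions:
        total += len(perm.get("IpRanges", []))
        total += len(perm.get("Ipv6Ranges", []))
        total += len(perm.get("PrefixListIds", []))
        total += len(perm.get("UserIdGroupPairs", []))
    return total

def count_group_rules(describe_output):
    """Map GroupId -> (inbound, outbound) from describe-security-groups JSON."""
    counts = {}
    for sg in describe_output.get("SecurityGroups", []):
        inbound = count_permission_rules(sg.get("IpPermissions", []))
        outbound = count_permission_rules(sg.get("IpPermissionsEgress", []))
        counts[sg["GroupId"]] = (inbound, outbound)
    return counts

def exceeds_threshold(describe_output, threshold=DEFAULT_THRESHOLD):
    """Total inbound + outbound rules across all groups returned, vs. threshold."""
    total = sum(i + o for i, o in count_group_rules(describe_output).values())
    return total, total > threshold

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (group ID from the page; the second object carries two CIDRs, i.e. two rules).
SAMPLE = {"SecurityGroups": [{"GroupId": "sg-48016733",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "192.168.0.0/16"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]}]}

if __name__ == "__main__":
    # Pipe `aws ec2 describe-security-groups --group-ids <ids>` into this script;
    # with no piped input the constructed sample is evaluated instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for gid, (i, o) in count_group_rules(data).items():
        print(f"{gid}: {i} inbound, {o} outbound")
    total, over = exceeds_threshold(data)
    print(f"total {total} rules; threshold exceeded: {over}")
```

Pass all of an instance's group IDs to one describe-security-groups call so the total reflects every group attached to that instance, which is what the rule compares against the threshold.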

Remediation / Resolution

To remove any unnecessary or overlapping inbound and outbound rules from the security group(s) associated with your EC2 instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the appropriate EC2 security group (see Audit section to identify the right one(s)) and perform the following actions:

  1. To remove security group rules based on the traffic source or destination, choose one of the following options:
    • For inbound/ingress rules, select the Inbound tab from the dashboard bottom panel and click the Edit button.
    • For outbound/egress rules, select the Outbound tab from the dashboard bottom panel and click the Edit button.
  2. In the Edit inbound rules (or Edit outbound rules) dialog box, identify any unnecessary, obsolete or overlapping rules and remove each unwanted rule by clicking the x (delete) button next to the rule entry.
  3. Click Save to apply the changes.

05 Repeat step no. 4 to update other security groups that exceed the threshold set for the number of inbound and outbound rules, associated with the EC2 instances provisioned in the current region.

06 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the revoke-security-group-ingress command (OSX/Linux/UNIX) using the security group ID as the identifier to remove any unnecessary inbound rules defined within the selected EC2 security group (the command does not return an output):

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id sg-48016733 \
  --protocol tcp \
  --port 23 \
  --cidr 52.110.53.205/32

02 Run the revoke-security-group-egress command (OSX/Linux/UNIX) using the security group ID as the identifier to remove any unnecessary outbound rules defined within the selected EC2 security group (the command does not produce an output):

aws ec2 revoke-security-group-egress \
  --region us-east-1 \
  --group-id sg-48016733 \
  --protocol tcp \
  --port 23 \
  --cidr 52.110.53.205/32

03 Change the --protocol, --port and/or --cidr parameter values based on your requirements and repeat steps no. 1 and 2 to remove any unnecessary, obsolete or overlapping rules defined for the selected security group.

04 Repeat steps no. 1 – 3 to update other EC2 security groups that exceed the threshold set for the number of inbound/outbound rules, associated with the EC2 instances provisioned in the current region.

05 Repeat steps no. 1 – 4 to implement the entire process for other AWS regions.

Publication date Jun 19, 2016