Security Group Excessive Counts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-012

Determine if there is a large number of Amazon EC2 security groups available within your AWS cloud account and reduce their number by removing any unnecessary or obsolete security groups. To maintain optimal access security at the instance level, Trend Cloud One™ – Conformity recommends two threshold values of 50 (Large) and 100 (Excessive) for the maximum number of security groups available per AWS region. You can also adjust the threshold based on your requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the following pillars of the AWS Well-Architected Framework:

  • Security
  • Sustainability

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Using a large number of Amazon EC2 security groups increases the opportunity for mistakes that open your instances up. When a region holds dozens or hundreds of groups, obsolete groups, duplicated rules and overly permissive entries (for example 0.0.0.0/0 on an administrative port) are harder to spot during review, and an unused but permissive group is easy to attach to an instance by accident. Keeping the number of groups per region small makes the purpose of each group clear and the whole set auditable.

Note: The default threshold for the maximum number of security groups per AWS region used by this conformity rule is 100 (Excessive).


Audit

To determine if there are more than 100 Amazon EC2 security groups available within an AWS cloud region, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Check the total number of Amazon EC2 security groups available within the current AWS cloud region, shown in the header of the Security Groups page, i.e. Security Groups (<number-of-security-groups>). If the total number of Amazon EC2 security groups within the region is greater than 100, the default (recommended) threshold was exceeded, therefore you must take action and remove any unnecessary or overlapping EC2 security groups from your AWS cloud account.

05 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with a custom query filter to list the identifiers (IDs) of all the Amazon EC2 security groups available in the selected AWS cloud region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --output table \
  --query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
|  sg-0abcdabcdabcdabcd  |
|  sg-01234123412341234  |
|          ...           |
|  sg-0abcdabcd12341234  |
|  sg-012341234abcdabcd  |
|  sg-0123412341234abcd  |
|  sg-0abcd123412341234  |
+------------------------+

Each table row returned by the describe-security-groups command output represents an individual Amazon EC2 security group. If the total number of rows in your output table is greater than 100, the default (recommended) threshold was exceeded, therefore you must take action and remove any unnecessary or overlapping Amazon EC2 security groups from your AWS cloud account.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To remove any unnecessary or obsolete Amazon EC2 security groups from your AWS cloud account, perform the following operations:

Note: If you attempt to delete an Amazon EC2 security group that is associated with an instance, or is referenced by another security group, the delete operation fails.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the unnecessary Amazon EC2 security group that you want to delete. The Audit section only gives you the count per region; to decide that a group is unnecessary, confirm that it is not attached to any instance or network interface and is not referenced by the rules of another security group (see the Note above), and that nothing outside the account, such as a launch template or infrastructure-as-code definition, still expects it to exist.

05 Click on the Actions dropdown menu from the console top-right menu and choose Delete security group.

06 Inside the Delete security groups confirmation box, review the resource details, then choose Delete to remove the selected Amazon EC2 security group from the current AWS region. After the selected security group is removed from your AWS cloud account, the Security Groups list is updated.

07 Repeat steps no. 4 – 6 to remove other unnecessary or obsolete Amazon EC2 security groups from the current AWS region.

08 Change the AWS region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run delete-security-group command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to delete as the identifier parameter (see the Audit section, Using AWS CLI, to list the resources), to remove the specified EC2 security group from the selected AWS cloud region. The --group-name parameter is accepted only for security groups in the default VPC (and formerly in EC2-Classic, which AWS retired on August 15, 2022); for a security group in a nondefault VPC you must use --group-id. If the delete-security-group command request succeeds, no output is returned:

  1. To delete an Amazon EC2 security group by name (default VPC only), run the following command:
    aws ec2 delete-security-group \
      --region us-east-1 \
      --group-name cc-project5-web-security-group
    
  2. To remove an Amazon EC2 security group by ID (any VPC), run the following command:
    aws ec2 delete-security-group \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd
    

02 Repeat step no. 1 to remove other unnecessary or unused Amazon EC2 security groups from the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
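The Audit steps above give you the count per region, and the Remediation steps tell you that delete-security-group fails for an attached or referenced group, but neither shows how to pick the groups that are safe to remove. The following script is an added example, not Conformity's own code: it rates a region's security-group count against the 50 (Large) and 100 (Excessive) thresholds of this rule and lists the groups that are not a VPC default group, not attached to any network interface and not referenced by another group's rules. It reads the JSON that `aws ec2 describe-security-groups --output json` and `aws ec2 describe-network-interfaces --output json` return, and makes no AWS calls itself; the embedded sample data is constructed and the IDs in it are invented.

```python
"""EC2-012 helper: rate a region's security-group count and list the groups
that delete-security-group can actually remove.

Added example, not Conformity's code. Input is the "SecurityGroups" array from
`aws ec2 describe-security-groups --output json` and the "NetworkInterfaces"
array from `aws ec2 describe-network-interfaces --output json`.
"""
import json
import sys
from typing import Dict, List, Set

LARGE_THRESHOLD = 50       # Conformity "Large" threshold (groups per region)
EXCESSIVE_THRESHOLD = 100  # Conformity "Excessive" threshold, the rule default


def classify_count(count: int, large: int = LARGE_THRESHOLD,
                   excessive: int = EXCESSIVE_THRESHOLD) -> str:
    """Rate a per-region count: more than 100 is Excessive, more than 50 is Large."""
    if count > excessive:
        return "Excessive"
    if count > large:
        return "Large"
    return "OK"


def referenced_group_ids(sg: Dict) -> Set[str]:
    """IDs of other groups referenced by this group's inbound and outbound rules."""
    refs: Set[str] = set()
    for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
        for pair in perm.get("UserIdGroupPairs", []):
            refs.add(pair["GroupId"])
    refs.discard(sg["GroupId"])  # a group referencing itself does not block its deletion
    return refs


def attached_group_ids(network_interfaces: List[Dict]) -> Set[str]:
    """IDs of groups attached to any ENI (instances, load balancers, RDS, Lambda, ...)."""
    return {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}


def deletable_groups(security_groups: List[Dict],
                     network_interfaces: List[Dict]) -> List[str]:
    """Groups that are not a VPC default group, not attached to a network interface
    and not referenced by another group: the cases where delete-security-group
    does not fail with DependencyViolation."""
    attached = attached_group_ids(network_interfaces)
    referenced: Set[str] = set()
    for sg in security_groups:
        referenced |= referenced_group_ids(sg)
    return sorted(
        sg["GroupId"] for sg in security_groups
        if sg.get("GroupName") != "default"
        and sg["GroupId"] not in attached
        and sg["GroupId"] not in referenced
    )


def report(region: str, security_groups: List[Dict],
           network_interfaces: List[Dict]) -> Dict:
    """One region's count, rating against the thresholds, and deletion candidates."""
    count = len(security_groups)
    return {"region": region, "count": count, "rating": classify_count(count),
            "deletable": deletable_groups(security_groups, network_interfaces)}


# Constructed sample data standing in for the two CLI outputs (IDs are invented).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "default", "VpcId": "vpc-0sample",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0aaaaaaaaaaaaaaa2", "GroupName": "web", "VpcId": "vpc-0sample",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
    # "db" admits the "web" group on 5432, so "web" is referenced and cannot be deleted
    {"GroupId": "sg-0aaaaaaaaaaaaaaa3", "GroupName": "db", "VpcId": "vpc-0sample",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa2"}]}],
     "IpPermissionsEgress": []},
    # leftover group: attached to nothing, referenced by nothing
    {"GroupId": "sg-0aaaaaaaaaaaaaaa4", "GroupName": "old-test", "VpcId": "vpc-0sample",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0sample1",
     "Groups": [{"GroupId": "sg-0aaaaaaaaaaaaaaa3", "GroupName": "db"}]},
]

if __name__ == "__main__":
    if len(sys.argv) == 4:  # <region> <describe-security-groups.json> <describe-network-interfaces.json>
        with open(sys.argv[2]) as f:
            sgs = json.load(f)["SecurityGroups"]
        with open(sys.argv[3]) as f:
            enis = json.load(f)["NetworkInterfaces"]
        print(json.dumps(report(sys.argv[1], sgs, enis), indent=2))
    else:
        print(json.dumps(report("us-east-1", SAMPLE_SECURITY_GROUPS,
                                SAMPLE_NETWORK_INTERFACES), indent=2))
```

To run it against a real region, save the two CLI outputs first, e.g. `aws ec2 describe-security-groups --region us-east-1 --output json > sgs.json` and `aws ec2 describe-network-interfaces --region us-east-1 --output json > enis.json`, then pass the region and both files as arguments; repeat per region. On the sample data the region rates OK with 4 groups and only sg-0aaaaaaaaaaaaaaa4 is reported as deletable. Treat the output as a candidate list, not a deletion list: the network-interface check only sees what exists at that moment, so a group referenced by a launch template, an Auto Scaling group or an infrastructure-as-code definition, or by a rule on the other side of a VPC peering connection, is not detected here.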

Publication date Nov 3, 2022