End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Security Group Name Prefixed With 'launch-wizard'

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-061

Ensure that Amazon EC2 instances provisioned in your AWS cloud account are not associated with security groups that have their name prefixed with "launch-wizard", in order to enforce using secure and custom security groups that exercise the Principle of Least Privilege (POLP).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you launch an instance from the Amazon EC2 console launch wizard and let the wizard create a security group for it, the group is named "launch-wizard-N" (for example, launch-wizard-3) and receives a default rule set that allows inbound traffic on TCP port 22 (SSH) from any IPv4 source (0.0.0.0/0). Because many EC2 instances are launched this way and the group is rarely revisited afterwards, the SSH service ends up reachable from the whole Internet, which invites brute-force and credential-stuffing attempts, exploitation of the SSH daemon, and Denial-of-Service (DoS) traffic. The name is only a heuristic: a launch-wizard group whose rules were later tightened is not dangerous, while a custom-named group that allows 0.0.0.0/0 on port 22 is. Treat a match on the name as a prompt to inspect the group's actual inbound rules, and move the instance to a purpose-built security group that follows the Principle of Least Privilege (POLP).


Audit

To determine if there are Amazon EC2 instances associated with security groups prefixed with "launch-wizard", perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Click inside the Find Instance by attribute or tag (case-sensitive) box located under Instances, select Security group name, choose Contains from Operators, type launch-wizard, and press Enter. This filtering technique will return only the Amazon EC2 instances associated with security groups prefixed with launch-wizard. If the filtering process returns one or more EC2 instances, there are security groups prefixed with launch-wizard in use within the current AWS region. As a result, the associated Amazon EC2 instances might use security groups with insecure configurations.

05 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances that are associated with security groups prefixed with "launch-wizard", available in the selected AWS cloud region (the trailing backslashes continue the command across lines):

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=instance.group-name,Values=launch-wizard-*" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if no Amazon EC2 instance uses a security group prefixed with launch-wizard, or a table populated with instance IDs if such security groups are associated with EC2 instances, as shown in the following example. Note that describe-instances also reports instances terminated within roughly the last hour; add a second filter, "Name=instance-state-name,Values=pending,running,stopping,stopped", to --filters to exclude them:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

If the describe-instances command output returns one or more instance IDs, there are security groups prefixed with launch-wizard in use within the selected AWS region. As a result, the associated Amazon EC2 instances might use security groups with insecure configurations. Confirm this by inspecting each group's inbound rules with the describe-security-groups command (see the Remediation section); a group whose rules have already been tightened needs no further action beyond renaming or replacement.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
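The name filter above only finds groups called launch-wizard-*; it says nothing about whether their rules are still wide open, and it misses custom-named groups with the same problem. The following script is an added example (not part of the original page or of the Conformity product) that evaluates both signals offline from the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-instances` return, and maps each flagged group to the instances using it. It checks port 22 as on the page and, as an assumption going beyond it, port 3389 for Windows hosts launched the same way; all resource IDs in the embedded sample are constructed placeholders.

```python
"""Added audit helper: flag EC2 security groups by the 'launch-wizard' name
AND by the rule that actually matters (a management port open to the world),
then map each group to the instances using it.

Run it on real data with:
    aws ec2 describe-security-groups --region us-east-1 --output json > sgs.json
    aws ec2 describe-instances       --region us-east-1 --output json > instances.json
    python3 audit_launch_wizard.py sgs.json instances.json
Without arguments it uses the constructed sample at the bottom."""
import json
import sys

# Ports treated as "management": 22 (SSH) as on the page, plus 3389 (RDP) as an
# assumption for Windows hosts launched through the same wizard.
MANAGEMENT_PORTS = (22, 3389)
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def is_launch_wizard(group):
    return group.get("GroupName", "").startswith("launch-wizard")


def rule_covers_port(rule, port):
    """True if one IpPermissions entry reaches TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # all protocols, every port
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_management_rules(group):
    """(port, source) pairs where a management port is reachable from anywhere."""
    hits = []
    for rule in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
        for port in MANAGEMENT_PORTS:
            if sources and rule_covers_port(rule, port):
                hits.extend((port, src) for src in sources)
    return hits


def classify(group):
    """The rules decide the risk; the name alone is only a hint."""
    if open_management_rules(group):
        return "OPEN_MANAGEMENT_PORT"
    if is_launch_wizard(group):
        return "LAUNCH_WIZARD_NAME_ONLY"
    return "OK"


def instances_by_group(reservations):
    """GroupId -> [InstanceId, ...] from describe-instances output."""
    usage = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            for sg in inst.get("SecurityGroups", []):
                usage.setdefault(sg["GroupId"], []).append(inst["InstanceId"])
    return usage


def audit(sg_json, instances_json):
    usage = instances_by_group(instances_json.get("Reservations", []))
    return [{
        "GroupId": g["GroupId"],
        "GroupName": g["GroupName"],
        "verdict": classify(g),
        "open_rules": open_management_rules(g),
        "instances": usage.get(g["GroupId"], []),
    } for g in sg_json.get("SecurityGroups", [])]


# Constructed sample (IDs are placeholders, not real resources).
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-01234abcd1234abcd", "GroupName": "launch-wizard-3",   # untouched wizard default
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0aaaabbbbccccdddd", "GroupName": "launch-wizard-7",   # wizard name, tightened later
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.5/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eeeeffff00001111", "GroupName": "web-prod",          # custom name, wide open
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0abcdabcdabcdabcd",
     "SecurityGroups": [{"GroupId": "sg-01234abcd1234abcd", "GroupName": "launch-wizard-3"}]},
    {"InstanceId": "i-0abcd1234abcd1234",
     "SecurityGroups": [{"GroupId": "sg-0eeeeffff00001111", "GroupName": "web-prod"}]},
]}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        sgs, insts = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        sgs, insts = SAMPLE_SGS, SAMPLE_INSTANCES
    for row in audit(sgs, insts):
        if row["verdict"] != "OK":
            print(f'{row["verdict"]:25} {row["GroupId"]} {row["GroupName"]:18} '
                  f'open={row["open_rules"]} instances={row["instances"]}')
```

On the sample, launch-wizard-3 and web-prod are reported as OPEN_MANAGEMENT_PORT (the latter would be invisible to a name-based filter), while launch-wizard-7 is reported as LAUNCH_WIZARD_NAME_ONLY: it matches the rule by name but has already been restricted to a single source, so replacing it is hygiene rather than an urgent fix.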

Remediation / Resolution

To follow AWS cloud security best practices, implement the Principle of Least Privilege (POLP) by replacing the associated security groups, prefixed with launch-wizard, with custom security groups. To run the remediation process, perform the following operations:

Using AWS CloudFormation

The templates below provision a new EC2 instance attached to the custom security group. CloudFormation cannot change an instance it does not manage, so to remediate an existing instance either bring it into a stack with a resource import first or use the AWS Console or AWS CLI procedures further down.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Replace the EC2 security group prefixed with 'launch-wizard'",
	"Resources": {
		"CustomEC2SecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupDescription": "Admin EC2 Security Group",
				"GroupName": "cc-custom-security-group",
				"VpcId": "vpc-1234abcd",
				"SecurityGroupIngress": [
					{
						"IpProtocol": "tcp",
						"FromPort": 22,
						"ToPort": 22,
						"CidrIp": "10.0.0.5/32"
					}
				],
				"SecurityGroupEgress": [
					{
						"IpProtocol": "-1",
						"FromPort": 0,
						"ToPort": 65535,
						"CidrIp": "0.0.0.0/0"
					}
				]
			}
		},
		"EC2Instance": {
			"Type": "AWS::EC2::Instance",
			"Properties": {
				"ImageId": "ami-0abcd1234abcd1234",
				"InstanceType": "t3.micro",
				"KeyName": "ssh-key",
				"SubnetId": "subnet-abcd1234",
				"SecurityGroupIds": [
					{ "Ref": "CustomEC2SecurityGroup" }
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Replace the EC2 security group prefixed with 'launch-wizard'
Resources:
  CustomEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Admin EC2 Security Group
      GroupName: cc-custom-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.5/32
      SecurityGroupEgress:
        - IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName: ssh-key
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - !Ref CustomEC2SecurityGroup

Using Terraform (AWS Provider)

The aws_instance resource below creates a new instance that uses the custom security group. To remediate an instance that already exists, import it into state (terraform import) and set vpc_security_group_ids on the existing resource instead, then apply.

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# Create the replacement EC2 security group: SSH only from a single
# administrative host instead of the launch-wizard default of 0.0.0.0/0
resource "aws_security_group" "ec2-security-group" {
  name        = "cc-custom-security-group"
  description = "Admin EC2 Security Group"
  vpc_id      = "vpc-1234abcd"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.5/32"]
  }

  # Same allow-all egress the launch-wizard group had; tighten if required
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Attach only the custom group, so the security group prefixed with
# 'launch-wizard' is no longer referenced by the instance
resource "aws_instance" "ec2-instance" {
  ami                    = "ami-0abcd1234abcd1234"
  instance_type          = "t3.micro"
  key_name               = "ssh-key"
  subnet_id              = "subnet-abcd1234"
  vpc_security_group_ids = [aws_security_group.ec2-security-group.id]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to replace, prefixed with launch-wizard.

05 Choose Actions, select Copy to new security group, and perform the following actions:

  1. For Security group name box, enter a unique name for your new custom security group.
  2. For Description, provide a short description to reflect the security group usage.
  3. For VPC, select the VPC network in which you want to deploy the new security group.
  4. In the Inbound rules section, review and configure the inbound rules copied automatically from the source security group. Ensure that none of the existing inbound rules allow unrestricted traffic (i.e., 0.0.0.0/0 or ::/0) unless it is mandatory.
  5. In the Outbound rules section, review and configure the outbound rules copied automatically from the source security group.
  6. (Optional) For Tags – optional, choose Add tag to create and apply user-defined tags to the new security group.
  7. Choose Create security group to create your new, compliant Amazon EC2 security group.

06 Replace the security group prefixed with launch-wizard, with the new (custom) one within your Amazon EC2 instance configuration. To replace the required security group, perform the following actions:

  1. In the left navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to configure.
  3. Choose Actions, select Security, choose Change security groups, and perform the following operations:
    1. In the Associated security groups section, choose Remove next to the security group prefixed with launch-wizard to remove the non-compliant security group from your instance configuration.
    2. Click inside the Select security groups box, select the custom security group created in step no. 5, and choose Add security group. The new, compliant security group will replace the non-compliant one.
    3. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Amazon EC2 security group that you want to replace, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with custom output filters to describe the configuration of the Amazon EC2 security group that you want to replace, prefixed with launch-wizard (the trailing backslashes continue the command across lines):

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=group-name,Values='launch-wizard-3'

02 The command output should return the requested configuration information:

{
	"SecurityGroups": [
		{
			"Description": "launch-wizard-3 created 2025-06-09T10:30:00.000+00:00",
			"GroupName": "launch-wizard-3",
			"IpPermissions": [
				{
					"FromPort": 22,
					"IpProtocol": "tcp",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"ToPort": 22,
					"UserIdGroupPairs": []
				}
			],
			"OwnerId": "123456789012",
			"GroupId": "sg-01234abcd1234abcd",
			"IpPermissionsEgress": [
				{
					"IpProtocol": "-1",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": []
				}
			],
			"VpcId": "vpc-01234abcd1234abcd"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create a new custom security group, in the same VPC as the instance, that will replace the one prefixed with launch-wizard, described in the previous step:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name cc-custom-security-group \
	--description "Admin EC2 Security Group" \
	--vpc-id vpc-01234abcd1234abcd

04 The command output should return the ID of the new, custom security group:

{
	"GroupId": "sg-0abcdabcdabcdabcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) with the ID of the newly created security group as the identifier parameter, to recreate the inbound rules of the non-compliant security group on the new (custom) one. Do not copy the rules verbatim: replace every source of 0.0.0.0/0 or ::/0 with the narrowest range that actually needs access, such as a bastion host or corporate address range (10.0.0.5/32 in the example). Run the command once per rule, changing the --protocol, --port and --cidr parameter values as needed (the command output should return true if the request succeeds):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-0abcdabcdabcdabcd \
	--protocol tcp \
	--port 22 \
	--cidr 10.0.0.5/32 \
	--query 'Return'

06 Outbound rules usually need no action: a newly created security group already carries the default egress rule that allows all outbound traffic (IpProtocol -1 to 0.0.0.0/0), which is the same rule the launch-wizard group shown in step no. 2 has, and authorizing that rule a second time fails with InvalidPermission.Duplicate. Run authorize-security-group-egress command (OSX/Linux/UNIX) only to add outbound rules that the non-compliant security group had beyond the default or, if you want to restrict egress as well, after removing the default rule with revoke-security-group-egress. The following example, meant for use after such a revocation, allows outbound HTTPS only; adjust the --ip-permissions parameter value for each rule required (the command output should return true if the request succeeds):

aws ec2 authorize-security-group-egress \
	--region us-east-1 \
	--group-id sg-0abcdabcdabcdabcd \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]' \
	--query 'Return'

07 Run modify-instance-attribute command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to configure as the identifier parameter, to replace the security group prefixed with launch-wizard with the custom one created in step no. 3. The --groups parameter sets the instance's complete list of security groups: list the new group together with every other compliant group that is already attached, and leave out the launch-wizard group (sg-01234abcd1234abcd in this example), since any group you omit is detached and the one you keep stays in effect. The change applies immediately and does not require a restart (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
	--region us-east-1 \
	--instance-id i-0abcdabcdabcdabcd \
	--groups sg-0abcdabcdabcdabcd

08 Repeat steps no. 1 – 7 for each Amazon EC2 security group that you want to replace, available in the selected AWS region. Once a launch-wizard group is no longer referenced by any instance or network interface, you can remove it with the delete-security-group command so that it cannot be reattached by mistake.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
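Steps 01 to 07 are easy to get wrong by hand in two places: copying the 0.0.0.0/0 source into the new group unchanged, and passing an incomplete or still-contaminated list to --groups. The script below is an added example (not part of the original page or of the Conformity product) that takes the describe-security-groups entry of a launch-wizard group and the describe-instances entry of an instance using it, rewrites every "anywhere" source to an approved CIDR, computes the full replacement group set, and prints the aws commands as a reviewable shell script instead of calling the API, so it runs offline. The embedded sample mirrors the IDs used on this page plus one constructed compliant group (sg-0123456789abcdef0) that must survive the swap; the new group ID is assumed to be the one create-security-group returned in step no. 4.

```python
"""Added remediation planner: from the describe-security-groups output of a
launch-wizard group and the describe-instances entry of an instance that uses
it, build (a) tightened inbound rules with every 0.0.0.0/0 or ::/0 source
replaced by an approved CIDR, and (b) the complete --groups set for
modify-instance-attribute. Emits the aws commands as shell lines for review."""
import json
import shlex

ANY_SOURCES = {"0.0.0.0/0", "::/0"}


def tighten_ingress(ip_permissions, allowed_ipv4, allowed_ipv6=()):
    """Copy of IpPermissions with each 'anywhere' source swapped for the approved
    CIDRs. Specific sources, group references and prefix lists are kept; a rule
    left with no source at all is dropped (fail closed)."""
    out = []
    for perm in ip_permissions:
        new = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") not in ANY_SOURCES]
        if len(v4) != len(perm.get("IpRanges", [])):          # a 0.0.0.0/0 entry was removed
            v4 += [{"CidrIp": c, "Description": "replaced 0.0.0.0/0"} for c in allowed_ipv4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") not in ANY_SOURCES]
        if len(v6) != len(perm.get("Ipv6Ranges", [])):        # a ::/0 entry was removed
            v6 += [{"CidrIpv6": c, "Description": "replaced ::/0"} for c in allowed_ipv6]
        for key, val in (("IpRanges", v4), ("Ipv6Ranges", v6),
                         ("UserIdGroupPairs", perm.get("UserIdGroupPairs", [])),
                         ("PrefixListIds", perm.get("PrefixListIds", []))):
            if val:
                new[key] = val
        if any(k in new for k in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds")):
            out.append(new)
    return out


def replacement_groups(instance, new_group_id):
    """--groups for modify-instance-attribute. The call replaces the whole set,
    so every compliant group already attached must be listed again; only the
    launch-wizard-* groups are dropped."""
    keep = [sg["GroupId"] for sg in instance["SecurityGroups"]
            if not sg["GroupName"].startswith("launch-wizard")]
    if new_group_id not in keep:
        keep.append(new_group_id)
    return keep


def plan(region, lw_group, instance, new_name, allowed_ipv4, new_group_id):
    """argv lists for steps 03, 05 and 07 of the CLI procedure. new_group_id is
    the GroupId that create-security-group returns; run that step first."""
    cmds = [["aws", "ec2", "create-security-group", "--region", region,
             "--group-name", new_name,
             "--description", f"Replacement for {lw_group['GroupName']}",
             "--vpc-id", lw_group["VpcId"]]]
    perms = tighten_ingress(lw_group.get("IpPermissions", []), allowed_ipv4)
    if perms:   # --ip-permissions takes every rule in one call; no per-rule loop
        cmds.append(["aws", "ec2", "authorize-security-group-ingress", "--region", region,
                     "--group-id", new_group_id, "--ip-permissions", json.dumps(perms)])
    # No authorize-security-group-egress: a new group already has the default
    # allow-all egress rule, and adding it again fails with InvalidPermission.Duplicate.
    cmds.append(["aws", "ec2", "modify-instance-attribute", "--region", region,
                 "--instance-id", instance["InstanceId"],
                 "--groups", *replacement_groups(instance, new_group_id)])
    return cmds


def render(cmds):
    """Shell-quoted script, one command per line, safe to paste after review."""
    return "\n".join(shlex.join(c) for c in cmds) + "\n"


# Constructed sample: the page's IDs plus one extra compliant group
# (sg-0123456789abcdef0, a placeholder) that must survive the swap.
SAMPLE_LW_GROUP = {
    "GroupId": "sg-01234abcd1234abcd", "GroupName": "launch-wizard-3",
    "VpcId": "vpc-01234abcd1234abcd",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                       "PrefixListIds": [], "UserIdGroupPairs": []}],
}
SAMPLE_INSTANCE = {
    "InstanceId": "i-0abcdabcdabcdabcd",
    "SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "app-internal"},
                       {"GroupId": "sg-01234abcd1234abcd", "GroupName": "launch-wizard-3"}],
}

if __name__ == "__main__":
    print(render(plan("us-east-1", SAMPLE_LW_GROUP, SAMPLE_INSTANCE,
                      "cc-custom-security-group", ["10.0.0.5/32"], "sg-0abcdabcdabcdabcd")))
```

The generated modify-instance-attribute line lists sg-0123456789abcdef0 and sg-0abcdabcdabcdabcd and omits sg-01234abcd1234abcd, which is the outcome step no. 7 must reach. A rule whose only source was ::/0 and for which no IPv6 replacement is supplied is dropped rather than re-created open, so review the plan for missing rules before running it.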


Publication date Feb 2, 2017