Descriptions for Security Group Rules

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-059

Ensure that all the rules defined for your Amazon EC2 security groups have a description to help simplify your operations and remove any opportunities for operator errors. Adding descriptive text for security group rules will allow you to store locally useful information without the need to keep any documentation external and separated from the Amazon EC2 service. The information provided as description can be used for multiple purposes such as application firewall auditing, security group rules management, third-party auditing, and so on. A rule description can be up to 255 characters long and can be defined and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and using the AWS API.

This rule can help you with the following compliance standards:

  • PCI

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security / Operational excellence

With security group rule descriptions, you gain more insight into the configuration of your instance firewall(s). You can record the purpose of the rule and the identity of the IP address next to the rule entry, so it can be used for security group management (e.g. updating source/destination IP addresses, removing obsolete rules, etc.) and auditing (internal and external, compliance and forensic audits). As an administrator, you should know who has access (and why) to your EC2 instances and your applications without having to ask for the required details every time. Rule descriptions should be visible to AWS Support as well, which could help resolve your EC2-related issues much faster.


Audit

To determine if your Amazon EC2 security groups implement descriptive text for the existing rules, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the security group that you want to examine and choose the Inbound rules/Outbound rules tab from the console bottom panel to access the inbound/outbound rules created for the selected group.

05 Check the text value available in the Description - optional column for any configured inbound/outbound rule to identify the rule description. If there are inbound/outbound rules without any description assigned, the selected Amazon EC2 security group does not have text descriptions defined for all the existing rules, therefore the resource configuration does not adhere to security and operational excellence best practices.

06 Repeat steps no. 4 and 5 to verify other Amazon EC2 security groups available in the selected region for descriptive text assigned to inbound/outbound rules.

07 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the Amazon EC2 security groups available in the selected AWS cloud region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --query 'SecurityGroups[*].GroupId' \
  --output table

02 The command output should return a table with the requested identifiers (IDs):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-012341234abcdabcd  |
|  sg-0abcdabcd12341234  |
|  sg-0abcd1234abcd1234  |
+------------------------+

03 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter, to list the inbound and outbound rule(s) defined for the selected security group:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-01234abcd1234abcd \
  --query 'SecurityGroups[*].[IpPermissions,IpPermissionsEgress]'

04 The command output should return the requested configuration information:

[
	[
		{
			"FromPort": 80,
			"IpProtocol": "tcp",
			"IpRanges": [
				{
					"CidrIp": "0.0.0.0/0"
				}
			],
			"Ipv6Ranges": [],
			"PrefixListIds": [],
			"ToPort": 80,
			"UserIdGroupPairs": []
		},
		{
			"FromPort": 22,
			"IpProtocol": "tcp",
			"IpRanges": [
				{
					"CidrIp": "10.0.0.5/32"
				}
			],
			"Ipv6Ranges": [],
			"PrefixListIds": [],
			"ToPort": 22,
			"UserIdGroupPairs": []
		}
	],
	[
		{
			"IpProtocol": "-1",
			"IpRanges": [
				{
					"CidrIp": "0.0.0.0/0",
					"Description": "Allow all outgoing traffic"
				}
			],
			"Ipv6Ranges": [],
			"PrefixListIds": [],
			"UserIdGroupPairs": []
		}
	]
]

Check the "IpRanges"/"Ipv6Ranges" block for each inbound and outbound rule configured for the selected security group to determine if each rule has a text description. If there are inbound/outbound rules without any "Description" properties, as shown in the example above, the selected Amazon EC2 security group does not have text descriptions defined for all the existing rules, therefore the resource configuration does not adhere to security and operational excellence best practices.

05 Repeat steps no. 3 and 4 to check other Amazon EC2 security groups available in the selected region for descriptive text assigned to inbound/outbound rules.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
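The check described in steps 3 and 4 above, applied programmatically. The following Python script is an added example and is not part of this Conformity article or of the Conformity tool: it walks a describe-security-groups response and reports every rule entry that lacks a Description. It goes slightly beyond the CLI query in step 3 by covering all four places a rule entry (and therefore its description) can live: IpRanges, Ipv6Ranges, PrefixListIds and UserIdGroupPairs. The response embedded in the script is constructed sample data modelled on the example output above; the group IDs, names and account ID are fictitious.

```python
import json

# Constructed sample response in the shape returned by
# `aws ec2 describe-security-groups` (two fictitious groups; not real account data).
# The first group mirrors the page's example: two inbound rules without a
# description and one described outbound rule. The second group is compliant.
SAMPLE_RESPONSE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-01234abcd1234abcd",
      "GroupName": "web-and-admin",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.5/32"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow all outgoing traffic"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
      ]
    },
    {
      "GroupId": "sg-0abcd1234abcd1234",
      "GroupName": "app-tier",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-012341234abcdabcd", "UserId": "123456789012",
                               "Description": "Traffic from the load balancer group"}]}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow all outgoing traffic"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
      ]
    }
  ]
}
""")

# Every list in which a rule entry (and its Description) can appear, paired with
# the key that names the source/destination inside that entry.
SOURCE_KEYS = (
    ("IpRanges", "CidrIp"),
    ("Ipv6Ranges", "CidrIpv6"),
    ("PrefixListIds", "PrefixListId"),
    ("UserIdGroupPairs", "GroupId"),
)


def port_range(perm):
    """Render the port range of an IpPermissions entry; '-1' means all protocols and ports."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return "all"
    return f"{perm['FromPort']}-{perm['ToPort']}"


def undescribed_rules(group):
    """Return one (direction, protocol, ports, source) tuple per rule entry in
    `group` whose Description is missing or blank."""
    findings = []
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            for list_key, addr_key in SOURCE_KEYS:
                for entry in perm.get(list_key, []):
                    if not entry.get("Description", "").strip():
                        findings.append((direction, perm.get("IpProtocol"),
                                         port_range(perm), entry[addr_key]))
    return findings


def audit(response):
    """Map each GroupId to its list of undescribed rule entries (empty list = compliant)."""
    return {g["GroupId"]: undescribed_rules(g) for g in response["SecurityGroups"]}


if __name__ == "__main__":
    for group_id, findings in audit(SAMPLE_RESPONSE).items():
        print(f"{group_id}: {'NON-COMPLIANT' if findings else 'compliant'}")
        for direction, proto, ports, source in findings:
            print(f"  {direction} {proto} {ports} {source}: no description")
```

To run it against a real region, save the output of `aws ec2 describe-security-groups --region us-east-1 --output json` to a file and pass the parsed file to `audit()` in place of the constructed sample; a group with a non-empty findings list is the one step 4 flags as not adhering to the best practice.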

Remediation / Resolution

To add descriptive text to your Amazon EC2 security group rules, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Add descriptive text to EC2 security group inbound/outbound rules",
    "Resources": {
        "EC2EC2SecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Admin EC2 Security Group",
                "GroupName": "cc-ec2-security-group",
                "VpcId": "vpc-1234abcd",
                "SecurityGroupIngress": [
                    {
                        "Description": "Admin (SSH) access from the Melbourne office",
                        "IpProtocol": "tcp",
                        "FromPort": 22,
                        "ToPort": 22,
                        "CidrIp": "10.0.0.5/32"
                    }
                ],
                "SecurityGroupEgress": [
                    {
                        "Description": "Allow all outgoing traffic",
                        "IpProtocol": "-1",
                        "FromPort": 0,
                        "ToPort": 65535,
                        "CidrIp": "0.0.0.0/0"
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Add descriptive text to EC2 security group inbound/outbound rules
Resources:
  EC2EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Admin EC2 Security Group
      GroupName: cc-ec2-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - Description: Admin (SSH) access from the Melbourne office
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.5/32
      SecurityGroupEgress:
        - Description: Allow all outgoing traffic
          IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# Add descriptive text to EC2 security group inbound/outbound rules
resource "aws_security_group" "custom-security-group" {
  name        = "cc-ec2-security-group"
  description = "Admin EC2 Security Group"
  vpc_id      = "vpc-1234abcd"

  ingress {
    description = "Admin (SSH) access from the Melbourne office"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.5/32"]
  }

  egress {
    description = "Allow all outgoing traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to update.

05 Select the Inbound/Outbound rules tab from the console bottom panel and choose Edit inbound/outbound rules.

06 On the Edit inbound/outbound rules configuration page, provide a descriptive text for each existing rule in the Description – optional box. The rule description can be up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces and ._-:/()#,@[]+=;{}!$. Choose Save rules to apply the changes.

07 Repeat steps no. 4 – 6 to add inbound/outbound rule descriptions for other Amazon EC2 security groups available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-security-group-rule-descriptions-ingress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter, to add/update the description of an inbound rule defined for the selected security group:

aws ec2 update-security-group-rule-descriptions-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.5/32", "Description": "Admin access from the Melbourne office."}]}]'

02 The command output should return true if the request succeeds, otherwise it should return an error:

true

03 Run update-security-group-rule-descriptions-egress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter, to add/update the description of an outbound/egress rule defined for the selected security group:

aws ec2 update-security-group-rule-descriptions-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allow all outgoing traffic."}]}]'

04 The command output should return true if the request succeeds, otherwise it should return an error:

true

05 Repeat steps no. 1 – 4 to add inbound/outbound rule descriptions for other Amazon EC2 security groups available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the remediation process for other regions.
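The update-security-group-rule-descriptions-ingress/egress calls in steps 1 and 3 above only succeed when the --ip-permissions payload restates an existing rule exactly (protocol, port range and CIDR); the API uses those fields to find the rule and then attaches the description. The following Python script is an added example, not part of this article or of the Conformity tool: it builds that payload from the rule definitions returned by describe-security-groups, validates each description against the 255-character limit and the character set given in the console remediation step 6, and renders the equivalent aws CLI invocation for review without calling AWS itself. The rules, the group ID and the description texts are constructed sample data; the script handles IPv4 CidrIp entries, and the other entry types (Ipv6Ranges, PrefixListIds, UserIdGroupPairs) follow the same pattern.

```python
import json
import re

# Limits taken from the console remediation steps on this page: at most 255
# characters, drawn from a-z, A-Z, 0-9, spaces and ._-:/()#,@[]+=;{}!$.
MAX_DESCRIPTION_LENGTH = 255
ALLOWED_DESCRIPTION = re.compile(r"[A-Za-z0-9 ._\-:/()#,@\[\]+=;{}!$]*")

# Constructed sample: the undescribed inbound rules of a fictitious group, in the
# IpPermissions shape returned by `aws ec2 describe-security-groups`.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.5/32"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
]

# Constructed: the purpose of each rule keyed by its CIDR. In practice this
# comes from your own inventory or change records.
SAMPLE_DESCRIPTIONS = {
    "0.0.0.0/0": "Public HTTP for the marketing site",
    "10.0.0.5/32": "Admin (SSH) access from the Melbourne office",
}


def is_valid_description(text):
    """True if `text` satisfies the length and character-set limits."""
    return len(text) <= MAX_DESCRIPTION_LENGTH and ALLOWED_DESCRIPTION.fullmatch(text) is not None


def validate_description(text):
    """Return `text` unchanged, or raise ValueError before the API would reject it."""
    if not is_valid_description(text):
        raise ValueError(f"rule description rejected (length or character set): {text!r}")
    return text


def description_update_payload(permissions, descriptions):
    """Build the --ip-permissions value for update-security-group-rule-descriptions-*.

    Each rule is restated with the fields the API matches on (IpProtocol, the
    port range when present, and CidrIp); only the Description is new. Entries
    that already carry a description, or whose CIDR has no text in
    `descriptions`, are skipped so the call stays minimal.
    """
    payload = []
    for perm in permissions:
        ranges = []
        for ip_range in perm.get("IpRanges", []):
            cidr = ip_range["CidrIp"]
            if ip_range.get("Description", "").strip() or cidr not in descriptions:
                continue
            ranges.append({"CidrIp": cidr,
                           "Description": validate_description(descriptions[cidr])})
        if not ranges:
            continue
        rule = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:  # absent for protocol "-1" (all traffic)
            rule["FromPort"] = perm["FromPort"]
            rule["ToPort"] = perm["ToPort"]
        rule["IpRanges"] = ranges
        payload.append(rule)
    return payload


def cli_command(group_id, payload, direction="ingress", region="us-east-1"):
    """Render the equivalent aws CLI invocation as one line for review before running it."""
    return (f"aws ec2 update-security-group-rule-descriptions-{direction} "
            f"--region {region} --group-id {group_id} "
            f"--ip-permissions '{json.dumps(payload)}'")


if __name__ == "__main__":
    payload = description_update_payload(SAMPLE_INGRESS, SAMPLE_DESCRIPTIONS)
    print(cli_command("sg-01234abcd1234abcd", payload))
```

Validating before the call matters in bulk remediation: one rejected description fails the whole request, and a script that loops over many groups is easier to reason about when it refuses bad input up front rather than half-way through a region.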

Publication date Oct 17, 2017