Ensure that every rule defined in your Amazon EC2 security groups has a description, to simplify operations and reduce the opportunity for operator error. Adding descriptive text to security group rules lets you keep useful context next to the rule itself, with no need for documentation that lives outside the Amazon EC2 service and drifts out of sync with it. The description can serve several purposes, such as application firewall auditing, security group rule management, and third-party auditing. A rule description can be up to 255 characters long and can be set and viewed from the AWS Management Console, the AWS Command Line Interface (CLI), and the AWS API.
This rule can help you with the following compliance standards:
- PCI
For further details on the compliance standards supported by Conformity, see the Conformity documentation.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With security group rule descriptions, you gain more insight into the configuration of your instance firewall(s). You can record the purpose of the rule and the identity behind the IP address next to the rule entry, so the information is available for security group management (e.g. updating source/destination IP addresses, removing obsolete rules, etc.) and for auditing (internal and external, compliance and forensic audits). As an administrator, you should know who has access to your EC2 instances and applications, and why, without having to ask for those details every time. Rule descriptions are visible to AWS Support as well, which can help resolve your EC2-related issues much faster.
Audit
To determine if your Amazon EC2 security groups implement descriptive text for the existing rules, perform the following actions:
Remediation / Resolution
To add descriptive text to your Amazon EC2 security group rules, perform the following actions:
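The audit and remediation steps above map onto two CLI calls listed in the references: `aws ec2 describe-security-groups` to read the rules, and `aws ec2 update-security-group-rule-descriptions-ingress` (or `-egress`) to set descriptions. The following is an added example, not Conformity's own checker or any AWS-provided code. It parses the JSON shape that `describe-security-groups` returns (constructed sample data, with a placeholder group ID), reports every rule entry whose `Description` is missing or blank, and builds the `--ip-permissions` payload the update command expects, enforcing the 255-character limit. The function and variable names are this example's own.

```python
"""Audit EC2 security group rules for missing descriptions (added example).

Parses the JSON shape returned by `aws ec2 describe-security-groups`:
SecurityGroups -> IpPermissions / IpPermissionsEgress ->
IpRanges / Ipv6Ranges / UserIdGroupPairs / PrefixListIds, each entry of
which may carry a Description. Also builds the --ip-permissions payload
for `aws ec2 update-security-group-rule-descriptions-ingress`.
"""
import json

MAX_DESCRIPTION_LEN = 255  # documented limit for a rule description

# Constructed sample response (placeholder group ID): one described ingress
# rule, one undescribed ingress rule, one egress rule with a blank description.
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public HTTPS"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": ""}],
             "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
        ],
    }]
})
SAMPLE_GROUPS = json.loads(SAMPLE_RESPONSE)["SecurityGroups"]

# Each entry kind identifies its target by a different field name.
TARGET_KEYS = {"IpRanges": "CidrIp", "Ipv6Ranges": "CidrIpv6",
               "UserIdGroupPairs": "GroupId", "PrefixListIds": "PrefixListId"}


def _rule_label(perm):
    """Human-readable protocol/port label for one IpPermissions element."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    return f"{proto} {perm.get('FromPort', 'any')}-{perm.get('ToPort', 'any')}"


def find_undescribed_rules(response_json):
    """Return (group_id, direction, rule, target) for every rule entry
    whose Description is absent or blank, in ingress-then-egress order."""
    findings = []
    for sg in json.loads(response_json)["SecurityGroups"]:
        for direction, field in (("ingress", "IpPermissions"),
                                 ("egress", "IpPermissionsEgress")):
            for perm in sg.get(field, []):
                for kind, key in TARGET_KEYS.items():
                    for entry in perm.get(kind, []):
                        if not entry.get("Description", "").strip():
                            findings.append((sg["GroupId"], direction,
                                             _rule_label(perm), entry[key]))
    return findings


def build_ingress_description_update(perm, descriptions):
    """Build the --ip-permissions payload for
    update-security-group-rule-descriptions-ingress: the original rule with
    a Description on every target. `descriptions` maps target -> text."""
    updated = {"IpProtocol": perm["IpProtocol"]}
    for port_key in ("FromPort", "ToPort"):
        if port_key in perm:
            updated[port_key] = perm[port_key]
    for kind, key in TARGET_KEYS.items():
        entries = []
        for entry in perm.get(kind, []):
            text = descriptions[entry[key]]
            if len(text) > MAX_DESCRIPTION_LEN:
                raise ValueError(
                    f"description for {entry[key]} exceeds {MAX_DESCRIPTION_LEN} chars")
            entries.append({key: entry[key], "Description": text})
        if entries:
            updated[kind] = entries
    return [updated]


if __name__ == "__main__":
    for gid, direction, rule, target in find_undescribed_rules(SAMPLE_RESPONSE):
        print(f"{gid}: {direction} rule '{rule}' for {target} has no description")
    ssh_rule = SAMPLE_GROUPS[0]["IpPermissions"][1]
    payload = build_ingress_description_update(
        ssh_rule, {"203.0.113.10/32": "Bastion host SSH (owner: ops team)"})
    # Pass this JSON as --ip-permissions together with --group-id to the CLI.
    print(json.dumps(payload))
```

In practice you would feed the script the real output of `aws ec2 describe-security-groups` and pass the generated payload to `aws ec2 update-security-group-rule-descriptions-ingress --group-id <id> --ip-permissions '<json>'`; the egress command takes the same payload shape for `IpPermissionsEgress` entries.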
References
- AWS Documentation
- Control traffic to resources using security groups
- Amazon EC2 Security Groups for Linux Instances
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-security-groups
- update-security-group-rule-descriptions-ingress
- update-security-group-rule-descriptions-egress
- AWS Blog(s)
- New – Descriptions for Security Group Rules
- CloudFormation Documentation
- Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
- AWS Provider