Web-Tier Security Group

Risk Level: Medium (should be achieved)

Ensure there is an Amazon EC2 security group created and configured for the web tier to allow inbound traffic directly from the web-tier load balancer security group for the required ports, in order to secure the access to the backend EC2 instances. This conformity rule assumes that all the AWS resources created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.

Security

A security group operates as a virtual firewall that controls the traffic for your Amazon EC2 instances. To protect the instances within your web tier from unauthorized access, an explicit security group must be created and configured to secure access by adding inbound rules that allow traffic for specific protocols and ports, by referencing as source the security group associated with the web-tier load balancer.

Note: Make sure that you replace all `<web_tier_tag>:<web_tier_tag_value>` tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.

Audit

To determine if there is an Amazon EC2 security group created and configured exclusively for the web tier, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Web-Tier Security Group conformity rule settings, and identify the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Network & Security, choose Security Groups.

05 Click inside the Filter security groups box located under the console top menu, and choose the tag set defined for your web-tier resources, identified at step no. 1, from the Tags list. This filtering technique will return only the security groups tagged for the web tier. If the web-tier tag is not included in the Tags list, there are no security groups tagged within your web tier and the Audit process ends here. If the web-tier tag is included in the Tags list and the Amazon EC2 console returns one or more security groups, continue the Audit process with the next step.

06 Select the security group that you want to examine.

07 Choose the Inbound rules tab from the console bottom panel and check the values available in the Protocol, Port range, and Source columns for each configured inbound rule. For compliance, the security group must allow inbound connections on TCP ports 80 (HTTP) and/or 443 (HTTPS) from the security group associated with the web-tier load balancer. If there are no inbound rules that allow traffic from the load balancer security group on TCP ports 80 and/or 443, the selected Amazon EC2 security group is not considered a compliant web-tier security group.

08 Repeat steps no. 6 and 7 for each Amazon EC2 security group returned as result at step no. 5.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

02 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon EC2 security group available in the selected AWS region:

aws ec2 describe-security-groups
  --region us-east-1
  --output table
  --query 'SecurityGroups[*].GroupId'

03 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter and custom query filters to describe the tags defined for the selected security group:

aws ec2 describe-tags
  --region us-east-1
  --filters "Name=resource-id,Values=sg-01234abcd1234abcd"
  --query 'Tags[*].{Value:Value, Key:Key}'

05 The describe-tags command should return one of the following outputs:

If the command output returns an empty array (i.e. []), as shown in the example below, the verified security group is not tagged, therefore the Audit process for the selected resource ends here:
```
[]
```
If the describe-tags command output returns a tag set that is different from the one identified at step no. 1, as shown in the example below, the verified security group does not belong to your web tier, therefore the Audit process for the selected resource ends here:
```
[
	{
		"Value": "Environment",
		"Key": "Production"
	}
]
```
If the command output returns a tag set that matches the one identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified security group is tagged as a web-tier resource, therefore the Audit process continues with the next step:
```
[
	{
		"Key": "<web_tier_tag>",
		"Value": "<web_tier_tag_value>"
	}
]
```

06 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as the identifier parameter, to list all the inbound/ingress rules defined for the selected security group:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd
  --query 'SecurityGroups[*].IpPermissions[]'

07 The command output should return the requested configuration information:

[
	{
		"FromPort": 80,
		"IpProtocol": "tcp",
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"Ipv6Ranges": [],
		"PrefixListIds": [],
		"ToPort": 80,
		"UserIdGroupPairs": []
	}
]

Check the "IpProtocol", "FromPort", "ToPort", and "UserIdGroupPairs" attribute values returned by the describe-security-groups command output for each inbound rule. For compliance, the web-tier security group must allow inbound connections on TCP ports 80 (HTTP) and/or 443 (HTTPS) from the security group associated with the web-tier load balancer. If there are no inbound rules that allow traffic from the load balancer security group, i.e. "UserIdGroupPairs" attribute value, on TCP ports 80 and/or 443, the selected Amazon EC2 security group is not considered a compliant web-tier security group.

08 Repeat steps no. 6 and 7 for each EC2 security group available in the selected AWS cloud region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To create a compliant web-tier security group and configure it to allow inbound traffic from the security group associated with the web-tier load balancer, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Web-Tier Security Group conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Network & Security, choose Security Groups.

05 To replace the existing security group with a compliant web-tier security group and attach it to your web-tier instance(s), you must create and configure a new Amazon EC2 security group. To create the compliant security group, click on the Create security group button from the console top menu to initiate the setup process.

06 On the Create security group setup page, provide the following information:

For Security group name, provide a unique name for your new security group.
For Description, provide a short description that reflects the security group usage.
Choose the appropriate VPC network from the VPC dropdown list.
In the Inbound rules section, choose Add rule to define the inbound/ingress rule(s) required to allow access to the web-tier load balancer:
- Select HTTP or HTTPS from the Type dropdown list, depending on your web-tier load balancer listener configuration.
- Select Custom from the Source dropdown list and enter the ID of the security group associated with the web-tier load balancer:
- Provide a short description for the new inbound rule in the Description – optional box.
In the Tags – optional section, use the Add new tag button to apply the web-tier tag set copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>).
Choose Create security group to create your new, compliant web-tier security group.

07 Replace the non-compliant security group with the new web-tier security group within your Amazon EC2 instance(s) configuration. To replace the required resource, perform the following actions:

In the navigation panel, under Instances, choose Instances.
Select the Amazon EC2 instance that you want to reconfigure.
Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
On the Change security groups page, perform the following commands:
- In the Associated security groups section, choose Remove next to the non-compliant security group to remove the group from your EC2 instance configuration.
- Click inside the Select security groups box, select the web-tier security group created at step no 6, and choose Add security group.
- Choose Save to apply the configuration changes.

08 Repeat step no. 7 for each Amazon EC2 instance running in the web tier, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

02 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group that you want to replace as the identifier parameter, to describe the configuration metadata available for the selected security group:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd

03 The command output should return the requested configuration information:

{
	"SecurityGroups": [
		{
			"Description": "Allows Web Access",
			"GroupName": "cc-web-security-group",
			"IpPermissions": [
				{
					"FromPort": 80,
					"IpProtocol": "tcp",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"ToPort": 80,
					"UserIdGroupPairs": []
				}
			],
			"OwnerId": "123456789012",
			"GroupId": "sg-01234abcd1234abcd",
			"IpPermissionsEgress": [
				{
					"IpProtocol": "-1",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": []
				}
			],
			"VpcId": "vpc-abcdabcd"
		}
	]
}

04 Run create-security-group command (OSX/Linux/UNIX) to create the compliant web-tier security group using the configuration information returned at the previous step:

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-web-tier-security-group
  --description "Web-Tier Amazon EC2 Security Group"
  --vpc-id vpc-abcdabcd

05 The command output should return the ID of the new, custom security group:

{
	"GroupId": "sg-0abcdabcdabcdabcd"
}

06 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to create the inbound/ingress rule that allows traffic on TCP port 80/443 from the security group associated with your web-tier load balancer (the command does not produce an output):

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-0abcdabcdabcdabcd
  --protocol tcp
  --port 80
  --source-group sg-0abcd1234abcd1234

07 Run create-tags command (OSX/Linux/UNIX) using the ID of the new web-tier security group as the identifier parameter, to create and apply the web-tier tag set copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>). Replace <web_tier_tag> and <web_tier_tag_value> with your own values (the command does not produce an output):

aws ec2 create-tags
  --region us-east-1
  --resources sg-0abcdabcdabcdabcd
  --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

08 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the web-tier Amazon EC2 instance that you want to reconfigure as the identifier parameter, to replace the non-compliant security group with the new web-tier security group within the instance configuration. Make sure that you add any other compliant security groups, associated with the EC2 instance, to the --groups command parameter (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
  --region us-east-1
  --instance-id i-12345678901234567
  --groups sg-0abcdabcdabcdabcd

09 Repeat step no. 8 for each Amazon EC2 instance running within the web tier, available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

AWS Documentation
Amazon EC2 FAQs
Security Groups for Your VPC
Amazon EC2 Security Groups for Linux Instances
CIS Amazon Web Services Foundations

AWS Command Line Interface (CLI) Documentation
ec2
describe-security-groups
describe-tags
create-security-group
authorize-security-group-ingress
create-tags
modify-instance-attribute

Publication date Jul 6, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules