Risk Level: High
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.11
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup should have isProtected = 'true'

REMEDIATION

From Portal
In CloudGuard, there are two modes to manage Amazon AWSClosed Security Groups:
a. Full Protection
b. Read-Only
Full Protection provides the CloudGuard administrator with full control of AWS security policy definition, access leases, and can interact with dynamic policy objects.

In Full Protection mode, you can manage an AWS Security Group only through CloudGuard. CloudGuard detects attempts to change a security group from the AWS environment (such as the AWS console), which starts Tamper Protection and can send an alert/notification. CloudGuard overrides the change that is made and reverts to the definition of the Security Group defined in CloudGuard. The alerts and notifications initiated from Tamper Protection occur when you start Full Protection for the necessary regions in your cloud account. CloudGuard locks down the configuration of the security groups in that region to make sure that the security group stays correctly configured.

To make a change in a Security Group that has Tamper Protection enabled, the change is made in CloudGuard. Use following steps to configure a Security Group that has Tamper Protection enabled.

Navigate to the Security Groups page in the Network Security menu.
Select the Security Group to be modified.
Make the necessary changes to the Security Group (for example, add or change Inbound or Outbound services).
Save the changes.

References

https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Network-Security/FullProtectionMode.htm

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

AWS CIS Controls V 8
AWS CSA CCM v.3.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard Network Alerts for default VPC components
AWS CloudGuard Network Management
AWS CloudGuard Well Architected Framework
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
CloudGuard AWS All Rules Ruleset