Security Groups must be defined under a Virtual Private Cloud

All security groups must be associated with a VPC; EC2-Classic is not allowed. VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.

Risk Level: Low
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.13
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup where not name='default' should have vpc

REMEDIATION

From Portal:
If you want your instances in your VPC to have the same security group rules as your EC2-Classic instances, you can use the Amazon EC2 console to copy your existing EC2-Classic security group rules to a new VPC security group. You can copy any security group from EC2-Classic to your VPC that meets the requirements. Default security groups cannot be deleted and will be removed on your behalf when EC2-Classic is retired. You can only copy security group rules to a new security group in the same AWS account in the same Region. If you are using a different Region or a different AWS account, you must create a new security group and manually add the rules yourself. For more information, see Amazon EC2 security groups for Linux instances.

Prerequisites: Before you begin copying your security groups, you should check for rules in which your EC2-Classic security groups reference another security group in EC2-Classic. You should remove these rules as they can't be copied into a VPC. For more information, see Delete rules from a security group.
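
An added example, not part of the CloudGuard rule or the AWS documentation: this Python script applies the GSL rule to JSON shaped like the output of aws ec2 describe-security-groups and, for each failing group, lists the rules that reference an EC2-Classic group and therefore must be removed before copying. The sample data, the audit function and its output field names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Every ID and CIDR below is made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupName": "default", "GroupId": "sg-0000000a", "IpPermissions": []},
  {"GroupName": "web-classic", "GroupId": "sg-0000000b", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0000000c", "GroupName": "db-classic"}]}]},
  {"GroupName": "db-classic", "GroupId": "sg-0000000c", "IpPermissions": []},
  {"GroupName": "app-vpc", "GroupId": "sg-0000000d", "VpcId": "vpc-0000000e",
   "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "UserIdGroupPairs": []}]}
]}
""")


def audit(describe_output):
    """Return one finding per group that fails the rule, with blocking rules."""
    groups = describe_output.get("SecurityGroups", [])
    # A group with no VpcId is not associated with any VPC (EC2-Classic).
    classic_ids = {g["GroupId"] for g in groups if not g.get("VpcId")}
    findings = []
    for g in groups:
        # GSL: SecurityGroup where not name='default' should have vpc
        if g.get("GroupName") == "default" or g.get("VpcId"):
            continue
        blocking = []
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            for perm in g.get(direction, []):
                for pair in perm.get("UserIdGroupPairs", []):
                    # Prerequisite: rules that reference an EC2-Classic group
                    # cannot be copied and must be removed first.
                    if pair.get("GroupId") in classic_ids:
                        blocking.append({
                            "protocol": perm.get("IpProtocol"),
                            "from_port": perm.get("FromPort"),
                            "to_port": perm.get("ToPort"),
                            "references": pair["GroupId"],
                        })
        findings.append({"group_id": g["GroupId"],
                         "group_name": g.get("GroupName"),
                         "remove_before_copy": blocking})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(json.dumps(finding))
```
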

Use the following steps to copy your security group rules to a new security group:

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Security Groups.
  3. Select the security group that's associated with your EC2-Classic instance, then choose Actions, and select Copy to new security group.
  4. In the Copy to new security group dialog box, specify a name and description for your new security group. Select your VPC from the VPC list.
  5. Under Inbound rules, the fields are populated with the rules from your EC2-Classic security group. You can modify the rules as required. Under Outbound rules, a rule that allows all outbound traffic has automatically been created for you. For more information about modifying security group rules, see Amazon EC2 security groups for Linux instances.
    Important: You must remove any rules that reference a security group in EC2-Classic, because you can't reference an EC2-Classic security group from a VPC security group. You can add similar rules after you copy the security group to your VPC.
  6. Choose Create security group.

From Command Line:

  1. Run the following command to describe the configuration of the default security group.
     aws ec2 describe-security-groups --region us-east-1 --filters Name=group-name,Values='default'
  2. Run the following command to create a new custom security group under the VPC; it will replace the default security group.
     aws ec2 create-security-group --region region_name --group-name security_group_name --description example_description --vpc-id vpc_id
  3. Run the following command, using the newly created security group ID as the identifier parameter, to transfer the inbound information from the default security group to the new security group.
     aws ec2 authorize-security-group-ingress --region region_name --group-id security_group_id --protocol protocol_name --port port_name --cidr cidr_value
  4. Run the following command, using the newly created security group ID as the identifier parameter, to transfer the outbound information from the default security group to the new security group.
     aws ec2 authorize-security-group-egress --region region_name --group-id security_group_id --protocol protocol_name --port port_name --cidr cidr_value
  5. Run the following command, using the ID of the Amazon EC2 instance that you want to reconfigure, to replace the default security group with the custom one. Make sure to add any other compliant security groups associated with the EC2 instance under the --groups parameter.
     aws ec2 modify-instance-attribute --region region_name --instance-id ID_value --groups default_security_group_id custom_security_group_id

References:

  1. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-migrate.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-groups.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-security-group.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-egress.html
  7. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-instance-attribute.html

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • CloudGuard AWS All Rules Ruleset