Remove Unused Security Groups

A security group should always have protected assets attached to it. Removing unused security groups is the expected outcome of the firewall and router rule-set review.

Risk Level: Low
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.15
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup where name != 'default' should not have networkAssetsStats contain-all [ count = 0 ] and networkInterfaces isEmpty()

REMEDIATION

From Portal

  1. Note down the unused Security Groups detected by the CloudGuard Report.
  2. Go to EC2 console and navigate to security groups.
  3. Select the unused security groups noted in step 1 and click on 'Actions'.
  4. Click on 'Delete security groups'.

Note: Security groups that are attached to instances or that contain any network assets are in use and must not be deleted.

From Command Line
Run the following command to delete an EC2 security group created within EC2-Classic.

aws ec2 delete-security-group --region REGION_NAME --group-name SECURITY_GROUP_NAME

Run the following command to delete an EC2 security group created within EC2-VPC.

aws ec2 delete-security-group --region REGION_NAME --group-id SECURITY_GROUP_ID

Note: The above example deletes the security group by its ID. A security group in EC2-VPC cannot be referenced by name.
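The following is an added example, not CloudGuard's rule engine or AWS code. It applies the GSL logic above offline to API responses in the shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` (sample data is constructed), and goes one step further than the rule: it also skips groups that other groups' rules reference, since `delete-security-group` rejects those with a DependencyViolation error.

```python
def find_unused_security_groups(security_groups, network_interfaces):
    """Return IDs of groups not named 'default' that no ENI is attached to.

    Groups referenced by another group's ingress/egress rules are also
    excluded: they are not "in use" by the GSL definition, but AWS will
    refuse to delete them until the referencing rule is removed.
    """
    # Every group attached to any network interface (instances, load
    # balancers, RDS, Lambda and so on all surface as ENIs).
    attached = {g["GroupId"]
                for eni in network_interfaces
                for g in eni.get("Groups", [])}
    # Every group that appears as a source/destination in another group's rules.
    referenced = {pair["GroupId"]
                  for sg in security_groups
                  for rule in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", [])
                  for pair in rule.get("UserIdGroupPairs", [])}
    return sorted(sg["GroupId"] for sg in security_groups
                  if sg["GroupName"] != "default"
                  and sg["GroupId"] not in attached
                  and sg["GroupId"] not in referenced)


def delete_commands(group_ids, region):
    """Build the EC2-VPC deletion commands from the page (by ID, never by name)."""
    return [f"aws ec2 delete-security-group --region {region} --group-id {gid}"
            for gid in group_ids]


# Constructed sample data; IDs are placeholders, not real resources.
SAMPLE_SGS = [
    {"GroupId": "sg-0a0000000000000001", "GroupName": "default",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0a0000000000000002", "GroupName": "web",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0a0000000000000003", "GroupName": "db",  # references "app"
     "IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-0a0000000000000004"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0a0000000000000004", "GroupName": "app",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0a0000000000000005", "GroupName": "old-test",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
# Only "web" is attached to an interface.
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-0a00000000000001",
                "Groups": [{"GroupId": "sg-0a0000000000000002"}]}]

if __name__ == "__main__":
    unused = find_unused_security_groups(SAMPLE_SGS, SAMPLE_ENIS)
    print("\n".join(delete_commands(unused, "us-east-1")))
```

With the sample data, "default" is skipped by name, "web" is attached, "app" is referenced by "db", so only "db" and "old-test" are reported for deletion.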

References

  1. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
  2. https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-sg.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-security-group.html

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • CloudGuard AWS All Rules Ruleset