Process for Security Group Management - Detection of new Security Groups

The CloudGuard Newly Detected Groups Behavior setting should be set to Full Protection (Lock) so that the Security Group management process is enforced

Risk Level: Medium
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.NET.22
Covered by Spectral: No
Category: Global

GSL LOGIC

Region should not have behavior='ReadOnly'

REMEDIATION

From Portal
In CloudGuard, there are two modes for managing Amazon AWS Security Groups:
  a. Full Protection
  b. Read-Only
Full Protection gives the CloudGuard administrator full control of AWS security policy definition and access leases, and allows interaction with dynamic policy objects.

In Full Protection mode, you can manage an AWS Security Group only through CloudGuard. CloudGuard detects attempts to change a Security Group from the AWS environment (such as the AWS console); this triggers Tamper Protection, which can send an alert/notification. CloudGuard overrides the change and reverts the Security Group to the definition stored in CloudGuard. The Tamper Protection alerts and notifications begin once you enable Full Protection for the required regions in your cloud account: CloudGuard then locks down the configuration of the Security Groups in that region to make sure they stay correctly configured.

To make a change to a Security Group that has Tamper Protection enabled, the change must be made in CloudGuard. Use the following steps to configure a Security Group that has Tamper Protection enabled.

  1. Navigate to the Security Groups page in the Network Security menu.
  2. Select the Security Group to be modified.
  3. Make the necessary changes to the Security Group (for example, add or change Inbound or Outbound services).
  4. Save the changes.
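The Tamper Protection behaviour described above (compare the live AWS Security Group with the definition held in CloudGuard, alert on drift, and revert the out-of-band change), together with the GSL check on the region's behavior, modelled as an added example. This is not CloudGuard's own code; the rule-tuple layout, the `Drift`/`enforce` names and the sample rule sets are assumptions constructed for the illustration, while the four EC2 action names are the real API calls that would undo such a change.

```python
from dataclasses import dataclass, field

# Assumed rule shape: (direction, protocol, from_port, to_port, cidr); direction is "ingress" or "egress".
Rule = tuple[str, str, int, int, str]

# Real EC2 API action names used to undo an out-of-band change, per direction.
REVERT_ACTION = {
    ("ingress", "add"): "AuthorizeSecurityGroupIngress",
    ("ingress", "remove"): "RevokeSecurityGroupIngress",
    ("egress", "add"): "AuthorizeSecurityGroupEgress",
    ("egress", "remove"): "RevokeSecurityGroupEgress",
}

@dataclass
class Drift:
    added: set = field(default_factory=set)    # in AWS but not in the CloudGuard definition
    removed: set = field(default_factory=set)  # in the CloudGuard definition but missing in AWS

    def tampered(self) -> bool:
        return bool(self.added or self.removed)

def region_compliant(behavior: str) -> bool:
    """GSL logic from the rule: the region must not be in ReadOnly mode."""
    return behavior != "ReadOnly"

def detect_drift(desired: set, observed: set) -> Drift:
    return Drift(added=observed - desired, removed=desired - observed)

def revert_plan(drift: Drift) -> list:
    """EC2 calls that restore the CloudGuard definition: revoke additions, re-authorize deletions."""
    plan = [(REVERT_ACTION[(r[0], "remove")], r) for r in sorted(drift.added)]
    plan += [(REVERT_ACTION[(r[0], "add")], r) for r in sorted(drift.removed)]
    return plan

def enforce(behavior: str, desired: set, observed: set) -> dict:
    """Full Protection regions get an alert and a revert plan; ReadOnly regions fail the rule and are left alone."""
    if not region_compliant(behavior):
        return {"compliant": False, "alert": None, "plan": []}
    drift = detect_drift(desired, observed)
    alert = None
    if drift.tampered():
        alert = f"Tamper Protection: {len(drift.added)} rule(s) added, {len(drift.removed)} removed out of band"
    return {"compliant": True, "alert": alert, "plan": revert_plan(drift)}

# Constructed sample: the definition allows HTTPS from anywhere and SSH from one subnet;
# a console change dropped the HTTPS rule and opened SSH to the world.
DESIRED = {("ingress", "tcp", 443, 443, "0.0.0.0/0"), ("ingress", "tcp", 22, 22, "10.0.0.0/24")}
OBSERVED = {("ingress", "tcp", 22, 22, "10.0.0.0/24"), ("ingress", "tcp", 22, 22, "0.0.0.0/0")}
```

Calling `enforce("FullProtection", DESIRED, OBSERVED)` yields the alert plus a plan that revokes the world-open SSH rule and re-authorizes the HTTPS rule; the same call with `"ReadOnly"` returns no plan and marks the region non-compliant.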

References

  1. https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Network-Security/FullProtectionMode.htm

Region

Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Management
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST CSF v1.1
  • CloudGuard AWS All Rules Ruleset