Remove Unused Security Groups that are open to all

A security group should always have attached protected assets. Removing Unused Security Groups that are open to all, is the expected outcome of the firewall and router rule sets review.

Risk Level: Medium
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.57
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup where networkAssetsStats contain-all [ count = 0 ] or networkInterfaces isEmpty() should not have inboundRules with [ scope='0.0.0.0/0' and portTo=0]

REMEDIATION

From Portal:
Use following steps to delete the unused security group.

  1. Note down the unused Security Groups detected by the CloudGuard Report.
  2. Go to EC2 console and navigate to security groups.
  3. Select all the security groups and click on 'Actions'.
  4. Click on 'Delete security groups'.

Use following steps to delete the identified inbound rules where the scope is set to 0.0.0.0/0 and port 0..

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Security Groups
  3. For each security group, perform the following:
  4. Select the security group to update, choose Actions, and then choose Edit inbound rules to remove an inbound rule or Edit outbound rules to remove an outbound rule.
  5. Choose the Delete button to the right of the rule to delete.
  6. Choose Preview changes, Confirm.

From Command Line:
Identify the security group open to all and run the following command to delete an EC2 security group created within EC2-Classic.

aws ec2 delete-security-group --region region_name --group-name security_group_name

Identify the security group open to all and run the following command to delete an EC2 security group created within EC2-VPC.

aws ec2 delete-security-group --region region_name --group-id security_group_id

References:

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#deleting-security-group-rule
  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#deleting-security-group
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-security-group.html

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset