Ensure every security group rule has a description

The description attached to a rule can serve several purposes, such as EC2/application firewall auditing, security group rule management and third-party auditing; it simplifies operations and removes opportunities for operator error. Add a description to each rule so that you can identify the rule later. A description can be up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*.

Risk Level: Informational
Cloud Entity: AWS EC2 SecurityGroup
CloudGuard Rule ID: D9.CFT.OPE.20
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

AWS_EC2_SecurityGroup should not have ( SecurityGroupEgress with [ Description isEmpty() ] and SecurityGroupIngress with [ Description isEmpty() ])

REMEDIATION

From CFT

  1. Add a description to every ingress and egress rule.
  2. Set the 'Description' property on each rule in both the SecurityGroupIngress and SecurityGroupEgress lists (the AWS::EC2::SecurityGroup Ingress and AWS::EC2::SecurityGroup Egress property types).

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "What is the purpose of this Security Group"
      SecurityGroupIngress:
        - ...
          Description: "What does this rule allow"
        ...
      SecurityGroupEgress:
        - ...
          Description: "What does this rule allow"
        ...
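As an added example (not CloudGuard's, Spectral's or AWS's code), the following Python script runs the check described on this page over a CloudFormation template offline. It assumes a JSON-format template (the one embedded below is constructed for this example), applies the 255-character limit and the allowed character set stated above, and reports every rule whose Description is missing or invalid. It also implements the GSL exactly as written in the GSL LOGIC section, which flags a group only when an egress rule AND an ingress rule both have an empty Description, so the two checks can be compared. Going beyond the page, it also inspects the standalone AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress resource types, which the GSL does not cover.

```python
"""Flag CloudFormation security group rules whose Description is missing or invalid.
Added example for this rule page, not CloudGuard's or AWS's code. The template is
assumed to be JSON (YAML with intrinsic tags such as !Ref needs a CFN-aware loader)."""
import json
import re

# Constraints stated in the AWS docs: at most 255 characters from this set.
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 ._\-:/()#,@\[\]+=;{}!$*]*$")
MAX_LEN = 255

# Constructed sample template: WebSecurityGroup has one documented ingress rule, one
# undocumented ingress rule and an egress rule with an empty description;
# DbSecurityGroup's only defect is an undocumented egress rule.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0",
           "Description": "Public HTTPS from the ALB"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}
        ],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0", "Description": ""}]
      }
    },
    "DbSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Database tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
           "SourceSecurityGroupId": "sg-00000000", "Description": "Postgres from web tier"}
        ],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]
      }
    }
  }
}
""")


def description_problem(desc):
    """Return None if desc is a usable rule description, otherwise a short reason."""
    if not isinstance(desc, str) or desc.strip() == "":
        return "missing"
    if len(desc) > MAX_LEN:
        return "too long (%d > %d)" % (len(desc), MAX_LEN)
    if not DESCRIPTION_RE.match(desc):
        return "disallowed characters"
    return None


def iter_rules(template):
    """Yield (logical_id, direction, index, rule) for every security group rule.
    Covers the inline SecurityGroupIngress/SecurityGroupEgress lists that the GSL on
    this page inspects and, beyond the page, the standalone rule resource types."""
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
                for i, rule in enumerate(props.get(direction, [])):
                    yield logical_id, direction, i, rule
        elif rtype in ("AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"):
            yield logical_id, rtype.rsplit("::", 1)[1], 0, props


def find_undocumented_rules(template):
    """Per-rule check: every rule must carry a valid Description."""
    return [(lid, direction, i, description_problem(rule.get("Description")))
            for lid, direction, i, rule in iter_rules(template)
            if description_problem(rule.get("Description"))]


def gsl_flags_group(props):
    """Group-level match of the GSL as written on this page: the group matches only
    when an egress rule AND an ingress rule both have an empty Description."""
    def any_empty(direction):
        return any(description_problem(r.get("Description")) == "missing"
                   for r in props.get(direction, []))
    return any_empty("SecurityGroupEgress") and any_empty("SecurityGroupIngress")


def groups_flagged_by_gsl(template):
    """Logical IDs of AWS::EC2::SecurityGroup resources the page's GSL would flag."""
    return [lid for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::SecurityGroup"
            and gsl_flags_group(res.get("Properties", {}))]


if __name__ == "__main__":
    for finding in find_undocumented_rules(SAMPLE_TEMPLATE):
        print("%s.%s[%d]: Description %s" % finding)
    print("groups flagged by the GSL as written:", groups_flagged_by_gsl(SAMPLE_TEMPLATE))
```

On the sample, the per-rule check reports three undocumented rules, but the GSL as written flags only WebSecurityGroup: DbSecurityGroup has an undocumented egress rule while all of its ingress rules are described, so the conjunction in the GSL lets it through. If the intent is the one in the title, that every rule carries a description, a per-rule check (or a GSL that tests each direction separately) is the stricter and safer choice.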

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

AWS EC2 SecurityGroup

A security group acts as a virtual firewall for your EC2 instances, controlling incoming and outgoing traffic. Inbound rules control the traffic allowed to reach your instance, and outbound rules control the traffic allowed to leave it. When you launch an instance, you can specify one or more security groups. In CloudFormation, the AWS::EC2::SecurityGroup resource specifies a security group; use its VpcId property to specify the VPC in which the security group is created.

Compliance Frameworks

  • AWS CloudFormation ruleset