Security Group Excessive Counts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EC2-012

Determine if there is a large number of EC2 security groups available within each AWS region and reduce their number by removing any unnecessary or obsolete security groups. To maintain optimal access security at the instance level, Cloud Conformity recommends two threshold values, 50 (Large) and 100 (Excessive), for the maximum number of security groups available per region. Besides these two default values, you can adjust the threshold to match your own requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Using a large number of EC2 security groups increases the opportunities for malicious activity: creating and managing many security groups raises the risk of accidentally allowing unrestricted access through one of them.

Note: The threshold for the maximum number of security groups per AWS region set for this guide is 50 (Large).


Audit

To determine if there are more than 50 EC2 security groups available within an AWS region, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Check the total number of EC2 security groups available in the current AWS region, listed in the top-right section of the dashboard.

If the total number of security groups available is greater than 50, the recommended threshold has been exceeded and you must take action to remove any unnecessary or overlapping security groups created within the current region (see Remediation/Resolution section).

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to list the names of all EC2 security groups available in the selected region:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--output table \
	--query 'SecurityGroups[*].GroupName'

02 The command output should return a table with the requested names. Each table row represents an individual security group. If the total number of rows in your table is greater than 50, the recommended threshold has been exceeded and you must take action to remove any unnecessary or overlapping security groups created within the current region.

-------------------------------------
|      DescribeSecurityGroups       |
+-----------------------------------+
|  MySQL Database Security Group    |
|  EMR Fleet Security Group         |
|  default                          |
|                                   |
|   ...                             |
|                                   |
|  launch-wizard-13                 |
|  Web App EC2 LAMP Security Group  |
|  Web Tier LNMP Security Group     |
+-----------------------------------+

03 Repeat steps no. 1 and 2 to perform the audit process for other AWS regions.

Remediation / Resolution

To remove any unnecessary or obsolete EC2 security groups from an AWS region, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the unnecessary/obsolete EC2 security group that you want to remove (regardless of the platform on which this was created - EC2-VPC or EC2-Classic).

05 Click the Actions dropdown button from the dashboard top menu and select Delete Security Group.

06 In the Delete Security Group dialog box, review the security group details (ID and name) and click Yes, Delete to confirm the action. Once the selected security group is removed from your account, the EC2 security group list is updated.

07 Repeat steps no. 4 – 6 to remove any other unnecessary EC2 security groups available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run delete-security-group command (OSX/Linux/UNIX) using the security group ID (EC2-VPC) or name (EC2-Classic) as identifier to remove any unnecessary/obsolete EC2 security groups within the selected AWS region (if the command succeeds, no output is returned):

  1. To delete an EC2 security group created within EC2-Classic run the following command:
    aws ec2 delete-security-group \
    	--region us-east-1 \
    	--group-name launch-wizard-15

  2. To delete an EC2 security group created within EC2-VPC run the following command:
    aws ec2 delete-security-group \
    	--region us-east-1 \
    	--group-id sg-fa7a1981


02 Repeat step no. 1 to remove any other unnecessary EC2 security groups available in the current region.

03 Repeat steps no. 1 and 2 to implement the entire process for other AWS regions.
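The CLI audit above counts groups per region, and the remediation section assumes you already know which groups are "unnecessary". The script below, an added example that is not part of the Conformity rule or the AWS CLI, does both over the JSON that `aws ec2 describe-security-groups --output json` and `aws ec2 describe-network-interfaces` return: it bands each region's count against the rule's 50/100 thresholds and lists groups that are attached to no network interface, referenced by no other group's rules and are not the VPC default. The region payloads and attached-group lists are constructed samples; the "unreferenced" heuristic is an assumption of this example, not the rule's definition of unnecessary.

```python
import json

LARGE, EXCESSIVE = 50, 100  # per-region thresholds recommended by the rule

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`,
# one payload per region: 60 launch-wizard groups plus the VPC default group.
_us = [{"GroupId": f"sg-{i:08x}", "GroupName": f"launch-wizard-{i}", "IpPermissions": []}
       for i in range(60)]
# launch-wizard-2 allows MySQL from launch-wizard-3, so sg-00000003 must not be deleted.
_us[2]["IpPermissions"] = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "UserIdGroupPairs": [{"GroupId": "sg-00000003"}]}]
_us.append({"GroupId": "sg-0dflt0000", "GroupName": "default", "IpPermissions": []})
SAMPLE_REGIONS = {
    "us-east-1": json.dumps({"SecurityGroups": _us}),
    "eu-west-1": json.dumps({"SecurityGroups": [
        {"GroupId": "sg-0000000a", "GroupName": "web-tier", "IpPermissions": []},
        {"GroupId": "sg-0000000b", "GroupName": "db-tier", "IpPermissions": []}]}),
}
# Constructed sample of group IDs attached to network interfaces, as taken from
# `aws ec2 describe-network-interfaces` (NetworkInterfaces[].Groups[].GroupId).
SAMPLE_ENI_GROUPS = {"us-east-1": ["sg-00000000", "sg-00000001"],
                     "eu-west-1": ["sg-0000000a", "sg-0000000b"]}


def classify(count, large=LARGE, excessive=EXCESSIVE):
    """Map a per-region security group count onto the rule's bands."""
    if count > excessive:
        return "Excessive"
    return "Large" if count > large else "OK"


def audit(region_payloads, eni_groups):
    """Return {region: (count, band, candidate_ids_for_removal)}.

    A candidate is attached to no network interface, is referenced by no other
    group's ingress/egress rule (deleting such a group fails with
    DependencyViolation) and is not the VPC default group, which cannot be
    deleted. Review each candidate before running delete-security-group.
    """
    report = {}
    for region, payload in region_payloads.items():
        groups = json.loads(payload)["SecurityGroups"]
        in_use = set(eni_groups.get(region, []))
        referenced = {pair["GroupId"] for g in groups
                      for perm in g.get("IpPermissions", []) + g.get("IpPermissionsEgress", [])
                      for pair in perm.get("UserIdGroupPairs", [])}
        candidates = [g["GroupId"] for g in groups
                      if g["GroupName"] != "default"
                      and g["GroupId"] not in in_use and g["GroupId"] not in referenced]
        report[region] = (len(groups), classify(len(groups)), candidates)
    return report
```

Groups used only by services that do not surface an ENI in this account, or referenced from a peered VPC's groups, will still appear as candidates, so treat the list as a review queue rather than a delete list.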


Publication date Jun 19, 2016
