Security Group Name Prefixed With 'launch-wizard'

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-061

Ensure that Amazon EC2 instances provisioned in your AWS cloud account are not associated with security groups that have their name prefixed with "launch-wizard", in order to enforce using secure and custom security groups that exercise the Principle of Least Privilege (POLP).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When a new Amazon EC2 security group is created, its default name is prefixed with "launch-wizard" unless a name is specified. The problem with such a security group is its default configuration, which allows inbound (ingress) traffic on port 22 from any source (i.e. 0.0.0.0/0). Because many Amazon EC2 instances are launched with a security group like this, it increases the opportunity for malicious activity such as hacking, brute-force or Denial-of-Service (DoS) attacks.


Audit

To determine if there are Amazon EC2 instances associated with security groups prefixed with "launch-wizard", perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Click inside the Filter instances box located under the console top menu, choose Security group name, type launch-wizard, then press Enter. This filtering technique will return only the Amazon EC2 instances associated with the security groups prefixed with "launch-wizard". If the filtering process returns one or more EC2 instances, there are security groups prefixed with "launch-wizard" in use within the selected AWS region, therefore the associated Amazon EC2 instances might use security groups with insecure configurations.

05 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of the Amazon EC2 instances that are associated with security groups prefixed with "launch-wizard", available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --filters "Name=instance.group-name,Values=launch-wizard-*" \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if no EC2 instances in the region use a security group prefixed with "launch-wizard", or a table of instance IDs if such security groups are associated with Amazon EC2 instances, as shown in the following example:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

If the describe-instances command output returns one or more instance IDs, there are security groups prefixed with "launch-wizard" in use within the selected region, therefore the associated Amazon EC2 instances might use security groups with insecure configurations.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
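An added Python check (not part of the Conformity rule or of the AWS CLI) that evaluates saved describe-instances and describe-security-groups output offline. The JSON samples are constructed, and it goes one step beyond the audit above by also confirming whether each "launch-wizard" group in use actually exposes port 22 to any source (0.0.0.0/0 or ::/0), which is the condition the Security section describes.

```python
import json

# Constructed sample, shaped like `aws ec2 describe-instances` output (not real account data)
INSTANCES_JSON = """{"Reservations": [{"Instances": [
  {"InstanceId": "i-0abcdabcdabcdabcd",
   "SecurityGroups": [{"GroupName": "launch-wizard-3", "GroupId": "sg-01234abcd1234abcd"}]},
  {"InstanceId": "i-0abcd1234abcd1234",
   "SecurityGroups": [{"GroupName": "cc-custom-security-group", "GroupId": "sg-0abcdabcdabcdabcd"}]}
]}]}"""

# Constructed sample, shaped like `aws ec2 describe-security-groups` output
GROUPS_JSON = """{"SecurityGroups": [
  {"GroupId": "sg-01234abcd1234abcd", "GroupName": "launch-wizard-3",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0abcdabcdabcdabcd", "GroupName": "cc-custom-security-group",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "10.0.0.5/32"}], "Ipv6Ranges": []}]}
]}"""


def open_to_world(group: dict, port: int = 22) -> bool:
    """True if any inbound rule reaching `port` accepts traffic from 0.0.0.0/0 or ::/0."""
    for perm in group.get("IpPermissions", []):
        # IpProtocol "-1" means all protocols and ports; FromPort/ToPort are then absent
        if perm.get("IpProtocol") != "-1" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
        if any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])):
            return True
    return False


def audit(instances_json: str, groups_json: str) -> list:
    """Return (instance_id, group_id, open_ssh) for every launch-wizard group still in use."""
    groups = {g["GroupId"]: g for g in json.loads(groups_json)["SecurityGroups"]}
    findings = []
    for reservation in json.loads(instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            for sg in inst.get("SecurityGroups", []):
                if sg["GroupName"].startswith("launch-wizard"):
                    open_ssh = open_to_world(groups.get(sg["GroupId"], {}))
                    findings.append((inst["InstanceId"], sg["GroupId"], open_ssh))
    return findings


if __name__ == "__main__":
    for instance_id, group_id, open_ssh in audit(INSTANCES_JSON, GROUPS_JSON):
        print(f"{instance_id} uses {group_id}; SSH open to the world: {open_ssh}")
```

To run it against a real region, save the two CLI outputs with `--output json` and pass the file contents to `audit()`.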

Remediation / Resolution

To follow AWS cloud security best practices, implement the Principle of Least Privilege (POLP) by replacing the associated security groups, prefixed with "launch-wizard", with custom security groups. To run the remediation process, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Replace the EC2 security group prefixed with 'launch-wizard'",
  "Resources": {
    "CustomEC2SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Admin EC2 Security Group",
        "GroupName": "cc-custom-security-group",
        "VpcId": "vpc-1234abcd",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "10.0.0.5/32"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "-1",
            "FromPort": 0,
            "ToPort": 65535,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "EC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0abcd1234abcd1234",
        "InstanceType": "t3.micro",
        "KeyName": "ssh-key",
        "SubnetId": "subnet-abcd1234",
        "SecurityGroupIds": [
          {
            "Ref": "CustomEC2SecurityGroup"
          }
        ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Replace the EC2 security group prefixed with 'launch-wizard'
Resources:
  CustomEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Admin EC2 Security Group
      GroupName: cc-custom-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.5/32
      SecurityGroupEgress:
        - IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName: ssh-key
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - !Ref CustomEC2SecurityGroup

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Create the replacement EC2 security group
resource "aws_security_group" "ec2-security-group" {
	name        = "cc-custom-security-group"
	description = "Admin EC2 Security Group"
	vpc_id      = "vpc-1234abcd"

	ingress {
		from_port        = 22
		to_port          = 22
		protocol         = "tcp"
		cidr_blocks      = ["10.0.0.5/32"]
	}

	egress {
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}

}

# Replace the security group prefixed with 'launch-wizard' with the custom one for the specified instance
resource "aws_instance" "ec2-instance" {

	ami = "ami-0abcd1234abcd1234"
	instance_type = "t3.micro"
	key_name = "ssh-key"
	subnet_id = "subnet-abcd1234"
	vpc_security_group_ids = [ aws_security_group.ec2-security-group.id ]

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to replace, prefixed with "launch-wizard".

05 Click the Actions dropdown button from the console top menu and choose Copy to new security group.

06 On the Copy to new security group setup page, perform the following actions:

  1. In the Security group name box, enter a unique name for your new custom security group.
  2. In the Description box, provide a short description to reflect the security group usage.
  3. From the VPC dropdown list, select the VPC network in which to create the security group.
  4. In the Inbound rules section, review and (re)configure the inbound/ingress rules copied automatically from the source security group. Make sure that none of the existing inbound rules allow unrestricted traffic (i.e. 0.0.0.0/0 or ::/0) unless it's mandatory.
  5. In the Outbound rules section, review and (re)configure the outbound/egress rules copied automatically from the default security group.
  6. (Optional) For Tags – optional, use the Add tag button to create and apply user-defined tags to the new security group.
  7. Choose Create security group to create the new custom security group.

07 Replace the security group prefixed with "launch-wizard" with the new (custom) one in your Amazon EC2 instance(s) configuration. To replace the required security group, perform the following actions:

  1. In the navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to reconfigure.
  3. Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
  4. On the Change security groups page, perform the following actions:
    • In the Associated security groups section, choose Remove next to the security group prefixed with "launch-wizard", to remove the non-compliant security group from your EC2 instance configuration.
    • Click inside the Select security groups box, select the custom security group created at step no. 6, and choose Add security group. The custom security group will replace the non-compliant one.
    • Choose Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each associated security group prefixed with "launch-wizard", available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to describe the configuration of the Amazon EC2 security group that you want to replace, prefixed with "launch-wizard":

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=group-name,Values='launch-wizard-3'

02 The command output should return the requested configuration information:

{
	"SecurityGroups": [
		{
			"Description": "launch-wizard-3 created 2020-12-22T10:30:00.000+00:00",
			"GroupName": "launch-wizard-3",
			"IpPermissions": [
				{
					"FromPort": 22,
					"IpProtocol": "tcp",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"ToPort": 22,
					"UserIdGroupPairs": []
				}
			],
			"OwnerId": "123456789012",
			"GroupId": "sg-01234abcd1234abcd",
			"IpPermissionsEgress": [
				{
					"IpProtocol": "-1",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": []
				}
			],
			"VpcId": "vpc-abcdabcd"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up a new custom security group that will replace the one prefixed with "launch-wizard", described at the previous step:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-custom-security-group \
  --description "Admin EC2 Security Group" \
  --vpc-id vpc-abcdabcd

04 The command output should return the ID of the new, custom security group:

{
	"GroupId": "sg-0abcdabcdabcdabcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the inbound information from the non-compliant security group to the new (custom) security group. Run the authorize-security-group-ingress command as many times as needed and change the --protocol, --port and --cidr parameter values in order to create all the inbound/ingress rules defined for the non-compliant security group (if successful, the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-0abcdabcdabcdabcd \
  --protocol tcp \
  --port 22 \
  --cidr 10.0.0.5/32

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the outbound information from the non-compliant security group to the new, custom security group. Run the authorize-security-group-egress command as many times as needed and change the --ip-permissions parameter values in order to create all the outbound/egress rules defined for the non-compliant security group (the command does not produce an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-0abcdabcdabcdabcd \
  --ip-permissions '[{"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to reconfigure as the identifier parameter, to replace the security group prefixed with "launch-wizard" with the custom one created at step no. 3. Make sure that you also pass any other compliant security groups associated with the EC2 instance in the --groups command parameter, because the new list replaces the instance's current group set (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-0abcdabcdabcdabcd \
  --groups sg-01234abcd1234abcd sg-0abcdabcdabcdabcd

08 Repeat steps no. 1 – 7 for each associated security group prefixed with "launch-wizard", available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
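An added Python helper for steps 05 to 07 (example code, not from this page or from AWS), working from a constructed describe-instances SecurityGroups list. It computes the --groups value so that compliant groups already attached to the instance are kept and only the "launch-wizard" ones are dropped, and it filters out outbound rules that duplicate the default allow-all IPv4 outbound rule every new security group already carries, since re-authorizing that rule is rejected as a duplicate.

```python
import shlex

# Constructed SecurityGroups list for one instance, shaped like describe-instances output
INSTANCE_GROUPS = [
    {"GroupName": "launch-wizard-3", "GroupId": "sg-01234abcd1234abcd"},
    {"GroupName": "app-internal", "GroupId": "sg-0aaaa1111bbbb2222"},  # compliant, must be kept
]
NEW_SG_ID = "sg-0abcdabcdabcdabcd"  # GroupId returned by create-security-group (step 04)

# Outbound rule that every newly created VPC security group carries by default;
# authorize-security-group-egress rejects adding it again as a duplicate permission.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def replacement_groups(groups: list, new_sg_id: str) -> list:
    """Group IDs for modify-instance-attribute --groups: drop every launch-wizard group,
    keep the compliant ones in their original order, add the custom group once."""
    kept = [g["GroupId"] for g in groups if not g["GroupName"].startswith("launch-wizard")]
    if new_sg_id not in kept:
        kept.append(new_sg_id)
    return kept


def _same_rule(a: dict, b: dict) -> bool:
    """Compare protocol, port range and IPv4 sources of two IpPermissions entries."""
    if any(a.get(k) != b.get(k) for k in ("IpProtocol", "FromPort", "ToPort")):
        return False
    return sorted(r["CidrIp"] for r in a.get("IpRanges", [])) == \
        sorted(r["CidrIp"] for r in b.get("IpRanges", []))


def egress_rules_to_copy(source_egress: list) -> list:
    """Outbound rules of the old group that still need authorize-security-group-egress."""
    return [perm for perm in source_egress if not _same_rule(perm, DEFAULT_EGRESS)]


def modify_command(instance_id: str, groups: list, new_sg_id: str, region: str) -> str:
    """Render the step-07 command line with the computed group set."""
    argv = ["aws", "ec2", "modify-instance-attribute", "--region", region,
            "--instance-id", instance_id, "--groups", *replacement_groups(groups, new_sg_id)]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    print(modify_command("i-0abcdabcdabcdabcd", INSTANCE_GROUPS, NEW_SG_ID, "us-east-1"))
```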

Publication date Feb 2, 2017