Ensure that Amazon EC2 instances provisioned in your AWS cloud account are not associated with security groups whose names are prefixed with "launch-wizard", in order to enforce the use of secure, custom security groups that follow the Principle of Least Privilege (POLP).
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When a new Amazon EC2 security group is created (by the EC2 launch wizard), its default name is prefixed with "launch-wizard" unless you specify otherwise. The problem with such a security group is its default configuration, which allows inbound (ingress) traffic on port 22 from any source (i.e. 0.0.0.0/0). Because many Amazon EC2 instances are launched with a security group like this, it widens the opportunity for malicious activity such as hacking, brute-force or Denial-of-Service (DoS) attacks.
Audit
To determine if there are Amazon EC2 instances associated with security groups prefixed with "launch-wizard", perform the following actions:
Remediation / Resolution
To follow AWS cloud security best practices, implement the Principle of Least Privilege (POLP) by replacing the associated security groups prefixed with "launch-wizard" with custom security groups. To run the remediation process, perform the following operations:
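The audit and remediation steps above can be scripted against the `describe-instances` and `describe-security-groups` API output. The following is an added example (not Conformity's own code) that flags instances attached to "launch-wizard" groups, detects the world-open port 22 default, and computes the group list to pass to `modify-instance-attribute --groups`; the sample responses and all resource IDs are constructed placeholders.

```python
# Added example (not Conformity's code): audit and remediation-planning logic for this rule.
from ipaddress import ip_network
PREFIX = "launch-wizard"

def launch_wizard_attachments(describe_instances):
    """Map each non-compliant instance ID to its launch-wizard-prefixed group names."""
    findings = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            names = [sg["GroupName"] for sg in inst.get("SecurityGroups", [])
                     if sg["GroupName"].startswith(PREFIX)]
            if names:
                findings[inst["InstanceId"]] = names
    return findings

def world_open_ssh(describe_security_groups):
    """IDs of groups with ingress to TCP/22 from 0.0.0.0/0 or ::/0 (the wizard default)."""
    open_ids = []
    for sg in describe_security_groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")  # "-1" means all protocols and all ports
            covers_22 = proto == "-1" or (proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"])
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if covers_22 and any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                open_ids.append(sg["GroupId"])
                break
    return open_ids

def replacement_group_ids(describe_instances, instance_id, custom_sg_id):
    """Groups for `modify-instance-attribute --groups`: keep compliant, swap launch-wizard ones."""
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["InstanceId"] != instance_id:
                continue
            kept = [sg["GroupId"] for sg in inst["SecurityGroups"]
                    if not sg["GroupName"].startswith(PREFIX)]
            return kept + [custom_sg_id] if len(kept) < len(inst["SecurityGroups"]) else kept
    raise KeyError(instance_id)

# Constructed sample responses; every ID below is a placeholder, not a real resource.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [
        {"GroupId": "sg-0a1", "GroupName": "launch-wizard-1"}, {"GroupId": "sg-0b2", "GroupName": "app-internal"}]},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-0b2", "GroupName": "app-internal"}]}]}]}
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "app-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]}
```

Feed real output from `aws ec2 describe-instances` and `aws ec2 describe-security-groups` (parsed JSON) to the same functions; the returned group list is exactly what `aws ec2 modify-instance-attribute --instance-id ... --groups` expects once the custom group exists.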
References
- AWS Documentation
  - Amazon EC2 security groups for Linux instances
  - Control traffic to resources using security groups
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-security-groups
    - create-security-group
    - authorize-security-group-ingress
    - authorize-security-group-egress
    - modify-instance-attribute
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider