
Security Group Rules Counts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-014

Determine if there is a large number of inbound and outbound rules defined for your Amazon EC2 security groups and reduce their number by removing any unnecessary or overlapping rules. To improve performance and efficiency, Trend Cloud One™ – Conformity recommends a default value of 50 for the maximum number of rules assigned to a security group; however, this value is configurable and you can adjust the threshold based on your requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

Defining a large number of rules for a security group can increase the latency and impact the performance of the AWS cloud resources associated with the security group.

Note: The threshold for the maximum number of inbound and outbound rules set for this conformity rule is 50 (recommended).


Audit

To determine if there are Amazon EC2 security groups with more than 50 inbound and outbound rules created within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the EC2 security group that you want to examine.

05 Select the Inbound rules tab from the console bottom panel to access the inbound rules created for the selected group. Check the number of inbound rules listed in the top-left section of the panel, i.e. Inbound rules (<number-of-rules>).

06 Choose the Outbound rules tab from the console bottom panel to access the outbound rules created for the group. Check the number of outbound rules listed in the top-left section of the panel, i.e. Outbound rules (<number-of-rules>).

07 If the total number of inbound and outbound rules identified at steps no. 5 and 6 is greater than 50, the selected Amazon EC2 security group exceeds the recommended threshold for the number of defined rules. Remove any unnecessary or overlapping inbound and outbound rules to restore the performance efficiency of the resource(s) associated with the selected security group.

08 Repeat steps no. 4 – 7 for each Amazon EC2 security group available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to list the identifiers (IDs) of all the Amazon EC2 security groups available in the selected AWS region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --output table \
  --query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
|  sg-0123412341234abcd  |
|  sg-0abcd123412341234  |
+------------------------+

03 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter and custom query filters to list all the inbound rules defined for the selected security group:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-01234abcd1234abcd \
  --query 'SecurityGroups[*].IpPermissions[]'

04 The command output should return an array with the inbound rules defined for the selected group. Each JSON object returned by the describe-security-groups command output represents an inbound rule:

[
	{
		"PrefixListIds": [],
		"FromPort": 80,
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"ToPort": 80,
		"IpProtocol": "tcp",
		"UserIdGroupPairs": []
	},

	...


	{
		"PrefixListIds": [],
		"FromPort": 25,
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"ToPort": 25,
		"IpProtocol": "tcp",
		"UserIdGroupPairs": []
	}
]

05 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter, to list all the outbound rules configured for the selected security group:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-01234abcd1234abcd \
  --query 'SecurityGroups[*].IpPermissionsEgress[]'

06 The command output should return an array with the outbound rules configured for the selected group. Each JSON object returned by the describe-security-groups command output represents an outbound rule:

[
	{
		"PrefixListIds": [],
		"FromPort": 80,
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"ToPort": 80,
		"IpProtocol": "tcp",
		"UserIdGroupPairs": []
	},

	...

	{
		"PrefixListIds": [],
		"FromPort": 25,
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"ToPort": 25,
		"IpProtocol": "tcp",
		"UserIdGroupPairs": []
	}
]

07 If the total number of inbound and outbound rules identified at steps no. 4 and 6 is greater than 50, the selected Amazon EC2 security group exceeds the recommended threshold for the number of defined rules. Remove any unnecessary or overlapping inbound and outbound rules to restore the performance efficiency of the resource(s) associated with the selected security group.

08 Repeat steps no. 3 – 7 for each Amazon EC2 security group available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
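The count from steps 3 to 7, scripted over a describe-security-groups style response. This is an added example, not Conformity's tooling; the security group data is constructed. It counts every source or destination entry as one rule, the way the console's rule list and the per-group quota do, rather than each grouped JSON object, and it also flags CIDR rules that a wider rule on the same protocol and port range already covers (the overlapping rules the page says to remove).

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (empty Ipv6Ranges/PrefixListIds/UserIdGroupPairs keys omitted for brevity).
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-01234abcd1234abcd",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.5/32"}, {"CidrIp": "10.0.0.0/24"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

def rule_entries(perm):
    """One rule per source/destination entry, as the console and the per-group
    quota count them; counting JSON objects alone (steps 4 and 6) undercounts."""
    key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
    for r in perm.get("IpRanges", []):
        yield key + (r["CidrIp"],)
    for r in perm.get("Ipv6Ranges", []):
        yield key + (r["CidrIpv6"],)
    for r in perm.get("PrefixListIds", []):
        yield key + (r["PrefixListId"],)
    for r in perm.get("UserIdGroupPairs", []):
        yield key + (r["GroupId"],)

def count_rules(group):
    """Return (inbound, outbound) rule counts for one security group."""
    inbound = sum(1 for p in group.get("IpPermissions", []) for _ in rule_entries(p))
    outbound = sum(1 for p in group.get("IpPermissionsEgress", []) for _ in rule_entries(p))
    return inbound, outbound

def groups_over_threshold(response, threshold=50):
    """IDs of groups whose inbound + outbound count exceeds the threshold (page default 50)."""
    return [g["GroupId"] for g in response["SecurityGroups"] if sum(count_rules(g)) > threshold]

def shadowed_cidr_rules(perms):
    """Rules whose CIDR lies inside a wider rule's CIDR for the same protocol and
    port range: the overlapping rules to remove first. Returns (rule, wider_cidr)."""
    cidrs = [(r, ipaddress.ip_network(r[3], strict=False)) for p in perms
             for r in rule_entries(p) if "/" in r[3]]  # skip sg-/pl- references
    shadowed = []
    for rule, net in cidrs:
        for other, wider in cidrs:
            if (other[:3] == rule[:3] and other[3] != rule[3]
                    and wider.version == net.version and net.subnet_of(wider)):
                shadowed.append((rule, other[3]))
                break
    return shadowed
```

Feed it the JSON that `aws ec2 describe-security-groups --region <region>` returns for each region to get the per-region list the manual procedure builds by hand.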

Remediation / Resolution

To remove any unnecessary or overlapping inbound and outbound rules from your Amazon EC2 security groups, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Add descriptive text to EC2 security group inbound/outbound rules",
	"Resources":{
		"EC2EC2SecurityGroup" : {
			"Type" : "AWS::EC2::SecurityGroup",
			"Properties" : {
				"GroupDescription" : "Admin EC2 Security Group",
				"GroupName" : "cc-ec2-security-group",
				"VpcId" : "vpc-1234abcd",
				"SecurityGroupIngress" : [{
					"Description" : "Admin (SSH) access from the Melbourne office",
					"IpProtocol" : "tcp",
					"FromPort" : 22,
					"ToPort" : 22,
					"CidrIp" : "10.0.0.5/32"
				}],
				"SecurityGroupEgress" : [{
					"Description" : "Allow all outgoing traffic",
					"IpProtocol" : "-1",
					"FromPort" : 0,
					"ToPort" : 65535,
					"CidrIp" : "0.0.0.0/0"
				}]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Add descriptive text to EC2 security group inbound/outbound rules
Resources:
  EC2EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Admin EC2 Security Group
      GroupName: cc-ec2-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - Description: Admin (SSH) access from the Melbourne office
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.5/32
      SecurityGroupEgress:
        - Description: Allow all outgoing traffic
          IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Add descriptive text to EC2 security group inbound/outbound rules
resource "aws_security_group" "custom-security-group" {
	name        = "cc-ec2-security-group"
	description = "Admin EC2 Security Group"
	vpc_id      = "vpc-1234abcd"

	ingress {
		description      = "Admin (SSH) access from the Melbourne office"
		from_port        = 22
		to_port          = 22
		protocol         = "tcp"
		cidr_blocks      = ["10.0.0.5/32"]
	}

	egress {
		description      = "Allow all outgoing traffic"
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the EC2 security group that you want to reconfigure and perform the following actions:

  1. Select the Inbound rules tab from the console bottom panel, click on the Edit inbound rules button, and choose Delete next to the inbound rule that you want to delete, to remove the unnecessary, obsolete, or overlapping rule from your security group. Choose Save rules to apply the configuration changes.
  2. Select the Outbound rules tab from the console bottom panel, click on the Edit outbound rules button, and choose Delete next to the outbound rule that you want to delete, to remove the unnecessary rule from your security group. Choose Save rules to apply the changes.

05 Repeat step no. 4 for each security group that you want to reconfigure, available within the current AWS region.

06 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter, to remove the unnecessary, obsolete, or overlapping inbound rule from the selected security group. If required, change the --protocol, --port, and --cidr parameters values to remove other unnecessary rules from the selected group:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 25 \
  --cidr 0.0.0.0/0

02 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

03 Run revoke-security-group-egress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter, to remove the unnecessary outbound rule from the selected security group. If required, change the --protocol, --port, and --cidr parameters values to remove other unnecessary or overlapping rules from the selected group:

aws ec2 revoke-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 25 \
  --cidr 0.0.0.0/0

04 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

05 Repeat steps no. 1 – 4 for each security group that you want to reconfigure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Jun 19, 2016