Ensure there is an EC2 security group created and configured for the web tier to allow inbound traffic directly from the web-tier ELB security group for the required ports, in order to secure the access to the EC2 instances. This conformity rule assumes that all AWS resources (including security groups) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
A security group operates as a virtual firewall that controls the traffic for your EC2 instances. To protect the instances within your web tier from unauthorized access, an explicit security group must be created and configured to secure access by adding inbound rules that allow traffic for specific application protocols and ports, by referencing as source the security group associated with the web-tier load balancer.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if there is an AWS EC2 security group created and configured exclusively for the web tier, perform the following:
Remediation / Resolution
To create a compliant EC2 security group and configure it to allow inbound traffic from the web-tier ELB security group on explicit ports, perform the following actions:
- AWS Documentation
- Amazon EC2 FAQs
- Security Groups for Your VPC
- Amazon EC2 Security Groups for Linux Instances
- CIS Amazon Web Services Foundations
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Create and Configure Web-Tier Security Group
Risk level: Medium