Ensure EC2 instances do not have security groups attached

Error: EC2 instances have security groups attached

Bridgecrew Policy ID: BC_AWS_NETWORKING_6
Severity: LOW

EC2 instances have security groups attached

Description

A security group acts as a virtual firewall for your EC2 instances, controlling incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups.

If you do not specify a security group, Amazon EC2 uses the default security group. By default, security groups allow all outbound traffic. You can add rules to each security group that allow traffic to or from its associated instancesEnsure EC2 Instances do Not Have Security Groups Attached. You can modify the rules for a security group at any time. New and modified rules are automatically applied to all instances that are associated with the security group. When Amazon EC2 decides whether to allow traffic to reach an instance, it evaluates all of the rules from all of the security groups that are associated with the instance.

Fix - Runtime

CLI Command

Review the Security Group and Network Interfaces
To review the security group and network interfaces, use the following command:

export REGION=<insert region here>
aws ec2 describe-security-groups 
--region $REGION 
--group-ids sg-#################

aws ec2 describe-network-interfaces 
--region $REGION 
--filters Name=group-id,Values=sg-#################

If the group is not assigned to a network interface, delete it. If it is assigned to a network interface and that interface is available, it could also be deleted as it is not attached.
To delete a security group, use the following command:

aws ec2 delete-security-group --region $REGION --group-id sg-#################

Delete all Unused Security Groups
If you would like to remove all unused security groups, first gather the list of security groups to delete. To gather a list of security groups, use the following command:

INUSE_ENI_SG=$(aws ec2 describe-network-interfaces 
--region $REGION 
--query 'NetworkInterfaces[?Status != `available`].Groups[*].GroupId' 
--output text | sort -u) SGS=$(aws ec2 describe-security-groups 
--region $REGION 
--query 'SecurityGroups[*].GroupId' --output text)

DELETESG=""
for sg in $SGS; do
  echo $INUSE_ENI_SG | grep $sg || DELETESG="$DELETESG $sg"
done
echo $DELETESG

Review the list of security groups. Validate they are not attached to elastic network interfaces. You should see [] for each interface name. If it is attached but the interface is available, it is not in use.
To review the list of security groups, use the following command:

for sg in $DELETESG; do
  aws ec2 describe-network-interfaces 
--region $REGION 
--filters Name=group-id,Values=$sg 
--query 'NetworkInterfaces[*].[NetworkInterfaceId, Status]'
done

To describe an individual interface (if needed), use the following command:

aws ec2 describe-network-interfaces 
--region $REGION 
--network-interface-id eni-#################

When you are ready to proceed, backup and delete the unused security group. To delete the unused security group, use the following command:

aws ec2 describe-security-groups --region $REGION --group-id $sg

for sg in $DELETESG; do
  aws ec2 describe-security-groups --region $REGION --group-id $sg > ${sg}.json
  aws ec2 delete-security-group --region $REGION --group-id $sg
done

Did this page help you?