AWS Auto Scaling

Launch Configuration Referencing Inactive Security Groups

This plugin ensures that AWS Auto Scaling launch configurations are not utilizing removed security groups.

Risk Level: Medium

Description

This plugin ensures that AWS Auto Scaling launch configurations are not utilizing removed security groups. Security groups attached with Auto Scaling launch configurations ensure the security of the associated instances. It declares the inbound rules mentioning the IP addresses that can access the instances with the specified ports/protocols.

About the Service

AWS Auto Scaling: As the name suggests, AWS AutoScaling monitors the running resources and if required, increases the scaling capability at the lowest possible costs. AutoScaling is easy to set up and automatically maintains performance of your cloud infrastructure.

Impact

Security Groups act as a firewall for the EC2 instances to control the incoming and outgoing traffic. There are rules defined under security groups that can allow specific IP addresses to access the EC2 instance with the protocol and the Ports specified. If the groups are missing, there can be unrestricted access to the instances generated by the Auto Scaling Groups. Unrestricted access to the instances created might result in data loss and data breaches. It is highly recommended to secure instances with active security groups.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Scroll down and select Launch Configurations under the Auto Scaling section from the left pane.
  4. A list of Launch Configurations will be displayed, select the one you want to investigate by clicking on the checkbox next to its Name.
  5. Verify if all the security groups attached are active by clicking on the security group links in the Security Groups section.
  6. If the link redirects to the “The security group does not exist” page, the clicked security group is inactive. 
  7. Repeat steps 3 to 6 for all the Auto Scaling launch configurations you want to investigate.

Steps for Remediation

Create a new launch configuration with active security groups and replace the usage of vulnerable launch configurations with new one.

  1. Log In to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Scroll down and select Launch Configurations under the Auto Scaling section from the left pane.
  4. A list of Launch Configurations will be displayed, select the one you want to investigate by clicking on the checkbox next to its Name. Next, click on Copy launch configuration in the Details section.
  5. Type a new name for the configuration. In the Security groups section, choose one from the list of active security groups. 
  6. Click on Create launch configuration when done.
  7. Delete the vulnerable security group by clicking on the checkbox next to its Name and from the Actions menu at the top, click on Delete Launch Configuration
  8. Replace all the references of the vulnerable launch configuration with the newly created launch configuration.
  9. Repeat steps 3 to 8 for all the vulnerable Auto Scaling launch configurations.