Amazon EC2

Unused Security Groups

This plugin detects security groups that have been unused for longer than the configured threshold.

Risk Level: Low

Description

This plugin detects security groups that have been unused for longer than the configured threshold. Removing such unused security groups is a recommended security best practice.

Configuration Parameters

Time Threshold: This parameter sets the limit as a number of consecutive days during which the security group has not been in use. An issue is generated for any security group that has not been used for that many consecutive days.

By default, the value is 90 days, so a vulnerability alert is created for any security group that has not been in use for the past 90 days.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With Amazon EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision the underlying hardware. Security groups act as a virtual firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups here.

Impact

Unused security groups add complexity to the cloud infrastructure and make it harder to reason about which rules are actually in effect. They also count toward the security group service limit and can prevent new resources from launching once that limit is reached. Therefore, it is recommended to remove unused security groups.

Steps to Reproduce

Using the AWS Console:

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Move to the Network Interfaces in the Network & Security section from the left navigation pane.
  4. A list of Network Interfaces in the region will appear. Select one by clicking on its ID.
  5. In the Details section, note the security group IDs attached to the interface. A security group attached to a network interface is currently in use.
  6. Repeat the previous steps for all the interfaces you want to investigate.
  7. Compare the collected IDs with the full list of security groups: any security group that is not attached to any network interface is currently not in use.
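The point-in-time version of this check, written as an added example (not code from the plugin or from AWS): given the dictionary shapes returned by boto3's ec2.describe_security_groups() and ec2.describe_network_interfaces(), it reports every security group attached to no network interface, skips each VPC's default group (which AWS does not allow deleting), and flags groups that are still referenced by another group's rules, since that reference blocks deletion. The function names and the sample group and interface IDs are assumptions; the data is constructed inline so the script runs offline.

```python
# Added example: detect security groups attached to no network interface, using the
# dict shapes of boto3 ec2.describe_security_groups() / describe_network_interfaces().
# All sample data below is constructed; the IDs are placeholders.

SECURITY_GROUPS = [  # shape of describe_security_groups()["SecurityGroups"]
    {"GroupId": "sg-0aaa", "GroupName": "default", "VpcId": "vpc-1", "IpPermissions": []},
    {"GroupId": "sg-0bbb", "GroupName": "web", "VpcId": "vpc-1", "IpPermissions": []},
    {"GroupId": "sg-0ccc", "GroupName": "old-db", "VpcId": "vpc-1", "IpPermissions": []},
    {"GroupId": "sg-0ddd", "GroupName": "app", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}]},
]
NETWORK_INTERFACES = [  # shape of describe_network_interfaces()["NetworkInterfaces"]
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0bbb"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-0bbb"}, {"GroupId": "sg-0ddd"}]},
]


def attached_group_ids(network_interfaces):
    """Every security group ID that appears on at least one network interface."""
    return {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}


def referenced_group_ids(security_groups):
    """Groups named as source/destination in another group's rules; AWS refuses to delete these."""
    refs = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") and pair["GroupId"] != sg["GroupId"]:
                    refs.add(pair["GroupId"])
    return refs


def find_unused_security_groups(security_groups, network_interfaces):
    """Return [(group_id, group_name, blocker)] for groups attached to no interface.
    The VPC default group is skipped because AWS does not allow deleting it."""
    in_use = attached_group_ids(network_interfaces)
    referenced = referenced_group_ids(security_groups)
    findings = []
    for sg in security_groups:
        if sg["GroupName"] == "default" or sg["GroupId"] in in_use:
            continue
        blocker = "referenced by another group's rule" if sg["GroupId"] in referenced else None
        findings.append((sg["GroupId"], sg["GroupName"], blocker))
    return findings


if __name__ == "__main__":
    for gid, name, blocker in find_unused_security_groups(SECURITY_GROUPS, NETWORK_INTERFACES):
        print(f"{gid} ({name}) is unused" + (f"; delete blocked: {blocker}" if blocker else ""))
```

A single snapshot only shows that a group is not attached right now; applying the plugin's day-based threshold requires recording the result of each run and alerting once a group has stayed unattached for the configured number of consecutive days.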

Steps for Remediation

Delete unused security groups:

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Move to the Security Groups in the Network & Security section from the left navigation pane.
  4. A list of Security Groups in the region will appear. Select the unused group by clicking on the checkbox next to it.
  5. From the Actions menu, click on Delete security groups.
  6. Repeat these steps for all the unused security groups.