AWS Security Groups
About
Monitor Security groups for best practices
Operational Maturity
Unused Virtual Private Gateways
Remove unused Amazon Virtual Private Gateways in order to adhere to best practices and to avoid reaching the service limit.
Security
Enable Flow Logs on VPC
VPC flow logs record all traffic flowing into and out of a VPC. These logs are critical for auditing and for review after security incidents.
Flow Logs Enabled on Subnet
Subnet flow logs record all traffic flowing into and out of a subnet. These logs are critical for auditing and for review after security incidents.
Unused network ACLs
Keeping unused resources around increases the risk of misconfiguration and makes audits harder.
Unused Security Groups
Non-default security groups exist that are not attached to any resource and may no longer be required. While they remain in the configuration there is a risk that they are assigned inappropriately. Review the unused security groups and remove those that are no longer needed.
Default Security Group
Ensure the default security groups block all traffic by default. EC2 instances should not be associated with default security groups.
Default Security Group in use and allowing public access
Ensure the default security groups block all traffic by default. EC2 instances should not be associated with a default security group that allows public access.
EC2 with Multiple Security Groups
Determine whether an excessive number of security groups is attached to instances in the account. AWS evaluates the rules of all security groups attached to an EC2 instance together, so the effective policy is the union of their rules and the most permissive rule wins.
Publicly accessible EC2 instances
Ensure that unknown EC2 instances are not publicly accessible. It is good practice to maintain a list of known, publicly accessible instances and to flag every other instance that meets this criterion.
All EC2 instance ports open for external traffic
Determine whether a security group has all ports or protocols open to the public. Security groups should be created on a per-service basis and should avoid allowing all ports or protocols.
All EC2 instance ports open for internal traffic
Determine whether a security group has all ports or protocols open to internal traffic. Security groups should be created on a per-service basis and should avoid allowing all ports or protocols, even for internal access.
EC2 instance with open ICMP ports
Ensure that security groups attached to EC2 instances do not allow inbound ICMP.
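The four checks above (all ports open to external traffic, all ports open to internal traffic, open ICMP, and a default security group allowing public access) can be evaluated from the rules of each security group. The following is an added example, not code from the checklist's author or from Cloudanix. It runs over a constructed sample shaped like the EC2 DescribeSecurityGroups response; the group ids and CIDRs in the sample are made up, and in practice the list would come from `ec2.describe_security_groups()["SecurityGroups"]` via boto3.

```python
"""Evaluate EC2 security group rules against the checklist items above.

Added example: the findings names, the sample groups and the helper
functions are this example's own, not Cloudanix's rule implementation.
"""
from __future__ import annotations

from typing import Iterator

# Constructed sample (not real account data) shaped like the AWS
# DescribeSecurityGroups API output. Group ids are placeholders.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000aaa",
        "GroupName": "default",
        "IpPermissions": [
            # all protocols, all ports, from anywhere: the worst case
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000bbb",
        "GroupName": "web",
        "IpPermissions": [
            # HTTPS from anywhere: narrow, expected for a web tier
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            # ICMP echo from anywhere
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000ccc",
        "GroupName": "internal-all",
        "IpPermissions": [
            # all protocols, but only from a private range
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}


def _sources(perm: dict) -> Iterator[str]:
    """Yield every source (IPv4 CIDR, IPv6 CIDR or referenced group) of one rule."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield g["GroupId"]


def _allows_all_ports(perm: dict) -> bool:
    """True when the rule covers every protocol (-1) or the whole port range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def _allows_icmp(perm: dict) -> bool:
    """ICMP is allowed explicitly, or implicitly by an all-protocols (-1) rule."""
    return perm.get("IpProtocol") in ("icmp", "icmpv6", "-1")


def evaluate_group(group: dict) -> list[str]:
    """Return the sorted list of checklist findings for one security group."""
    findings: set[str] = set()
    for perm in group.get("IpPermissions", []):
        for src in _sources(perm):
            public = src in PUBLIC_SOURCES
            if _allows_all_ports(perm):
                findings.add("all-ports-open-external" if public
                             else "all-ports-open-internal")
            if _allows_icmp(perm):
                findings.add("icmp-open")
            if public and group.get("GroupName") == "default":
                findings.add("default-sg-allows-public")
    return sorted(findings)


def evaluate_all(groups: list[dict]) -> dict[str, list[str]]:
    """Map each GroupId to its findings, omitting groups with none."""
    report = {g["GroupId"]: evaluate_group(g) for g in groups}
    return {gid: f for gid, f in report.items() if f}


if __name__ == "__main__":
    for gid, findings in evaluate_all(SAMPLE_GROUPS).items():
        print(gid, ", ".join(findings))
```

Any source that is not `0.0.0.0/0` or `::/0` (a specific CIDR or a referenced security group) is counted as internal here; tighten `PUBLIC_SOURCES` or add an allow-list of known public-facing groups if your account keeps such a list, as the publicly accessible instances check suggests.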
RDS is Publicly Accessible
Ensures RDS instances are not launched with a public endpoint. Unless there is a specific business requirement, RDS instances should not be publicly accessible and should be reached only from within a VPC.
Redshift is Publicly Accessible
Ensures Redshift clusters are not launched with a public endpoint. Unless there is a specific business requirement, Redshift clusters should not be publicly accessible and should be reached only from within a VPC.
Sources
https://www.cloudanix.com/recipelist/aws/sgaudit
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping
https://docs.aws.amazon.com/redshift/latest/mgmt/getting-started-cluster-in-vpc.html