Security group attached to eni remediation

Using Console

Using CLI

To remediate the misconfiguration “Non-Default Security Groups Should Be Attached To Elastic Network Interface” for AWS EC2 using AWS CLI, follow these steps:

List all the Elastic Network Interfaces (ENIs) in your AWS account:

aws ec2 describe-network-interfaces

Identify the ENI that is not attached to a non-default security group and note down its ID.
List all the security groups in your AWS account:

aws ec2 describe-security-groups

Identify the non-default security group that you want to attach to the ENI and note down its ID.
Attach the non-default security group to the ENI using the following command:

aws ec2 modify-network-interface-attribute --network-interface-id <ENI_ID> --groups <Security_Group_ID>

Replace <ENI_ID> with the ID of the ENI and <Security_Group_ID> with the ID of the non-default security group.

Verify that the non-default security group has been successfully attached to the ENI:

aws ec2 describe-network-interfaces --network-interface-ids <ENI_ID>

By following these steps, you can remediate the misconfiguration “Non-Default Security Groups Should Be Attached To Elastic Network Interface” for AWS EC2 using AWS CLI.

Using Python

To remediate the misconfiguration of non-default security groups not being attached to Elastic Network Interface (ENI) for AWS EC2 instances using Python, you can follow these steps:

Install and configure the AWS SDK for Python (Boto3) on your local machine. You can install it using pip:

pip install boto3

Write a Python script to identify EC2 instances with non-default security groups attached to their ENIs. Here’s a sample script that accomplishes this:

import boto3

# Initialize the EC2 client
ec2_client = boto3.client('ec2')

# Get a list of all EC2 instances
instances = ec2_client.describe_instances()

# Iterate through each instance
for reservation in instances['Reservations']:
    for instance in reservation['Instances']:
        instance_id = instance['InstanceId']
        
        # Get the list of security groups attached to the instance's ENIs
        enis = instance.get('NetworkInterfaces', [])
        for eni in enis:
            security_groups = eni.get('Groups', [])
            
            # Check if any non-default security groups are attached to the ENI
            for sg in security_groups:
                if 'default' not in sg['GroupName']:
                    print(f"Instance {instance_id} has a non-default security group attached to ENI {eni['NetworkInterfaceId']}")
                    
                    # You can add remediation steps here to attach the default security group to the ENI
                    # ec2_client.modify_network_interface_attribute(NetworkInterfaceId=eni['NetworkInterfaceId'], Groups=['default'])

Run the Python script to identify instances with non-default security groups attached to their ENIs. The script will print out the instance IDs and ENI IDs for instances with non-default security groups attached.
To remediate the misconfiguration, you can uncomment the remediation steps in the script to attach the default security group to the ENI. This can be done using the modify_network_interface_attribute method in Boto3.
Run the script again to apply the remediation steps and ensure that all instances have default security groups attached to their ENIs.

By following these steps, you can remediate the misconfiguration of non-default security groups not being attached to Elastic Network Interface (ENI) for AWS EC2 instances using Python and Boto3.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Security group attached to eni remediation

Triage and Remediation

Remediation