More Info:

Your AWS account should not have excessive number of security groups per region.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Excessive counts in Security Groups could indicate that there are too many rules in a single Security Group, which can lead to security risks and complexity in managing the rules. To remediate this issue in AWS using the AWS console, follow these steps:
  1. Log in to the AWS Management Console and navigate to the EC2 dashboard.
  2. Select the Security Group that has excessive counts.
  3. Click on the “Edit inbound rules” button to modify the rules.
  4. Review the rules and identify any redundant or unnecessary rules.
  5. Remove any redundant or unnecessary rules by clicking on the “X” button next to each rule.
  6. Consolidate similar rules by combining them into a single rule.
  7. Click on the “Save rules” button to save the changes.
By following these steps, you should be able to remediate the excessive counts in the Security Group and reduce the risk of security breaches.

The Security Group Excessive Counts issue occurs when a security group has too many rules, which can lead to performance issues and make it difficult to manage the security group. To remediate this issue in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your computer.
  2. Use the following command to list all the security groups in your AWS account: 
aws ec2 describe-security-groups
  1. Identify the security group that has too many rules.
  2. Use the following command to get the details of the security group: 
aws ec2 describe-security-groups --group-ids <security-group-id>
  1. Review the rules and identify any rules that are not necessary or duplicates.
  2. Use the following command to delete the unnecessary rules: 
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions <ip-permissions>
  1. Replace <security-group-id> with the ID of the security group that has too many rules.
  2. Replace <ip-permissions> with the IP permissions of the rule that you want to delete. You can get the IP permissions from the output of the previous command.
  3. Repeat steps 6 to 8 for all the unnecessary rules.
  4. Use the following command to confirm that the rules have been deleted: 
aws ec2 describe-security-groups --group-ids <security-group-id>
  1. Verify that the security group no longer has excessive counts.
Note: Make sure to test the security group after making changes to ensure that it is still functioning as expected.
To remediate Security Group Excessive Counts in AWS using python, you can follow these steps:
  1. Identify the security groups with excessive counts by using the describe_security_groups method from the boto3 library in python. This method will return a list of all the security groups in your AWS account. You can then iterate through this list to identify the security groups with excessive counts.
  2. Once you have identified the security groups with excessive counts, you can use the revoke_ingress method to remove unnecessary inbound rules. This method takes in the GroupId parameter to identify the security group and the IpPermissions parameter to specify the inbound rules to be removed.
  3. After removing the unnecessary inbound rules, you can use the authorize_ingress method to add the necessary inbound rules. This method takes in the GroupId parameter to identify the security group and the IpPermissions parameter to specify the inbound rules to be added.
Here’s a sample code snippet that you can use as a starting point:
import boto3

# Create an EC2 client
ec2 = boto3.client('ec2')

# Get all security groups
security_groups = ec2.describe_security_groups()

# Iterate through security groups
for sg in security_groups['SecurityGroups']:
    # Check if security group has excessive counts
    if len(sg['IpPermissions']) > 50:
        # Remove unnecessary inbound rules
        ec2.revoke_ingress(
            GroupId=sg['GroupId'],
            IpPermissions=sg['IpPermissions']
        )
        # Add necessary inbound rules
        ec2.authorize_ingress(
            GroupId=sg['GroupId'],
            IpPermissions=[
                {
                    'IpProtocol': 'tcp',
                    'FromPort': 22,
                    'ToPort': 22,
                    'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
                },
                {
                    'IpProtocol': 'tcp',
                    'FromPort': 80,
                    'ToPort': 80,
                    'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
                }
            ]
        )
In this example, we are checking if a security group has more than 50 inbound rules and removing all the inbound rules using the revoke_ingress method. We are then adding two necessary inbound rules for SSH and HTTP using the authorize_ingress method. You can modify the code to suit your specific requirements.

Additional Reading: