More Info:

Your security groups should have descriptions associated with them to help you run your operations smoothly. It serves as a documentation and guidance in future.

Risk Level

Informational

Address

Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of security groups not having descriptions in AWS, you can follow the below steps:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. Click on the “Security Groups” option from the left-hand menu.
  4. Identify the security group(s) that do not have descriptions.
  5. Click on the checkbox next to the security group(s) to select it.
  6. Click on the “Actions” dropdown menu and select “Edit description”.
  7. Enter a meaningful description for the security group.
  8. Click on the “Save” button to save the description.
Repeat the above steps for all the security groups that do not have descriptions. It is recommended to have a clear and concise description for each security group, which can help in identifying the purpose of the security group and its associated resources.

To remediate the misconfiguration “Security Groups Should Have Descriptions” in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the security groups in your AWS account: 
aws ec2 describe-security-groups
  1. Identify the security group that does not have a description.
  2. Run the following command to update the description of the security group: 
aws ec2 update-security-group-rule-descriptions-ingress --group-id <security-group-id> --ip-permissions '[{"IpProtocol": "tcp", "FromPort": <port-number>, "ToPort": <port-number>, "IpRanges": [{"CidrIp": "<ip-address>/32", "Description": "<description>"}]}]'
Replace <security-group-id> with the ID of the security group that needs to be updated, <port-number> with the port number that needs to be opened, <ip-address> with the IP address that needs to be allowed, and <description> with the description of the security group.
  1. Run the following command to verify that the description has been updated:
aws ec2 describe-security-groups --group-ids <security-group-id>
The output should show the updated description for the security group.
  1. Repeat steps 3-5 for all the security groups that do not have descriptions.
To remediate the misconfiguration “Security Groups Should Have Descriptions” in AWS using Python, you can follow these steps:
  1. Import the necessary AWS SDK and libraries in your Python code.
  2. Use the describe_security_groups method of the AWS EC2 client to retrieve a list of all security groups in your AWS account.
  3. Loop through the list of security groups and check if each security group has a description.
  4. If a security group does not have a description, use the update_security_group_rule_descriptions_ingress method of the AWS EC2 client to add a description to the security group.
Here is the sample Python code to remediate the misconfiguration “Security Groups Should Have Descriptions” in AWS:
import boto3

# Create an EC2 client
ec2 = boto3.client('ec2')

# Retrieve a list of all security groups in your AWS account
response = ec2.describe_security_groups()

# Loop through the list of security groups and add a description if it doesn't exist
for group in response['SecurityGroups']:
    if not group['Description']:
        group_id = group['GroupId']
        ec2.update_security_group_rule_descriptions_ingress(
            GroupId=group_id,
            IpPermissions=[
                {
                    'FromPort': 0,
                    'IpProtocol': '-1',
                    'IpRanges': [],
                    'Ipv6Ranges': [],
                    'PrefixListIds': [],
                    'ToPort': 65535,
                    'UserIdGroupPairs': []
                },
            ],
            DryRun=False
        )
        print(f"Added description to security group {group_id}")
This code will loop through all the security groups in your AWS account and add a description to any security group that does not have one.

Additional Reading: