
Security Groups Prefixed with "launch-wizard" In Use

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14-day evaluation and check your compliance level for free!


Risk level: Low (generally tolerable level of risk)

Ensure that EC2 instances provisioned in your AWS account are not associated with security groups whose name is prefixed with "launch-wizard", in order to enforce the use of secure, custom security groups that follow the principle of least privilege.

This rule resolution is part of the Cloud Conformity Security Package

When a security group is created by the EC2 launch wizard, its name defaults to one prefixed with "launch-wizard", unless specified otherwise. The problem with such a security group is that it comes with a default configuration that allows inbound (ingress) traffic on port 22 (SSH) from any source (i.e. 0.0.0.0/0). Because many EC2 instances are launched with a security group like this, it increases the opportunities for malicious activity such as hacking, brute-force attacks or even Denial-of-Service (DoS) attacks.

Audit

To determine if you have any EC2 instances associated with security groups prefixed with "launch-wizard", perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 On the EC2 Instances page, click inside the attributes filter box, choose Security Group Name from the dropdown list and type launch-wizard for the attribute value. This filter detects all the EC2 instances that are currently associated with security groups prefixed with "launch-wizard" in the current AWS region. If the filtering process returns one or more EC2 instances, security groups prefixed with "launch-wizard" are in use within the selected region, and the listed instances are using security groups that were possibly left in their default, insecure configuration.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the EC2 instances currently associated with security groups prefixed with "launch-wizard" in the selected AWS region:

aws ec2 describe-instances \
    --region us-east-1 \
    --filters "Name=instance.group-name,Values=launch-wizard-*" \
    --output table \
    --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if there are no security groups prefixed with "launch-wizard" attached to EC2 instances or a table populated with instance IDs if security groups prefixed with "launch-wizard" are currently attached to EC2 instances, as shown in the following example:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-057995a269d8ce429  |
|  i-0cad2570c80fdbea1  |
+-----------------------+

If the command output returns one or more instance IDs, security groups prefixed with "launch-wizard" are in use in the selected region, and the listed EC2 instances are using security groups that were possibly left in their default, insecure configuration.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.
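The audit above is a per-region loop done by hand. The following script is an added example (not Cloud Conformity's own code) that runs the same describe-instances filter in every enabled region, but with --output json, and re-checks the attached group names on the client side so each finding shows which group triggered it. The embedded sample output is constructed; it reuses the two instance IDs from the page's example table, while the third instance and the group IDs other than sg-abcd1234 and sg-1234abcd are made up.

```python
"""Audit every enabled region for EC2 instances attached to "launch-wizard-*" groups.

Added example (not Cloud Conformity's own code). It runs the page's
describe-instances filter per region, but with --output json, and checks the
attached group names locally so each finding shows which group triggered it.
"""
import json
import subprocess
from typing import Dict, List

PREFIX = "launch-wizard"

# Constructed sample in the shape `aws ec2 describe-instances --output json` returns.
# The first two instance IDs are the ones in the page's example table; the third
# instance and all group IDs other than sg-abcd1234/sg-1234abcd are made up.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-057995a269d8ce429",
             "SecurityGroups": [{"GroupName": "launch-wizard-1", "GroupId": "sg-abcd1234"}]},
            {"InstanceId": "i-0cad2570c80fdbea1",
             "SecurityGroups": [{"GroupName": "launch-wizard-3", "GroupId": "sg-0000aaaa"},
                                {"GroupName": "security-group-us-east-1-p-nginx",
                                 "GroupId": "sg-1234abcd"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "SecurityGroups": [{"GroupName": "security-group-us-east-1-p-nginx",
                                 "GroupId": "sg-1234abcd"}]},
        ]},
    ]
}


def launch_wizard_instances(describe_output: dict, prefix: str = PREFIX) -> Dict[str, List[str]]:
    """Map instance ID -> sorted names of attached groups whose name starts with prefix.

    Instances with no such group are left out, so an empty dict means the region is
    clean. Re-checking the names client-side means a finding never depends on the
    server-side wildcard filter alone.
    """
    findings: Dict[str, List[str]] = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            flagged = sorted(
                sg["GroupName"]
                for sg in instance.get("SecurityGroups", [])
                if sg.get("GroupName", "").startswith(prefix)
            )
            if flagged:
                findings[instance["InstanceId"]] = flagged
    return findings


def describe_instances_cmd(region: str, prefix: str = PREFIX) -> List[str]:
    """argv for the page's audit command, with JSON output so it can be parsed."""
    return [
        "aws", "ec2", "describe-instances",
        "--region", region,
        "--filters", f"Name=instance.group-name,Values={prefix}-*",
        "--output", "json",
    ]


def run_json(argv: List[str]):
    """Run an AWS CLI command and decode its JSON output (needs AWS credentials)."""
    completed = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def enabled_regions() -> List[str]:
    """Region names the account can use, from `aws ec2 describe-regions`."""
    return run_json(["aws", "ec2", "describe-regions", "--output", "json",
                     "--query", "Regions[].RegionName"])


def audit_region(region: str) -> Dict[str, List[str]]:
    """Findings for one region; replaces the manual 'change region and repeat' step."""
    return launch_wizard_instances(run_json(describe_instances_cmd(region)))


if __name__ == "__main__":
    # One line per finding: region, instance ID, offending group names.
    for region in enabled_regions():
        for instance_id, groups in audit_region(region).items():
            print(f"{region}\t{instance_id}\t{','.join(groups)}")
```

The describe-regions call itself needs a default region configured (for example via AWS_DEFAULT_REGION); after that the script visits each region on its own. An empty result for a region means no instance there carries a "launch-wizard" group.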

Remediation / Resolution

To adhere to the principle of least privilege and replace the associated security groups, prefixed with "launch-wizard", with secure and well-configured security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY, choose Security Groups.

04 Select the security group that you want to re-create (see Audit section part I to identify the right EC2 resource).

05 To replace the security groups prefixed with "launch-wizard" and assigned to your instance(s), create and configure a new EC2 security group and transfer any existing inbound/outbound rules to it. To create the necessary security group, perform the following actions:

  1. Click the Actions dropdown button from the dashboard top menu and select Copy to new.
  2. In the Create Security Group dialog box, provide the following details:
    • In the Security group name box, enter a name for your new custom security group. Use the naming conventions recommended for EC2 security groups.
    • In the Description box, provide a description to reflect the security group usage.
    • From the VPC dropdown list, select the appropriate VPC ID.
    • Inside the Inbound tab, review and configure the inbound rules copied automatically from the source security group, prefixed with "launch-wizard". In particular, narrow the source of the port 22 (SSH) rule from 0.0.0.0/0 to the trusted address range that actually needs access.
    • Inside the Outbound tab, review and configure the outbound rules copied automatically from the source security group.
    • Click Create button to create the new EC2 security group.

06 Now that the inbound and outbound rules are well-configured, it is safe to replace the source security group with the new one within the EC2 instance(s) network configuration. To replace the security group prefixed with "launch-wizard", perform the following actions:

  1. In the navigation panel, under INSTANCES section, choose Instances.
  2. Select the EC2 instance that you want to reconfigure (see Audit section part I to identify the appropriate instances).
  3. Click the Actions dropdown button from the dashboard top menu, select Networking and click Change Security Group.
  4. In the Change Security Groups dialog box, uncheck the security group that you want to replace, prefixed with "launch-wizard", and check the newly created one.
  5. Click Assign Security Groups to apply the changes.
  6. Repeat steps 2 - 5 to replace the necessary security group(s) for other EC2 instances available in the current region.

07 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the describe-security-groups command (OSX/Linux/UNIX) to list the inbound and outbound rules of the security group that you want to replace, prefixed with "launch-wizard", within the selected region. Note that --group-name only resolves groups in the default VPC; for a group in a nondefault VPC, pass --group-ids with the group ID instead (or use --filters Name=group-name,Values=launch-wizard-1):

aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-name "launch-wizard-1"

02 The command output should return the requested rules information (metadata):

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "Description": "launch-wizard-1 created 2018-01-12T14:13:54.719+02:00",
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 22,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "GroupName": "launch-wizard-1",
            "VpcId": "vpc-12345678",
            "OwnerId": "123456789012",
            "GroupId": "sg-abcd1234"
        }
    ]
}

03 Run the create-security-group command (OSX/Linux/UNIX) to set up a new security group that will replace the one prefixed with "launch-wizard". The following command example creates a security group called "security-group-us-east-1-p-nginx" (using appropriate naming conventions) inside the VPC identified by the ID vpc-12345678, within the US East (N. Virginia) region:

aws ec2 create-security-group \
    --region us-east-1 \
    --group-name security-group-us-east-1-p-nginx \
    --description "Nginx Web Server Security Group" \
    --vpc-id vpc-12345678

04 The command output should return the new security group ID:

{
    "GroupId": "sg-1234abcd"
}

05 Run the authorize-security-group-ingress command (OSX/Linux/UNIX), using the group ID returned at the previous step as identifier, to transfer the inbound rules from the source security group to the newly created security group. If required, run the command as many times as needed, changing the --protocol, --port and --cidr parameter values accordingly, to recreate all the ingress rules defined within the source security group. The following example recreates the port 22 rule but narrows its source from 0.0.0.0/0 to a single trusted address (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id sg-1234abcd \
    --protocol tcp \
    --port 22 \
    --cidr 172.31.50.120/32

06 Run the authorize-security-group-egress command (OSX/Linux/UNIX), using the ID of the new security group as identifier, to transfer the outbound rules from the security group prefixed with "launch-wizard" to the newly created one. If required, run the command as many times as needed, changing the --ip-permissions parameter value accordingly, to recreate all the egress rules defined within the source security group. Note that a newly created VPC security group already has an outbound rule allowing all traffic to 0.0.0.0/0, so a more restrictive egress rule such as the one below only takes effect once that default rule is revoked (the command does not produce an output):

aws ec2 authorize-security-group-egress \
    --region us-east-1 \
    --group-id sg-1234abcd \
    --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run the modify-instance-attribute command (OSX/Linux/UNIX) with the EC2 instance ID and the new security group ID as parameters to replace the security group prefixed with "launch-wizard" (possibly unconfigured and insecure) with the well-configured one created at step no. 3 within the network configuration of the selected EC2 instance. Note that --groups replaces the instance's entire set of security groups, so list every group the instance should keep, not only the new one (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
    --region us-east-1 \
    --instance-id i-057995a269d8ce429 \
    --groups sg-1234abcd

08 Repeat steps no. 3 - 7 to replace the necessary security group(s) for other EC2 instances available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation/resolution process for other regions.
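Steps 01 to 06 of the CLI remediation copy rules from the "launch-wizard" group to the new one by hand, one authorize call per rule. The script below is an added example (not Cloud Conformity's own code) that derives that rule set from the describe-security-groups JSON of step 02: it flags the default launch-wizard rule (SSH from anywhere, including ::/0), narrows that rule's source to one admin CIDR the way the page's step 05 does with 172.31.50.120/32, skips the allow-all egress rule that every new VPC security group already has (re-adding it fails with InvalidPermission.Duplicate), and prints the authorize-security-group-ingress/egress commands with the whole rule set passed through --ip-permissions. The embedded SOURCE_GROUP is a constructed copy of the page's example output; the command-line invocation in the main block is hypothetical.

```python
"""Derive the replacement rule set for a "launch-wizard-*" security group.

Added example (not Cloud Conformity's own code). It takes the JSON that
`aws ec2 describe-security-groups` returns (steps 01-02), flags the default
launch-wizard rule (SSH from anywhere), and produces the --ip-permissions
documents for the authorize-security-group-ingress/egress calls of steps
05-06 with the SSH source narrowed to one admin CIDR, as the page does.
"""
import json
import shlex
import sys
from typing import List

# Constructed copy of the page's describe-security-groups output (one group).
SOURCE_GROUP = {
    "GroupName": "launch-wizard-1",
    "GroupId": "sg-abcd1234",
    "VpcId": "vpc-12345678",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Every new VPC security group already carries this outbound rule; re-adding it
# would make authorize-security-group-egress fail with InvalidPermission.Duplicate.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def compact(perm: dict) -> dict:
    """Drop the empty list fields describe-security-groups pads rules with."""
    return {k: v for k, v in perm.items() if v not in ([], None)}


def open_ssh_rules(group: dict) -> List[dict]:
    """Ingress rules admitting TCP/22 from any IPv4 or IPv6 address (the launch-wizard default)."""
    hits = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # IpProtocol "-1" (all traffic) carries no port keys and covers every port.
        if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            continue
        sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if sources & ANYWHERE:
            hits.append(perm)
    return hits


def replacement_ingress(group: dict, admin_cidr: str) -> List[dict]:
    """Copy of the source ingress rules, with world-open SSH narrowed to admin_cidr."""
    risky = open_ssh_rules(group)
    rules = []
    for perm in group.get("IpPermissions", []):
        if perm in risky:
            perm = dict(perm, IpRanges=[{"CidrIp": admin_cidr}], Ipv6Ranges=[])
        rules.append(compact(perm))
    return rules


def replacement_egress(group: dict) -> List[dict]:
    """Copy of the source egress rules, minus the allow-all rule the new group already has."""
    return [compact(p) for p in group.get("IpPermissionsEgress", [])
            if compact(p) != DEFAULT_EGRESS]


def authorize_cmds(region: str, new_group_id: str,
                   ingress: List[dict], egress: List[dict]) -> List[List[str]]:
    """argv lists for steps 05-06; --ip-permissions carries the whole rule set in one call."""
    cmds = []
    for direction, rules in (("ingress", ingress), ("egress", egress)):
        if rules:
            cmds.append(["aws", "ec2", f"authorize-security-group-{direction}",
                         "--region", region, "--group-id", new_group_id,
                         "--ip-permissions", json.dumps(rules)])
    return cmds


if __name__ == "__main__":
    # Hypothetical invocation (new group ID and admin CIDR are the arguments):
    #   aws ec2 describe-security-groups --group-ids sg-abcd1234 \
    #       | python3 replace_rules.py sg-1234abcd 172.31.50.120/32
    group = json.load(sys.stdin)["SecurityGroups"][0]
    new_id, admin_cidr = sys.argv[1], sys.argv[2]
    for rule in open_ssh_rules(group):
        print("open SSH rule:", json.dumps(compact(rule)), file=sys.stderr)
    for cmd in authorize_cmds("us-east-1", new_id,
                              replacement_ingress(group, admin_cidr),
                              replacement_egress(group)):
        print(shlex.join(cmd))
```

The script only prints the commands; review them before running, since any rule other than the world-open SSH one is copied unchanged and may itself need tightening. Because the page's source group has no egress beyond the default allow-all rule, no authorize-security-group-egress command is emitted for it.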


Publication date: Feb 2, 2017