
Descriptions for Security Group Rules


Risk level: Low (generally tolerable level of risk)

Ensure that all the rules defined for your Amazon EC2 security groups have a description to help simplify your operations and remove any opportunities for operator errors. Adding descriptive text for security group rules will allow you to store locally useful information without the need to keep any documentation external and separated from the EC2 service. The information provided as description can be used for multiple purposes such as EC2/application firewall auditing, security group rules management, third-party auditing, etc. A rule description can be up to 255 characters long and can be defined and viewed from the AWS Management Console, AWS Command Line Interface (CLI) and using the AWS API.

With security group rule descriptions, you gain more insight into the configuration of your firewall(s). You can record the purpose of the rule and the identity of the IP address next to the rule entry, so the entry can be used for security group management (e.g. updating source/destination IP addresses, removing obsolete rules, etc.) and auditing (internal and external, compliance and forensic audits). As an admin, you must know who has access (and why) to your instances and your applications without having to ask for the required details every time. Rule descriptions are visible to AWS Support as well, which can help resolve your EC2 related issues more quickly.

Audit

To determine if your EC2 security groups implement descriptive text for the existing rules, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 On the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to examine.

05 Select the Inbound/Outbound tab from the dashboard bottom panel.

06 Verify the fields within the Description column for any existing inbound/outbound rule description defined. If there are inbound/outbound rules without any descriptions assigned, the selected EC2 security group does not have descriptions defined for all existing rules and therefore does not adhere to security and operational excellence best practices.

07 Repeat steps no. 4 – 6 to verify other EC2 security groups for descriptive text assigned to inbound/outbound rules, available in the selected region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-security-groups command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 security groups currently available in the selected region:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--output table \
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested IDs:

------------------------
|DescribeSecurityGroups|
+----------------------+
|  sg-13e12560         |
|  sg-17800a64         |
|  sg-27491954         |
|                      |
|  ...                 |
|                      |
|  sg-b8084fcb         |
|  sg-d81cd9ab         |
|  sg-e5edbd96         |
+----------------------+

03 Run the describe-security-groups command (OSX/Linux/UNIX) again, using custom filtering to expose the current configuration of the inbound and outbound rule(s) defined within the selected security group:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--group-ids sg-13e12560 \
	--query 'SecurityGroups[*].[IpPermissions,IpPermissionsEgress]'

04 The command output should return the requested configuration details:

[
    [
        [
            {
                "PrefixListIds": [],
                "FromPort": 80,
                "IpRanges": [
                    {
                        "Description": "",
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "ToPort": 80,
                "IpProtocol": "tcp",
                "UserIdGroupPairs": [],
                "Ipv6Ranges": []
            },
            {
                "PrefixListIds": [],
                "FromPort": 22,
                "IpRanges": [
                    {
                        "Description": "",
                        "CidrIp": "122.112.122.122/32"
                    }
                ],
                "ToPort": 22,
                "IpProtocol": "tcp",
                "UserIdGroupPairs": [],
                "Ipv6Ranges": []
            }
        ],
        [
            {
                "IpProtocol": "-1",
                "PrefixListIds": [],
                "IpRanges": [
                    {
                        "Description": "",
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "UserIdGroupPairs": [],
                "Ipv6Ranges": []
            }
        ]
    ]
]

Verify the text returned as the value of the Description attribute assigned to each existing inbound/outbound rule. If the Description attribute does not hold any value (text), as shown in the example above, the selected EC2 security group does not have descriptions defined for the existing rules and therefore does not adhere to security and operational excellence best practices.

05 Repeat steps no. 3 and 4 to verify other EC2 security groups, available in the selected region, for descriptive text assigned to inbound/outbound rules.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To add descriptive text to the rules within your existing EC2 security groups for organization and documentation, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under the NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to examine.

05 Select the Inbound/Outbound tab from the bottom panel of the dashboard and click Edit to update the necessary ingress/egress rules.

06 Within the Edit inbound/outbound rules dialog box, provide a descriptive text, e.g. "Admin access from Melbourne office", for each existing rule in the Description field available next to the rule configuration. The rule description can be up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces and ._-:/()#,@[]+=;{}!$*.

07 Click Save to apply the changes and return to the EC2 dashboard.

08 Repeat steps no. 4 – 7 to add inbound/outbound rule descriptions to other EC2 security groups available in the selected region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the update-security-group-rule-descriptions-ingress command (OSX/Linux/UNIX) using the ID of the security group that you want to update (see Audit section part II to identify the right resource), to update the description of an ingress (inbound) security group rule. With the update-security-group-rule-descriptions-ingress command you can replace an existing description or, as in this case, add a description to a rule that did not have one previously, by defining it as part of the IP permissions structure:

aws ec2 update-security-group-rule-descriptions-ingress \
	--region us-east-1 \
	--group-id sg-13e12560 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "122.112.122.122/32", "Description": "Admin access from Melbourne office."}]}]'

02 The command output should return true if the request succeeds, otherwise it should return an error:

true

03 Now execute the update-security-group-rule-descriptions-egress command (OSX/Linux/UNIX) using the ID of the EC2 security group that you want to update, to add descriptions to the existing egress (outbound) rules. With the update-security-group-rule-descriptions-egress command you can replace an existing description or add a description to a rule that did not have one previously:

aws ec2 update-security-group-rule-descriptions-egress \
	--region us-east-1 \
	--group-id sg-13e12560 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Outbound HTTP access to everyone."}]}]'

04 The command output should return true if the request succeeds, otherwise it should return an error:

true

05 Repeat steps no. 1 – 4 to add/update rule descriptions for the rest of the EC2 security groups available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
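The audit and remediation steps above can be driven from the describe-security-groups output itself. The following Python is an added example, not Cloud Conformity's or AWS's code: it scans a security group's IpPermissions and IpPermissionsEgress for entries with a blank Description (IPv4, IPv6, prefix list and group-pair entries alike) and generates the matching update-security-group-rule-descriptions-ingress/egress commands, copying protocol, ports and target from the existing rule because the update call only succeeds when they match exactly. The embedded security group is a constructed sample modelled on the output shown in the Audit section.

```python
import json

# Constructed sample in the shape returned by describe-security-groups.
SAMPLE_SG = {
    "GroupId": "sg-13e12560",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": ""}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "122.112.122.122/32",
                       "Description": "Admin access from Melbourne office."}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": ""}]}],
}

# Every entry type in a permission carries its own Description; only the key
# naming the rule's target differs.
TARGET_KEYS = {"IpRanges": "CidrIp", "Ipv6Ranges": "CidrIpv6",
               "PrefixListIds": "PrefixListId", "UserIdGroupPairs": "GroupId"}

def find_undescribed_rules(sg):
    # (direction, permission, entry_list_key, target) per blank-description entry.
    findings = []
    for direction in ("IpPermissions", "IpPermissionsEgress"):
        for perm in sg.get(direction, []):
            for list_key, target_key in TARGET_KEYS.items():
                for entry in perm.get(list_key, []):
                    if not entry.get("Description", "").strip():
                        findings.append((direction, perm, list_key, entry[target_key]))
    return findings

def build_update_permission(perm, list_key, target, description):
    # One --ip-permissions element; protocol, ports and target must match the
    # existing rule exactly, and "-1" (all traffic) rules carry no FromPort/ToPort.
    item = {"IpProtocol": perm["IpProtocol"]}
    item.update({k: perm[k] for k in ("FromPort", "ToPort") if k in perm})
    item[list_key] = [{TARGET_KEYS[list_key]: target, "Description": description}]
    return item

def remediation_commands(sg, region, description):
    # One aws CLI command per undescribed entry, ingress or egress as appropriate.
    cmds = []
    for direction, perm, list_key, target in find_undescribed_rules(sg):
        verb = "ingress" if direction == "IpPermissions" else "egress"
        payload = json.dumps([build_update_permission(perm, list_key, target, description)])
        cmds.append(f"aws ec2 update-security-group-rule-descriptions-{verb} --region {region} "
                    f"--group-id {sg['GroupId']} --ip-permissions '{payload}'")
    return cmds
```

Rules that already carry a description are skipped; call `remediation_commands(SAMPLE_SG, "us-east-1", "TODO: document this rule")` to print the commands, replacing the placeholder text with the real purpose of each rule before running them.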


Publication date Oct 17, 2017