
Create and Configure Web-Tier Security Group


Risk level: Medium (should be achieved)

Ensure there is an EC2 security group created and configured for the web tier that allows inbound traffic on the required ports only from the web-tier ELB security group, in order to secure access to the EC2 instances. This conformity rule assumes that all AWS resources (including security groups) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.

A security group operates as a virtual firewall that controls the traffic for your EC2 instances. To protect the instances within your web tier from unauthorized access, an explicit security group must be created and configured with inbound rules that allow traffic only for specific application protocols and ports, and that reference the security group associated with the web-tier load balancer as the source (rather than a CIDR block such as 0.0.0.0/0).

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if there is an AWS EC2 security group created and configured exclusively for the web tier, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create and Configure Web-Tier Security Group conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under NETWORK & SECURITY, click Security Groups.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the EC2 security groups tagged for the web tier. If no results are returned, there are no security groups tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more security groups, continue the audit with the next step.

06 Select the EC2 security group that you want to examine.

07 Select the Inbound tab from the dashboard bottom panel.

08 On the Inbound panel, check the Type, Protocol, Port Range and Source attributes for each available inbound rule. For compliance, the security group must allow inbound connections from the web-tier ELB security group for explicit ports such as 80 and 443, i.e.

Type     Protocol   Port Range   Source
HTTP     TCP        80           web-tier ELB security group (e.g. sg-1234abcd)
HTTPS    TCP        443          web-tier ELB security group (e.g. sg-1234abcd)

If there are no rules that allow inbound traffic from the web-tier ELB security group on specific ports, the selected EC2 security group does not qualify as compliant web-tier security group.

09 Repeat steps no. 6 – 8 to check other EC2 security groups, provisioned in the selected region, for compliance.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create and Configure Web-Tier Security Group conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-security-groups command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 security groups available in the selected region:

aws ec2 describe-security-groups \
    --region us-east-1 \
    --output table \
    --query 'SecurityGroups[*].GroupId'

03 The command output should return a table with the requested identifiers:

------------------------
|DescribeSecurityGroups|
+----------------------+
|     sg-abcd1234      |
|     sg-12345678      |
|     sg-1234abcd      |
|     sg-aabbccdd      |
+----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

aws ec2 describe-tags \
    --region us-east-1 \
    --filters "Name=resource-id,Values=sg-abcd1234" \
    --query 'Tags[*].{Value:Value, Key:Key}'

05 The command should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified security group is not tagged, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified EC2 security group does not belong to your web tier, therefore the audit process for the selected resource ends here:
    [
        {
            "Value": "Access Type",
            "Key": "Web-Based"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS EC2 security group is tagged as a web-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<web_tier_tag>",
            "Value": "<web_tier_tag_value>"
        }
    ]
    

06 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the EC2 security group that you want to examine as identifier and custom filtering to determine whether the selected security group is compliant or not. For compliance, the security group must allow inbound connections from the web-tier ELB security group for explicit ports such as 80 and 443:

aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-ids sg-abcd1234 \
    --query 'SecurityGroups[*].IpPermissions[]'

07 The command output should return the inbound rules associated with the selected security group:

[
    {
        "IpProtocol": "-1",
        "PrefixListIds": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "UserIdGroupPairs": [],
        "Ipv6Ranges": []
    }
]

If there are no rules that allow inbound traffic from the web-tier ELB security group on specific ports, i.e. no rule whose "UserIdGroupPairs" attribute contains the ID of the ELB security group (e.g. "GroupId": "sg-1234abcd") together with an explicit TCP port, the selected EC2 security group does not qualify as a compliant web-tier security group. The output shown above is such a case: the only rule allows all traffic ("IpProtocol": "-1") from 0.0.0.0/0 and its "UserIdGroupPairs" array is empty.

08 Repeat step no. 4 – 7 to verify other EC2 security groups, provisioned in the selected region, for compliance.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.
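The checks in steps 4 to 7 can be run over the JSON that describe-security-groups returns instead of reading each group by hand. The script below is an added example (it is not Cloud Conformity's rule engine and not AWS CLI code): it takes a describe-security-groups response, skips groups that do not carry the web-tier tag, and for the rest reports which of the required ports (80 and 443) are opened from the web-tier ELB security group, plus findings for rules that do not meet the "explicit port from the ELB group" requirement (CIDR-sourced rules, all-traffic rules, ELB-sourced port ranges). It also emits, as `missing`, the IpPermissions entries that the authorize-security-group-ingress step in the remediation section would need to add. The tag key `web-tier`, tag value `prod`, the ELB group ID `sg-1234abcd`, the account ID and the sample groups are constructed placeholders.

```python
"""Audit EC2 security groups against the web-tier rule described above.

Added example (not Cloud Conformity's engine and not AWS CLI code). It reads
the JSON shape that `aws ec2 describe-security-groups` returns and reports,
for each group tagged for the web tier, whether inbound TCP on the required
ports is allowed from the web-tier ELB security group. The tag key/value,
the ELB group ID, the account ID and the sample groups are constructed.
"""
import json

REQUIRED_PORTS = (80, 443)  # HTTP and HTTPS, the explicit ports named in the rule


def has_web_tier_tag(group, tag_key, tag_value):
    """True if the group carries the <web_tier_tag>:<web_tier_tag_value> tag."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in group.get("Tags", []))


def ports_from_elb(group, elb_sg_id):
    """Return (required ports reachable via TCP from elb_sg_id, findings).

    Findings describe rules that do not satisfy 'explicit port from the ELB
    group': CIDR-sourced rules, all-traffic rules (protocol -1, which carry no
    FromPort/ToPort keys) and ELB-sourced rules that span a port range.
    """
    covered, findings = set(), []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        from_elb = any(pair.get("GroupId") == elb_sg_id
                       for pair in perm.get("UserIdGroupPairs", []))
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            cidrs = [r.get("CidrIp") or r.get("CidrIpv6")
                     for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])]
            findings.append(f"CIDR-sourced rule (protocol {proto}) from {cidrs}")
        if proto == "-1":
            if from_elb:
                findings.append("all-traffic rule from the ELB group; ports not explicit")
            continue
        if not from_elb or proto != "tcp":
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        hit = {p for p in REQUIRED_PORTS if lo <= p <= hi}
        if hit and lo != hi:
            findings.append(f"ELB-sourced rule spans ports {lo}-{hi}, not a single port")
        covered |= hit
    return covered, findings


def evaluate(group, tag_key, tag_value, elb_sg_id):
    """Classify one group the way audit steps 4-7 do: out of scope when it is
    not tagged for the web tier, otherwise compliant once at least one required
    port is opened from the ELB group. 'missing' lists the IpPermissions entries
    (the shape authorize-security-group-ingress --ip-permissions accepts) for
    required ports the group does not yet open to the ELB group."""
    result = {"group": group["GroupId"], "in_scope": False, "compliant": None,
              "covered_ports": [], "missing": [], "findings": []}
    if not has_web_tier_tag(group, tag_key, tag_value):
        return result
    covered, findings = ports_from_elb(group, elb_sg_id)
    result.update(
        in_scope=True,
        compliant=bool(covered),
        covered_ports=sorted(covered),
        missing=[{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
                  "UserIdGroupPairs": [{"GroupId": elb_sg_id}]}
                 for p in REQUIRED_PORTS if p not in covered],
        findings=findings,
    )
    return result


def audit(describe_output, tag_key, tag_value, elb_sg_id):
    """Evaluate every group in a describe-security-groups response (or a bare list)."""
    groups = (describe_output.get("SecurityGroups", [])
              if isinstance(describe_output, dict) else describe_output)
    return [evaluate(g, tag_key, tag_value, elb_sg_id) for g in groups]


# Constructed sample standing in for `aws ec2 describe-security-groups` output.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {   # tagged for the web tier but wide open: the noncompliant case from step 07
        "GroupId": "sg-abcd1234",
        "Tags": [{"Key": "web-tier", "Value": "prod"}],
        "IpPermissions": [{"IpProtocol": "-1", "PrefixListIds": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                           "UserIdGroupPairs": [], "Ipv6Ranges": []}],
    },
    {   # tagged and reachable only from the ELB group on 80 and 443: compliant
        "GroupId": "sg-aaaabbbb",
        "Tags": [{"Key": "web-tier", "Value": "prod"}],
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [], "Ipv6Ranges": [],
             "PrefixListIds": [], "UserIdGroupPairs": [{"GroupId": "sg-1234abcd", "UserId": "123456789012"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [],
             "PrefixListIds": [], "UserIdGroupPairs": [{"GroupId": "sg-1234abcd", "UserId": "123456789012"}]},
        ],
    },
    {   # tagged, sourced from the ELB group, but as an all-traffic rule: ports not explicit
        "GroupId": "sg-eeeeffff",
        "Tags": [{"Key": "web-tier", "Value": "prod"}],
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                           "UserIdGroupPairs": [{"GroupId": "sg-1234abcd", "UserId": "123456789012"}]}],
    },
    {   # different tag set: not part of the web tier, out of scope
        "GroupId": "sg-12345678",
        "Tags": [{"Key": "Access Type", "Value": "Web-Based"}],
        "IpPermissions": [],
    },
]}

if __name__ == "__main__":
    # Real use: feed json.load(sys.stdin) from `aws ec2 describe-security-groups --region us-east-1`.
    print(json.dumps(audit(SAMPLE_RESPONSE, "web-tier", "prod", "sg-1234abcd"), indent=2))
```

The script treats a group as compliant as soon as one required port is opened from the ELB group, which is what the audit text asks for; the `findings` list is where a reviewer sees the reasons a group still deserves attention (for instance the 0.0.0.0/0 all-traffic rule on sg-abcd1234 or the port-less ELB rule on sg-eeeeffff), and `missing` is the payload to hand to authorize-security-group-ingress for whichever of the two ports the ELB listener actually uses.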

Remediation / Resolution

To create a compliant EC2 security group and configure it to allow inbound traffic from the web-tier ELB security group on explicit ports, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create and Configure Web-Tier Security Group conformity rule settings and copy the tag set configured for AWS resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under NETWORK & SECURITY, choose Security Groups.

05 To replace the existing security group with a compliant web-tier security group and assign it to your web-tier instance(s), you need to create and configure a new EC2 security group. To create the required web-tier security group, click Create Security Group button from the dashboard top menu.

06 Inside Create Security Group dialog box, perform the following:

  1. In the Security group name box, enter a name for your new web-tier security group. Use the naming conventions recommended for this type of AWS resource.
  2. In the Description box, provide a description to reflect the resource usage.
  3. From the VPC dropdown list, select the ID of the appropriate Virtual Private Cloud.
  4. Select the Inbound tab and click the Add Rule button to create a new inbound rule.
  5. To define the compliant inbound rule, provide the following information:
    • Select HTTP or HTTPS from the Type dropdown list, depending on your web-tier ELB configuration requirements.
    • In the Source section, select Custom and enter the ID of the appropriate web-tier ELB security group (e.g. sg-1234abcd).
    • Provide a short description for the newly added inbound rule within Description box.
  6. Click Create to deploy your new web-tier security group.

07 Select the newly created resource and choose the Tags tab from the bottom panel.

08 On the Tags panel, click Add/Edit Tags button to add the tags that will help organize the identity of the new security group within the web tier.

09 In the Add/Edit Tags dialog box, click Create Tag button and use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and ensure that the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Once your tags are defined, click Save to apply the changes.

10 Now that the compliant security group is created and configured it is safe to replace the source security group with the new one within the EC2 instance(s) network configuration. To replace the reference to the required resource, perform the following actions:

  1. In the navigation panel, under INSTANCES section, choose Instances.
  2. Select the web-tier EC2 instance that you want to reconfigure.
  3. Click the Actions dropdown button from the dashboard top menu, select Networking and click Change Security Group.
  4. In the Change Security Groups dialog box, uncheck the security group that you want to replace, and check the one created at step no. 6.
  5. Click Assign Security Groups to apply the changes.
  6. Repeat steps 2 – 5 above to replace the necessary security group for other EC2 instances within the web tier.

11 If required, change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create and Configure Web-Tier Security Group conformity rule settings and copy the tag set configured for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run create-security-group command (OSX/Linux/UNIX) to set up the compliant EC2 security group and configure it to allow inbound traffic from the web-tier ELB security group on specific ports. The following command example creates a security group called "security-group-us-east-1-p-web-tier" (using appropriate naming conventions) inside a VPC identified with the ID vpc-12345678, available within US East region:

aws ec2 create-security-group \
    --region us-east-1 \
    --group-name security-group-us-east-1-p-web-tier \
    --description "Web-Tier EC2 Security Group" \
    --vpc-id vpc-12345678

03 The command output should return the new security group ID:

{
    "GroupId": "sg-aaaabbbb"
}

04 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier to create the required inbound rule. The following command example creates a new inbound rule that allows inbound traffic from a web-tier ELB security group identified by the ID sg-aabbccdd, on the specific port TCP 80 (HTTP), inside a security group identified by the ID sg-aaaabbbb, within US East region (the command does not produce an output). If your web-tier ELB also forwards HTTPS traffic, run the same command again with --port 443:

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id sg-aaaabbbb \
    --protocol tcp \
    --port 80 \
    --source-group sg-aabbccdd

05 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created web-tier security group as identifier to create tags for managing the identity of the new resource. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Replace <web_tier_tag> and <web_tier_tag_value> (highlighted) with your own values (the command does not produce an output):

aws ec2 create-tags \
    --region us-east-1 \
    --resources sg-aaaabbbb \
    --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

06 Run modify-instance-attribute command (OSX/Linux/UNIX) using the EC2 instance ID and the compliant web-tier security group ID as parameters to replace the existing (noncompliant) security group with the new one created at step no. 2 within the network configuration of the selected web-tier EC2 instance. Note that --groups sets the complete list of security groups for the instance, so include every group the instance should keep (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
    --region us-east-1 \
    --instance-id i-12345678901234567 \
    --groups sg-aaaabbbb

07 Repeat step no. 6 to replace the necessary security group for other EC2 instances within the web tier.

08 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 7 to perform the remediation/resolution process for other regions.

Publication date Jul 6, 2018