Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Launch Configuration Referencing Missing Security Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)
Rule ID: ASG-008

Ensure that your Amazon Auto Scaling Groups (ASGs) are configured with one or more active EC2 security Groups in order to maintain the auto-scaling process healthy.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational
excellence

When your Auto Scaling Groups (ASGs) fail to launch new Amazon EC2 instances due to inactive (deleted) security groups, the scaling mechanism is unable to add more compute resources in order to handle the traffic load, and this will cause a significant impact on your application performance, with the possibility of downtime.

Audit

To identify Amazon Auto Scaling Groups that are referencing inactive (deleted) security groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Launch template section, copy the ID of each security group associated with the selected ASG resource from the Security group IDs.

07 In the main navigation panel, under Network & Security, choose Security Groups.

08 Paste the name of each security group copied at step no. 6 in the Filter security groups search box and press Enter. If no results are returned, the associated security groups are no longer available, therefore the selected Auto Scaling Group (ASG) is configured with a missing security group.

09 Repeat steps no. 4 – 8 for each ASG deployed within the selected AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) deployed in the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --output table
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG name(s): 

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   cc-production-asg     |
|   cc-internal-app-asg   |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the launch template (and its version) associated with the Auto Scaling group (ASG) that you want to examine: 

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --auto-scaling-group-name cc-production-asg
  --query 'AutoScalingGroups[*].LaunchTemplate'

04 The command output should return the requested ASG information: 

[
	{
		"LaunchTemplateName": "cc-asg-launch-template",
		"Version": "2",
		"LaunchTemplateId": "lt-0abcd1234abcd1234"
	}
]

05 Run describe-launch-template-versions command (OSX/Linux/UNIX) to describe the ID(s) of the security group(s) used by the latest version of the ASG launch template: 

aws ec2 describe-launch-template-versions
  --region us-east-1
  --launch-template-id lt-0abcd1234abcd1234
  --versions 2
  --query 'LaunchTemplateVersions[*].LaunchTemplateData[].SecurityGroupIds[]'

06 The command output should return the requested security group ID(s): 

[
	"sg-01234abcd1234abcd"
]

07 Run describe-security-groups command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to describe the configuration information available for the specified security group: 

aws ec2 describe-security-groups
  --region us-east-1
  --group-names sg-01234abcd1234abcd

08 The command output should return the requested configuration information if the security group is still available or an error message otherwise: 

An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroups operation: The security group 'sg-01234abcd1234abcd' does not exist in default VPC 'vpc-0abcd1234abcd1234'

If the describe-security-groups command output returns an InvalidGroup.NotFound error, as shown in the output example above, the specified security group is no longer available, therefore the selected Amazon Auto Scaling Group (ASG) is configured with a missing security group.

09 Repeat steps no. 3 – 8 for each ASG available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To fix misconfigured Auto Scaling Groups (ASGs) that are missing security groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to reconfigure.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Launch template section, choose Edit to modify the launch template configuration.

07 Under Version, choose Create a launch template version to create a new launch template version from the existing version.

08 On the Modify template (Create new version) configuration page, in the Network settings section, perform the following operations:

  1. Under Firewall (security groups), choose Create security group to set up a new security group.
  2. Provide a unique name for the new security group in the Security group name – required box.
  3. Provide a short description, to help you identify the security group, in the Description box.
  4. Use the Add security group rule button to add as many inbound rules as required.
  5. Once the new security group is configured, choose Create template version to save the new launch template version.

09 Navigate back to your ASG configuration page, use the Refresh button next to the Version dropdown list to load the new template version, and choose the launch template version created at the previous step. Choose Update to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each ASG that you want to reconfigure, available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-security-group command (OSX/Linux/UNIX) to re-create the missing security group required by your Auto Scaling Group. Make sure that the new security group and the selected ASG share the same VPC network: 

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-asg-security-group
  --description "Security Group for AWS ASG"
  --vpc-id vpc-0abcd1234abcd1234

02 The command output should return the ID of the new security group: 

{
	"GroupId": "sg-01234abcd1234abcd"
}

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group returned at the previous step as the identifier parameter, to create the necessary inbound rule, based on your application requirements: 

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol tcp
  --port 80
  --cidr 0.0.0.0/0

04 The command output should return the metadata available for the inbound rule: 

{
	"Return": true,
	"SecurityGroupRules": [
		{
			"SecurityGroupRuleId": "sgr-01234abcd1234abcd",
			"GroupId": "sg-01234abcd1234abcd",
			"GroupOwnerId": "123456789012",
			"IsEgress": false,
			"IpProtocol": "tcp",
			"FromPort": 80,
			"ToPort": 80,
			"CidrIpv4": "0.0.0.0/0"
		}
	]
}

05 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the necessary outbound rule, based on your application requirements: 

aws ec2 authorize-security-group-egress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

06 The command output should return the metadata available for the outbound rule: 

{
	"Return": true,
	"SecurityGroupRules": [
		{
			"SecurityGroupRuleId": "sgr-01234abcd1234abcd",
			"GroupId": "sg-01234abcd1234abcd",
			"GroupOwnerId": "123456789012",
			"IsEgress": true,
			"IpProtocol": "tcp",
			"FromPort": 80,
			"ToPort": 80,
			"CidrIpv4": "0.0.0.0/0"
		}
	]
}

07 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to get the ID of the launch template associated with the Auto Scaling group (ASG) that you want to reconfigure: 

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --auto-scaling-group-name cc-production-asg
  --query 'AutoScalingGroups[*].LaunchTemplate[].LaunchTemplateId'

08 The command output should return the requested ASG information: 

[
	"lt-0abcd1234abcd1234"
]

09 Run create-launch-template-version command (OSX/Linux/UNIX) using the ID of the ASG launch template described at the previous step as the identifier parameter, to create a new version for the selected launch template. The --source-version parameter value represents the version number of the launch template on which to base the new version. The new version inherits the same launch parameters as the source version, except for parameters that you specify for --launch-template-data. Use the ID of the new security group for the "SecurityGroupIds" command parameter: 

aws ec2 create-launch-template-version
  --region us-east-1
  --launch-template-id lt-0abcd1234abcd1234
  --source-version 3
  --launch-template-data '{"SecurityGroupIds":["sg-01234abcd1234abcd"]}'

10 The command output should return the information available for the new template version: 

{
	"LaunchTemplateVersion": {
		"LaunchTemplateId": "lt-0abcd1234abcd1234",
		"LaunchTemplateName": "cc-asg-launch-template",
		"VersionNumber": 3,
		"LaunchTemplateData": {
			"SecurityGroupIds": [
				"sg-01234abcd1234abcd"
			]
		},
		"CreateTime": "2022-09-12T11:00:00.000Z"
	}
}

11 Run update-auto-scaling-group command (OSX/Linux/UNIX) to apply the new launch template configuration to your Auto Scaling Group (ASG) in order to replace the missing security group with the new, compliant security group (the command does not produce an output):
IMPORTANT: The following reconfiguration process can impact application availability. Ensure that the selected Auto Scaling Group is NOT currently used in production or for critical operations. 

aws autoscaling update-auto-scaling-group
  --region us-east-1
  --auto-scaling-group-name cc-production-asg
  --launch-template LaunchTemplateId=lt-0abcd1234abcd1234,Version=3

12 Repeat steps no. 1 – 11 for each ASG that you want to reconfigure, available in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.

References

Publication date Feb 6, 2017

Related AutoScaling rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Launch Configuration Referencing Missing Security Groups

Risk Level: High