Create and Configure App-Tier Security Group
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free TrialEnsure there is an EC2 security group created and configured for the app tier to grant inbound access from the app-tier ELB security group for explicit ports, in order to secure the access to the EC2 instances running within the tier. This conformity rule assumes that all AWS resources (including security groups) created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
A security group works as a virtual firewall that controls the traffic for your EC2 instances. To protect the instances within your app tier from unauthorized access, a dedicated security group must be created and configured to secure access by adding inbound rules that allow traffic for specific application protocols and ports, by referencing as source the security group associated with the app-tier ELB.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if there is an AWS EC2 security group created and configured particularly for the app tier, perform the following:
01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set defined for AWS resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
04 In the navigation panel, under NETWORK & SECURITY, click Security Groups.
05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the EC2 security groups tagged for the app tier. If no results are returned, there are no security groups tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more security groups, continue the audit with the next step.
06 Select the EC2 security group that you want to examine.
07 Select the Inbound tab from the dashboard bottom panel.
08 On the Inbound panel, check the Type, Protocol, Port Range and Source attributes for each available inbound rule. For compliance, the security group must allow inbound connections from the app-tier ELB security group for explicit ports such as 80 and 443, i.e.
If there are no rules that allow inbound traffic from the app-tier ELB security group on specific ports, the selected EC2 security group does not qualify as compliant app-tier security group.
09 Repeat steps no. 6 – 8 to check other EC2 security groups, provisioned in the selected region, for compliance.
10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.
01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. &app_tier_tag>:&app_tier_tag_value>).
02 Run describe-security-groups command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 security groups available in the selected region:
aws ec2 describe-security-groups --region us-east-1 --output table --query 'SecurityGroups[*].GroupId'
03 The command output should return a table with the requested identifiers:
------------------------ |DescribeSecurityGroups| +----------------------+ | sg-aabbccdd | | sg-12345678 | | sg-1234abcd | +----------------------+
04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:
aws ec2 describe-tags
--region us-east-1
--filters "Name=resource-id,Values=sg-aabbccdd"
--query 'Tags[*].{Value:Value, Key:Key}'
05 The command request should return one of the following outputs:
[]
[
{
"Value": "EnvType",
"Key": "Development"
}
]
[
{
"Key": "&app_tier_tag>",
"Value": "&app_tier_tag_value>"
}
]
06 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the EC2 security group that you want to examine as identifier and custom filtering to determine whether the selected security group is compliant or not. For compliance, the security group must allow inbound connections from the app-tier ELB security group for explicit ports such as 80 and 443:
aws ec2 describe-security-groups --region us-east-1 --group-ids sg-aabbccdd --query 'SecurityGroups[*].IpPermissions[]'
07 The command output should return the inbound rules associated with the selected security group:
[
{
"IpProtocol": "-1",
"PrefixListIds": [],
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"UserIdGroupPairs": [],
"Ipv6Ranges": []
}
]
08 Repeat step no. 4 – 7 to verify other EC2 security groups, provisioned in the selected region, for compliance.
09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.
To create a compliant EC2 security group and configure it to allow inbound traffic from the app-tier ELB security group on explicit ports, perform the following actions:
01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set configured for AWS resources available in your app tier (e.g. &app_tier_tag>:&app_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
04 In the navigation panel, under NETWORK & SECURITY, choose Security Groups.
05 To replace the existing security group with a compliant app-tier security group and assign it to your app-tier instance(s), you need to create and configure a new EC2 security group. To create the required app-tier security group, click Create Security Group button from the dashboard top menu.
06 Inside Create Security Group dialog box, perform the following:
07 Select the newly created resource and choose the Tags tab from the bottom panel.
08 On the Tags panel, click Add/Edit Tags button to add the tags that will help organize the identity of the new security group within the app tier.
09 In the Add/Edit Tags dialog box, click Create Tag button and use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and ensure that the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier resources, copied at step no. 1. Once your tags are defined, click Save to apply the changes.
10 Now that the compliant security group is created and configured it is safe to replace the source security group with the new one within the EC2 instance(s) network configuration. To replace the reference to the required resource, perform the following actions:
11 If required, change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set configured for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Run create-security-group command (OSX/Linux/UNIX) to set up the compliant EC2 security group and configure it to allow inbound traffic from the app-tier ELB security group on specific ports. The following command example creates a security group called "security-group-us-east-1-p-app-tier" (using appropriate naming conventions) inside a VPC identified with the ID vpc-1234abcd, available within US East region:
aws ec2 create-security-group --region us-east-1 --group-name security-group-us-east-1-p-app-tier --description "App-Tier EC2 Security Group" --vpc-id vpc-1234abcd
03 The command output should return the new security group ID:
{
"GroupId": "sg-abcdabcd"
}
04 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier to create the required inbound rule. The following command example creates a new inbound rule that allows inbound traffic from a app-tier ELB security group identified by the ID sg-abcdabcd, on specific port TCP 80 (HTTP), inside a security group identified by the ID sg-12345678, within US East region (the command does not produce an output):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-abcdabcd --protocol tcp --port 80 --source-group sg-12345678
05 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created app-tier security group as identifier to create tags for managing the identity of the new resource. Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and make sure the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier resources, copied at step no. 1. Replace <app_tier_tag> and <app_tier_tag_value> (highlighted) with your own values (the command does not produce an output):
aws ec2 create-tags
--region us-east-1
--resources sg-abcdabcd
--tags Key=<app_tier_tag>,Value=<app_tier_tag_value>
06 Run modify-instance-attribute command (OSX/Linux/UNIX) using the EC2 instance ID and the compliant app-tier security group ID as parameters to replace the existing security group (noncompliant) with the new one created at step no. 2 within the network configuration of the selected app-tier EC2 instance (if successful, the command does not produce an output):
aws ec2 modify-instance-attribute --region us-east-1 --instance-id i-12345678901234567 --groups sg-abcdabcd
07 Repeat step no. 6 to replace the necessary security group for other EC2 instances within the app tier.
08 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 7 to perform the remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat