Create and Configure App-Tier Security Group

Risk level: Medium (should be achieved)

Ensure there is an EC2 security group created and configured for the app tier to grant inbound access from the app-tier ELB security group for explicit ports, in order to secure the access to the EC2 instances running within the tier. This conformity rule assumes that all AWS resources (including security groups) created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Security

A security group works as a virtual firewall that controls the traffic for your EC2 instances. To protect the instances within your app tier from unauthorized access, a dedicated security group must be created and configured to secure access by adding inbound rules that allow traffic for specific application protocols and ports, by referencing as source the security group associated with the app-tier ELB.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if there is an AWS EC2 security group created and configured particularly for the app tier, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set defined for AWS resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under NETWORK & SECURITY, click Security Groups.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the EC2 security groups tagged for the app tier. If no results are returned, there are no security groups tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more security groups, continue the audit with the next step.

06 Select the EC2 security group that you want to examine.

07 Select the Inbound tab from the dashboard bottom panel.

08 On the Inbound panel, check the Type, Protocol, Port Range and Source attributes for each available inbound rule. For compliance, the security group must allow inbound connections from the app-tier ELB security group for explicit ports such as 80 and 443, i.e.

If there are no rules that allow inbound traffic from the app-tier ELB security group on specific ports, the selected EC2 security group does not qualify as compliant app-tier security group.

09 Repeat steps no. 6 – 8 to check other EC2 security groups, provisioned in the selected region, for compliance.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. &app_tier_tag>:&app_tier_tag_value>).

02 Run describe-security-groups command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 security groups available in the selected region:

aws ec2 describe-security-groups
	--region us-east-1
	--output table
	--query 'SecurityGroups[*].GroupId'

03 The command output should return a table with the requested identifiers:

------------------------
|DescribeSecurityGroups|
+----------------------+
|     sg-aabbccdd      |
|     sg-12345678      |
|     sg-1234abcd      |
+----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the security group that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

aws ec2 describe-tags
	--region us-east-1
	--filters "Name=resource-id,Values=sg-aabbccdd"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified security group is not tagged, therefore the audit process for the selected resource ends here:
```
[]
```
If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified EC2 security group does not belong to your app tier, therefore the audit process for the selected resource ends here:
```
[
    {
        "Value": "EnvType",
        "Key": "Development"
    }
]
```
If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. &app_tier_tag>:&app_tier_tag_value>), as shown in the example below, the verified AWS EC2 security group is tagged as a app-tier resource, therefore the audit process continues with the next step:
```
[
    {
        "Key": "&app_tier_tag>",
        "Value": "&app_tier_tag_value>"
    }
]
```

06 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the EC2 security group that you want to examine as identifier and custom filtering to determine whether the selected security group is compliant or not. For compliance, the security group must allow inbound connections from the app-tier ELB security group for explicit ports such as 80 and 443:

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-aabbccdd
	--query 'SecurityGroups[*].IpPermissions[]'

07 The command output should return the inbound rules associated with the selected security group:

[
    {
        "IpProtocol": "-1",
        "PrefixListIds": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "UserIdGroupPairs": [],
        "Ipv6Ranges": []
    }
]

If there are no rules that allow inbound traffic from the app-tier ELB security group on specific ports, i.e. the "UserIdGroupPairs" attribute value does not contain the ID of another group (e.g. GroupId": "sg-12345678"), the selected EC2 security group does not qualify as compliant app-tier security group.

08 Repeat step no. 4 – 7 to verify other EC2 security groups, provisioned in the selected region, for compliance.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To create a compliant EC2 security group and configure it to allow inbound traffic from the app-tier ELB security group on explicit ports, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set configured for AWS resources available in your app tier (e.g. &app_tier_tag>:&app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under NETWORK & SECURITY, choose Security Groups.

05 To replace the existing security group with a compliant app-tier security group and assign it to your app-tier instance(s), you need to create and configure a new EC2 security group. To create the required app-tier security group, click Create Security Group button from the dashboard top menu.

06 Inside Create Security Group dialog box, perform the following:

In the Security group name box, enter a name for your new app-tier security group. Use the naming conventions recommended for this type of AWS resource.
In the Description box, provide a description to reflect the resource usage.
From the VPC dropdown list, select the ID of the appropriate Virtual Private Cloud.
Select the Inbound tab and click the Add Rule button to create a new inbound rule.
To define the compliant inbound rule, provide the following information:
- Select HTTP or HTTPS from the Type dropdown list, depending on your app-tier ELB configuration requirements.
- In the Source section, select Custom and enter the ID of the appropriate app-tier ELB security group (e.g. sg-12345678).
- Provide a short description for the newly added inbound rule within Description box.
Click Create to deploy your new app-tier security group.

07 Select the newly created resource and choose the Tags tab from the bottom panel.

08 On the Tags panel, click Add/Edit Tags button to add the tags that will help organize the identity of the new security group within the app tier.

09 In the Add/Edit Tags dialog box, click Create Tag button and use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and ensure that the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier resources, copied at step no. 1. Once your tags are defined, click Save to apply the changes.

10 Now that the compliant security group is created and configured it is safe to replace the source security group with the new one within the EC2 instance(s) network configuration. To replace the reference to the required resource, perform the following actions:

In the navigation panel, under INSTANCES section, choose Instances.
Select the app-tier EC2 instance that you want to reconfigure.
Click the Actions dropdown button from the dashboard top menu, select Networking and click Change Security Group.
In the Change Security Groups dialog box, uncheck the security group that you want to replace, and check the one created at step no. 6.
Click Assign Security Groups to apply the changes.
Repeat steps b – e to replace the necessary security group for other EC2 instances within the app tier.

11 If required, change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create and Configure App-Tier Security Group conformity rule settings and copy the tag set configured for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run create-security-group command (OSX/Linux/UNIX) to set up the compliant EC2 security group and configure it to allow inbound traffic from the app-tier ELB security group on specific ports. The following command example creates a security group called "security-group-us-east-1-p-app-tier" (using appropriate naming conventions) inside a VPC identified with the ID vpc-1234abcd, available within US East region:

aws ec2 create-security-group
	--region us-east-1
	--group-name security-group-us-east-1-p-app-tier
	--description "App-Tier EC2 Security Group"
	--vpc-id vpc-1234abcd

03 The command output should return the new security group ID:

{
    "GroupId": "sg-abcdabcd"
}

04 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier to create the required inbound rule. The following command example creates a new inbound rule that allows inbound traffic from a app-tier ELB security group identified by the ID sg-abcdabcd, on specific port TCP 80 (HTTP), inside a security group identified by the ID sg-12345678, within US East region (the command does not produce an output):

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-abcdabcd
	--protocol tcp
	--port 80
	--source-group sg-12345678

05 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created app-tier security group as identifier to create tags for managing the identity of the new resource. Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and make sure the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier resources, copied at step no. 1. Replace <app_tier_tag> and <app_tier_tag_value> (highlighted) with your own values (the command does not produce an output):

aws ec2 create-tags
	--region us-east-1
	--resources sg-abcdabcd
	--tags Key=<app_tier_tag>,Value=<app_tier_tag_value>

06 Run modify-instance-attribute command (OSX/Linux/UNIX) using the EC2 instance ID and the compliant app-tier security group ID as parameters to replace the existing security group (noncompliant) with the new one created at step no. 2 within the network configuration of the selected app-tier EC2 instance (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
	--region us-east-1
	--instance-id i-12345678901234567
	--groups sg-abcdabcd

07 Repeat step no. 6 to replace the necessary security group for other EC2 instances within the app tier.

08 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 7 to perform the remediation/resolution process for other regions.

References

AWS Documentation
Security Groups for Your VPC
Amazon EC2 Security Groups for Linux Instances
CIS Amazon Web Services Foundations

AWS Command Line Interface (CLI) Documentation
ec2
describe-security-groups
describe-tags
create-security-group
authorize-security-group-ingress
create-tags
modify-instance-attribute

Publication date Jul 25, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Create and Configure App-Tier Security Group

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules