Security Group Name Prefixed With 'launch-wizard'

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 On the EC2 Instances page, click inside the attributes filter box:

choose Security Group Name from the dropdown list and type launch-wizard for the attribute value. This filtering technique will help you to detect all the EC2 instances that are currently associated with security groups prefixed with "launch-wizard", in the current AWS region. If the filtering process returns one or more EC2 instances, there are security groups prefixed with "launch-wizard" in use within the selected region, therefore the specified instances are using security groups that are possibly unconfigured and insecure.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of the EC2 instances that are currently associated with security groups prefixed with "launch-wizard", available in the selected AWS region:

aws ec2 describe-instances
	--region us-east-1
	--filters "Name=instance.group-name,Values=launch-wizard-*"
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if there are no security groups prefixed with "launch-wizard" attached to EC2 instances or a table populated with instance IDs if security groups prefixed with "launch-wizard" are currently attached to EC2 instances, as shown in the following example:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-057995a269d8ce429  |
|  i-0cad2570c80fdbea1  |
+-----------------------+

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY, choose Security Groups.

04 Select the security group that you want to re-create (see Audit section part I to identify the right EC2 resource).

05 To replace the security groups prefixed with "launch-wizard" and assigned to your instance(s), create and configure a new EC2 security group and transfer any existing inbound/outbound rules to it. To create the necessary security group, perform the following actions:

1. Click the Actions dropdown button from the dashboard top menu and select Copy to new.
2. In the Create Security Group dialog box, provide the following details:
   • In the Security group name box, enter a name for your new custom security group. Use the naming conventions recommended for EC2 security groups.
   • In the Description box, provide a description to reflect the security group usage.
   • From the VPC dropdown list, select the appropriate VPC ID.
   • Inside the Inbound tab, review and configure the inbound rules copied automatically from the source security group, prefixed with "launch-wizard".
   • Inside the Outbound tab, review and configure the outbound rules copied automatically from the source security group.
   • Click Create button to create the new EC2 security group.

06 Now that the inbound and outbound rules are well-configured it is safe to replace the source security group with the new one within the EC2 instance(s) network configuration. To replace the security group prefixed with "launch-wizard", perform the following actions:

1. In the navigation panel, under INSTANCES section, choose Instances.
2. Select the EC2 instance that you want to reconfigure (see Audit section part I to identify the appropriate instances).
3. Click the Actions dropdown button from the dashboard top menu, select Networking and click Change Security Group.
4. In the Change Security Groups dialog box, uncheck the security group that you want to replace, prefixed with "launch-wizard", and check the newly created one.
5. Click Assign Security Groups to apply the changes.
6. Repeat steps b – e to replace the necessary security group(s) for other EC2 instances available in the current region.

07 Change the AWS region from the navigation bar and repeat the entire process for other regions.

01 Run describe-security-groups command (OSX/Linux/UNIX) to list the inbound and outbound rules for the security group that you want to replace, prefixed with "launch-wizard", available within the selected region:

aws ec2 describe-security-groups
	--region us-east-1
	--group-name "launch-wizard-1"

02 The command output should return the requested rules information (metadata):

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "Description": "launch-wizard-1 created 2018-01-12T14:13:54.719+02:00",
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 22,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "GroupName": "launch-wizard-1",
            "VpcId": "vpc-12345678",
            "OwnerId": "123456789012",
            "GroupId": "sg-abcd1234"
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up a new security group that will replace the one prefixed with "launch-wizard". The following command example creates a security group called "security-group-us-east-1-p-nginx" (using appropriate naming conventions) inside a VPC identified with the ID vpc-12345678, available within US East region:

aws ec2 create-security-group
	--region us-east-1
	--group-name security-group-us-east-1-p-nginx
	--description "Nginx Web Server Security Group"
	--vpc-id vpc-12345678

04 The command output should return the new security group ID:

{
    "GroupId": "sg-1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier, to transfer the inbound information from the source security group to the newly created security group. If required, run the command as many times as needed by changing accordingly the --protocol, --port and --cidr parameter values in order to create all the ingress rules defined within the source security group (the command does not produce an output):

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-1234abcd
	--protocol tcp
	--port 22
	--cidr 172.31.50.120/32

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the new security group as identifier to transfer the outbound information from the security group prefixed with "launch-wizard" to the newly created one. If required, run the command as many times as needed by changing accordingly the --ip-permissions parameter value in order to create all the egress rules defined within the source security group (the command does not produce an output):

aws ec2 authorize-security-group-egress
	--region us-east-1
	--group-id sg-1234abcd
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run modify-instance-attribute command (OSX/Linux/UNIX) using the EC2 instance ID and the new security group ID as parameters to replace the security group prefixed with "launch-wizard" (possibly unconfigured and insecure) with the well-configured one created at step no. 3 within the network configuration of the selected EC2 instance (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
	--region us-east-1
	--instance-id i-057995a269d8ce429
	--groups sg-1234abcd

08 Repeat steps no. 3 - 7 to replace the necessary security group(s) for other EC2 instances available in the current region

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation/resolution process for other regions.