acquires Cloud Conformity
Open menu

Security Group Rules Counts

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base Best practice rules for Amazon Web Services AWS EC2 Best Practices Security Group Rules Counts
Security
Performance
efficiency
Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-014

Determine if there is a large number of inbound and outbound rules defined within your AWS EC2 security groups and reduce their number by removing any unnecessary or overlapping rules. To improve performance and efficiency Cloud Conformity recommends a default value of 50 for the maximum number of rules assigned to a security group, however, this value is configurable so you can adjust it based on your requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Defining a large number of rules for a security group can increase the latency and impact the performance of the EC2 instances associated with the security group.

Note: The threshold for the maximum number of inbound and outbound rules set for this guide is 50 (recommended).

Audit

To determine if there are any EC2 security groups with more than 50 inbound and outbound rules defined, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the EC2 security group that you want to examine.

05 Click on the Show/Hide Columns button from the top-right menu:

Click on the Show/Hide Columns button from the top-right menu

select Inbound Rules Count and Outbound Rules Count attributes from the Security Group Attributes column and click Close.

06 Check the number of inbound and outbound rules defined for the selected security group, displayed in the Inbound Rules Count and Outbound Rules Count columns:

Inbound Rules Count and Outbound Rules Count</strong> columns

If the total number of inbound and outbound rules displayed is greater than 50, the selected EC2 security group exceeds the recommended threshold for the number of rules defined, therefore you must take actions to remove any unnecessary or overlapping rules in order to restore performance efficiency (see Remediation/Resolution section).

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 >Run describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 security groups currently available in the selected region: 

aws ec2 describe-security-groups
	--region us-east-1
	--output table
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested IDs: 

------------------------
|DescribeSecurityGroups|
+----------------------+
|  sg-5365d728         |
|  sg-45f90e15         |
|  sg-6e74d321         |
+----------------------+

03 Run describe-security-groups command (OSX/Linux/UNIX) using custom filtering to list all the rules defined for the selected security group:

  1. To list all the available inbound rules, run the following command (change the ID with your own security group ID): 
    aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-5365d728
	--query 'SecurityGroups[*].IpPermissions[]'
  2. The command output should return the requested security group rules metadata: 
    [
    {
        "PrefixListIds": [],
        "FromPort": 80,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 80,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    },

    ...

    {
        "PrefixListIds": [],
        "FromPort": 25,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 25,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    }

]
  3. To list all the available outbound rules, run the following command (change the ID with your own security group ID): 
    aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-5365d728
	--query 'SecurityGroups[*].IpPermissionsEgress[]'
  4. The command output should return the requested security group rules metadata: 
    [

    {
        "PrefixListIds": [],
        "FromPort": 80,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 80,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    },

    ...

    {
        "PrefixListIds": [],
        "FromPort": 22,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 22,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    }
]

    Each JSON object returned (highlighted) at step b. and d. represents an inbound/outbound rule metadata. If the number of metadata objects (rules) is greater than 50, the selected security group exceeds the recommended threshold for the number of rules defined, therefore the performance of the EC2 instance(s) associated with the security group can be degraded (see Remediation/Resolution section to remove any unnecessary rules).

04 Repeat step no. 3 to determine the number of inbound/outbound rules defined for each EC2 security group available in the current region.

05 Repeat steps no. 1 – 4 to perform the entire audit process for other AWS regions.

Remediation / Resolution

To remove any unnecessary or overlapping inbound/outbound rules from your EC2 security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the appropriate EC2 security group (see Audit section to identify the right one(s)) and perform the following actions:

  1. To remove security group rules based on the traffic source or destination, choose one of the following options:
    • For inbound/ingress rules, select the Inbound tab from the dashboard bottom panel and click the Edit button.
    • For outbound/egress rules, select the Outbound tab from the dashboard bottom panel and click the Edit button.
  2. In the Edit inbound rules dialog box, identify any unnecessary, obsolete or overlapping rules and remove each unwanted rule by clicking the x button next to the rule entry.
  3. Click Save to apply the changes.

05 Repeat step no. 4 to update other EC2 security groups that exceed the threshold set for the number of inbound/outbound rules.

06 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the security group ID as identifier to remove any unnecessary inbound rules defined within the selected EC2 security group (the command does not return an output): 

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-5365d728
	--protocol tcp
	--port 389
	--cidr 54.164.53.101/32

02 Run revoke-security-group-egress command (OSX/Linux/UNIX) to remove any unnecessary outbound rules defined within the selected EC2 security group (the command does not produce an output): 

aws ec2 revoke-security-group-egress
	--region us-east-1
	--group-id sg-5365d728
	--protocol tcp
	--port 23
	--cidr 0.0.0.0/0

03 Change the --protocol, --port and/or --cidr parameters value based on your requirements and repeat step no. 1 and 2 to remove any unnecessary, obsolete or overlapping rules defined for the selected security group.

04 Repeat steps no. 1 – 3 to update other EC2 security groups that exceed the threshold set for the number of inbound/outbound rules using AWS CLI.

05 Repeat steps no. 1 - 4 to implement the entire process for other AWS regions.

References

Publication date Jun 19, 2016

Related EC2 rules

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to