Ensure that every rule defined in your Amazon EC2 security groups has a description, to help simplify your operations and remove opportunities for operator error. Descriptive text on security group rules lets you store useful information alongside the rule itself, without keeping documentation external to and separate from the EC2 service. The description can serve multiple purposes, such as EC2/application firewall auditing, security group rule management and third-party auditing. A rule description can be up to 255 characters long and can be defined and viewed from the AWS Management Console, the AWS Command Line Interface (CLI) and the AWS API.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
With security group rule descriptions, you gain more insight into the configuration of your firewall(s). You can record the purpose of the rule and the identity of the IP address next to the rule entry, so it can be used for security group management (e.g. updating source/destination IP addresses, removing obsolete rules, etc.) and auditing (internal and external, compliance and forensic audits). As an admin, you must know who has access to your instances and applications, and why, without having to ask for the required details all the time. Rule descriptions should be visible to AWS Support as well, which could help resolve your EC2-related issues more quickly.
To determine if your EC2 security groups implement descriptive text for the existing rules, perform the following:
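One way to run this check offline, as an added example that is not part of the original page or the Cloud Conformity tool: the script below walks JSON shaped like the output of `aws ec2 describe-security-groups` and lists every inbound or outbound rule entry whose `Description` is absent or blank. The security group IDs and rules in `SAMPLE` are constructed, and the function name `rules_missing_description` is hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa1111example", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public HTTPS"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
      "PrefixListIds": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "  "}],
      "Ipv6Ranges": [], "PrefixListIds": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0bbb2222example"}]}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]}
]}
""")

# A description is stored per entry in these four lists, not per permission;
# the value is the key that names the entry's source or destination.
ENTRY_KINDS = {"IpRanges": "CidrIp", "Ipv6Ranges": "CidrIpv6",
               "PrefixListIds": "PrefixListId", "UserIdGroupPairs": "GroupId"}

def rules_missing_description(doc):
    """Return (group_id, direction, protocol, (from, to), peer) per undescribed entry."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm.get("IpProtocol")
                # FromPort/ToPort are absent on "all traffic" (-1) rules.
                ports = (perm.get("FromPort"), perm.get("ToPort"))
                for list_name, peer_key in ENTRY_KINDS.items():
                    for entry in perm.get(list_name, []):
                        # Whitespace-only text documents nothing, so flag it too.
                        if not (entry.get("Description") or "").strip():
                            findings.append((sg["GroupId"], direction, proto,
                                             ports, entry.get(peer_key)))
    return findings

if __name__ == "__main__":
    for finding in rules_missing_description(SAMPLE):
        print("missing description:", finding)
```

To audit a real account, replace `SAMPLE` with the parsed output of `aws ec2 describe-security-groups --output json`, run once per region.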
To add descriptive text to the rules within your existing EC2 security groups for organization and documentation, perform the following: