CloudWiki

Amazon Web Service (AWS)

Security Group

Security
A security group serves as a virtual firewall: a set of rules that control inbound and outbound traffic to EC2 instances within a VPC.
aws_security_group attributes:
  • description - (Optional, Forces new resource) Security group description. Defaults to Managed by Terraform. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.
  • egress - (Optional, VPC only) Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
  • ingress - (Optional) Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • name - (Optional, Forces new resource) Name of the security group. If omitted, Terraform will assign a random, unique name.
  • revoke_rules_on_delete - (Optional) Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_id - (Optional, Forces new resource) VPC ID. Defaults to the region's default VPC.

ingress

This argument is processed in attribute-as-blocks mode.

The following arguments are required:

  • from_port - (Required) Start port (or ICMP type number if protocol is icmp or icmpv6).
  • to_port - (Required) End range port (or ICMP code if protocol is icmp).
  • protocol - (Required) Protocol. If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference. This argument is normalized to a lowercase value to match the AWS API requirement when using Terraform 0.12.x and above; make sure the protocol value is specified in lowercase when using older versions of Terraform to avoid an issue during upgrade.

The following arguments are optional:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this ingress rule.
  • ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
  • prefix_list_ids - (Optional) List of Prefix List IDs.
  • security_groups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a source to this ingress rule.

egress

This argument is processed in attribute-as-blocks mode.

The following arguments are required:

  • from_port - (Required) Start port (or ICMP type number if protocol is icmp).
  • to_port - (Required) End range port (or ICMP code if protocol is icmp).
  • protocol - (Required) Protocol. If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. The supported values are defined in the IpProtocol argument in the IpPermission API reference. This argument is normalized to a lowercase value to match the AWS API requirement when using Terraform 0.12.x and above; make sure the protocol value is specified in lowercase when used with older versions of Terraform to avoid issues during upgrade.

The following arguments are optional:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this egress rule.
  • ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
  • prefix_list_ids - (Optional) List of Prefix List IDs.
  • security_groups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a source to this egress rule.

Associating resources with a Security Group

Resources do not "belong" to a Security Group. Rather, one or more Security Groups are associated to a resource. Resource types that can be associated with a Security Group include:

  • Amazon EC2 instances
  • AWS Elastic Beanstalk
  • Amazon Elastic MapReduce
  • Amazon RDS (Relational Database Service)
  • Amazon Redshift
  • Amazon ElastiCache
  • Amazon CloudSearch
  • Amazon Managed Streaming for Apache Kafka (MSK)
  • Elastic Load Balancing
  • Lambda (running in a VPC mode)
  • ALB, NLB, ELB, GLB
  • VPC Endpoints

Create Security Group via Terraform:

A security group can be defined in Terraform in either of two forms:

  • Security group with built-in rules as a single resource
  • Security group and security group rules as separate resources that are associated to each other

The following HCL uses the first form and creates a security group that allows all ingress and egress traffic over all ports (a deliberately permissive example; it fails several of the best practices listed below):

Syntax:

resource "aws_security_group" "test_security_group" {
  name   = "test_security_group"
  vpc_id = aws_vpc.main.id

  # Allow every protocol and port from any IPv4 source (0.0.0.0/0).
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Allow every protocol and port to any IPv4 destination.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "test_security_group"
  }
}

Create Security Group via CLI:

Parameters:

create-security-group
--description <value>
--group-name <value>
[--vpc-id <value>]
[--tag-specifications <value>]
[--dry-run | --no-dry-run]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-security-group --group-name MySecurityGroup --description "My security group"

aws ec2 authorize-security-group-ingress --group-id <sg_id> --protocol tcp --port 22 --cidr 10.0.0.0/8

Best Practices for Security Group

Categorized by Availability, Security & Compliance and Cost. Each rule is listed with its severity:

  • Critical - Ensure default security groups are not in use by ALB
  • Critical - Ensure default security groups are not in use by EC2
  • Critical - Ensure default security groups are not in use by ECS
  • Critical - Ensure default security groups are not in use by ELB
  • Critical - Ensure default security groups are not in use by ElastiCache
  • Critical - Ensure default security groups are not in use by Lambda
  • Critical - Ensure default security groups are not in use by MSK
  • Critical - Ensure default security groups are not in use by OpenSearch
  • Critical - Ensure default security groups are not in use by RDS
  • Critical - Ensure default security groups are not in use by VPC Endpoints
  • Warning - Ensure default security groups do not allow unrestricted traffic
  • Warning - Ensure launch wizard security groups are not in use by EC2
  • Warning - Ensure security groups do not have all ports open
  • Warning - Ensure security groups do not have ingress open to any (0.0.0.0/0)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 10250 (kubelet API)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 10257 (kube-controller-manager)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 10259 (kube-scheduler)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 11211 (Memcached)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 11215 (Memcached SSL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 137 (NetBios)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 139 (NetBios)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 1434 (MSSQL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2181 (ZooKeeper)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2375 (Docker)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2376 (Docker)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2379 (etcd)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2380 (etcd)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2382 (SQL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2383 (SQL Server Analysis)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2484 (Oracle DB SSL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 2888 (ZooKeeper)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 4333 (mSQL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 445 (SMB)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 4505 (Salt)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 4506 (Salt)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 5005 (Neo4j)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 5500 (VNC Listener)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 5601 (Kibana)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 5900 (VNC Server)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 5984 (CouchDB)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 61620 (OpsCenter)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 61621 (Cassandra)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 6443 (Kubernetes API Server)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 7000 (Cassandra Internode)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 7473 (Neo4j)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 7474 (Neo4j)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 8020 (Hadoop)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
  • Critical - Ensure there is no unrestricted inbound access to TCP ports 8300, 8301, 8302 (Consul)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 8888 (Cassandra)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 9090 (Prometheus)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 9092 (Kafka)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 9093 (Prometheus)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
  • Critical - Ensure there is no unrestricted inbound access to TCP port 9300 (ElasticSearch)
  • Critical - Ensure there is no unrestricted inbound access to UDP port 11211 (Memcached)
  • Critical - Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
  • Critical - Ensure there is no unrestricted inbound access to UDP port 69 (TFTP)
  • Warning - Resource is Internet facing
  • Info - S3 Bucket changes alarm
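As an added example (not part of this CloudWiki page or any vendor tool), the following Python applies three of the checks above to a response shaped like `aws ec2 describe-security-groups` output: the default group allowing unrestricted traffic, all ports open, and listed sensitive ports open to 0.0.0.0/0 or ::/0. The group ids and rules are constructed sample data (sg-0aaa mirrors the permissive Terraform example above), and the port table is a subset of the page's list.

```python
import ipaddress

# Subset of the ports the page's Critical rules flag when open to the internet.
SENSITIVE_TCP = {22: "SSH", 23: "Telnet", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL",
                 6379: "Redis", 6443: "Kubernetes API Server", 9200: "ElasticSearch",
                 11211: "Memcached", 27017: "MongoDB"}
SENSITIVE_UDP = {53: "DNS", 69: "TFTP", 11211: "Memcached"}

# Constructed sample (hypothetical group ids) in the shape of the
# `aws ec2 describe-security-groups` response; not taken from a real account.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}


def is_unrestricted(perm):
    """True if any source of this permission is the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def audit_security_groups(payload):
    """Return (severity, group_id, message) tuples for ingress rules that fail the checks."""
    findings = []
    for sg in payload["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not is_unrestricted(perm):
                continue  # sources are specific CIDRs: not an "open to any" rule
            proto = perm["IpProtocol"].lower()
            # Protocol -1 carries no port fields in the API; treat it as every port.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if sg["GroupName"] == "default":
                findings.append(("Warning", gid, "default security group allows unrestricted traffic"))
            if proto == "-1" or (lo, hi) == (0, 65535):
                findings.append(("Critical", gid, "all ports open to any"))
                continue
            findings.append(("Warning", gid, f"{proto} {lo}-{hi} ingress open to any"))
            table = {"tcp": SENSITIVE_TCP, "udp": SENSITIVE_UDP}.get(proto, {})
            for port, name in sorted(table.items()):
                if lo <= port <= hi:
                    findings.append(("Critical", gid, f"{proto} port {port} ({name}) open to any"))
    return findings
```

A port range that merely spans a sensitive port (sg-0ccc's 3000-3400 covers MySQL and RDP) is reported the same way as a rule naming the port directly.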