Ensure Network Interface Does Not Have Unrestricted Security Group Attached Rule
This rule ensures that network interfaces do not have unrestricted security groups attached.
| Rule | Ensure network interface does not have unrestricted security group attached |
| Framework | CloudDefense.AI Security |
| Severity | ✔ Critical |
Rule Description:
The rule "Ensure network interface does not have unrestricted security group attached for CloudDefense" ensures that network interfaces in your CloudDefense environment are not associated with security groups that have unrestricted access.
Rule Troubleshooting:
If this rule fails, it means that one or more network interfaces within your CloudDefense environment have unrestricted security group attachments. To troubleshoot this, follow these steps:
- 1.
Identify the network interfaces:
- Go to the EC2 dashboard in the AWS Management Console.
- Select "Network Interfaces" from the left-hand menu.
- Filter the network interfaces based on the criteria mentioned in the rule.
- 2.
Check associated security groups:
- Select a network interface that has failed the rule.
- In the details pane below, locate the "Security Groups" section.
- Note down the security group(s) associated with the network interface.
- 3.
Validate security group rules:
- Go to the EC2 dashboard in the AWS Management Console.
- Select "Security Groups" from the left-hand menu.
- Locate the security group(s) identified in the previous step.
- Review the inbound and outbound rules of the security group(s).
- Ensure that there are no rules that allow unrestricted access (e.g., 0.0.0.0/0 or ::/0).
- 4.
Update security group rules:
- If you identify any security groups with unrestricted access rules, modify the rules by following these steps:
- Select the security group.
- Click on the "Inbound Rules" or "Outbound Rules" tab, depending on the rule you want to modify.
- Edit the rules to restrict access by specifying specific IP ranges or sources.
- Save the modified rules.
- 5.
Revalidate the rule:
- Once you have updated the security group rules, re-run the evaluation for the rule to ensure compliance.
Relevant Code:
This rule does not require any specific code. However, you can use the AWS CLI or SDKs to automate the identification and modification of security group rules.
Remediation Steps:
Here are the step-by-step instructions to remediate the rule by using the AWS Command Line Interface (CLI):
- 1.
Identify the network interfaces:
aws ec2 describe-network-interfaces --filters "Name=tag:CloudDefense,Values=true" - 2.
Check associated security groups:
- Take note of the security group(s) associated with the network interface(s) failing the rule.
- 3.
Validate security group rules:
- Review the inbound and outbound rules for each security group identified in the previous step.
- 4.
Update security group rules:
- If any security group has unrestricted access, modify the rules to restrict access.
Example command to modify an inbound rule:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --source-cidr <source-cidr>Example command to modify an outbound rule:
aws ec2 revoke-security-group-egress --group-id <security-group-id> --protocol <protocol> --port <port> --destination-cidr <destination-cidr>Replace
,<security-group-id>
,<protocol>
,<port>
, or<source-cidr>
with the corresponding values for the rule you want to modify.<destination-cidr> - 5.
Revalidate the rule:
- After modifying the security group rules, re-run the evaluation for the rule to ensure compliance.
Note: Make sure you have appropriate AWS credentials configured and the AWS CLI properly installed to execute the commands successfully.