
Rule: VPC Security Groups Should Be Associated with at Least One ENI

Ensure VPC security groups are linked with a minimum of one Elastic Network Interface to enhance network security.

Rule: VPC security groups should be associated with at least one ENI
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

This rule checks that every VPC security group is associated with at least one Elastic Network Interface (ENI), as expected under the NIST 800-171 Revision 2 security standard. Security groups are applied to ENIs, where they filter inbound and outbound traffic for instances and other resources in the Amazon Virtual Private Cloud (VPC); a security group attached to no ENI is not filtering any traffic and is either unused configuration or a group that was meant to be attached.

Troubleshooting Steps:

  1. Verify that all VPC security groups have at least one associated ENI.
  2. Identify any security groups that do not have an associated ENI.
  3. Determine why a security group might not have an associated ENI.

Remediation:

To remediate this rule and ensure compliance with the NIST 800-171 Revision 2 standard, the following steps can be followed:

  1. Identify the security group(s) that do not have an associated ENI.
  2. Determine whether the security group(s) are required and should be associated with an ENI, or whether they can be removed.
  3. If the security group(s) are required:
     a. Identify the corresponding ENI(s) that should be associated with the security group(s).
     b. If the ENI(s) do not exist, create them as needed.
     c. Associate the ENI(s) with the security group(s).
  4. If the security group(s) can be removed:
     a. Determine whether any resources are still using the security group(s) and update their configurations to remove the dependency on the security group(s).
     b. Once all dependencies are removed, delete the unnecessary security group(s).

Please note that the specific steps for remediation may vary based on your infrastructure setup and the tools you are using to manage it. The following AWS CLI commands can be used as a general guide for remediating this issue:

  1. List all VPC security groups:

     aws ec2 describe-security-groups

  2. Identify the security group(s) without an associated ENI.

  3. For each security group without an associated ENI:
     a. Identify the ENI(s) that should be associated with the security group.
     b. If the ENI(s) do not exist, create them:

        aws ec2 create-network-interface --subnet-id <subnet-id> --security-group-ids <security-group-id>

     c. Associate the ENI(s) with the security group(s):

        aws ec2 modify-network-interface-attribute --network-interface-id <network-interface-id> --groups <security-group-id>

  4. If the security group(s) can be removed:
     a. Check whether any EC2 instances are still using the security group(s) and update their configurations to remove the security group(s).
     b. Once all dependencies are removed, delete the unnecessary security group(s):

        aws ec2 delete-security-group --group-id <security-group-id>

Repeat the above steps for each security group without an associated ENI until all VPC security groups comply with the NIST 800-171 Revision 2 standard.
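The detection step above (find the security groups that no ENI references) as an added example; this is not Cloud Defense's own check. It works on the JSON shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` (the same shape boto3 returns), and the two documents below are constructed sample data, not real account output.

```python
"""Report VPC security groups that are not associated with any ENI."""
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups`.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "VpcId": "vpc-1"},
    {"GroupId": "sg-0bbb", "GroupName": "db", "VpcId": "vpc-1"},
    {"GroupId": "sg-0ccc", "GroupName": "default", "VpcId": "vpc-1"},
    {"GroupId": "sg-0ddd", "GroupName": "orphan-legacy", "VpcId": "vpc-1"},
]}

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`.
NETWORK_INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-2",
     "Groups": [{"GroupId": "sg-0aaa"}, {"GroupId": "sg-0bbb"}]},
]}


def eni_counts(sgs: dict, enis: dict) -> Dict[str, int]:
    """Map every listed security group ID to the number of ENIs attaching it."""
    counts = {g["GroupId"]: 0 for g in sgs["SecurityGroups"]}
    for eni in enis["NetworkInterfaces"]:
        for grp in eni.get("Groups", []):
            # Groups outside our listing (another page or region) are ignored.
            if grp["GroupId"] in counts:
                counts[grp["GroupId"]] += 1
    return counts


def unassociated_groups(sgs: dict, enis: dict) -> List[dict]:
    """Security groups with zero ENIs, i.e. the findings this rule reports.

    'deletable' is a remediation hint: a VPC's 'default' security group
    cannot be deleted, so it is reported but must be left in place.
    """
    counts = eni_counts(sgs, enis)
    return [
        {"GroupId": g["GroupId"], "GroupName": g["GroupName"],
         "VpcId": g["VpcId"], "deletable": g["GroupName"] != "default"}
        for g in sgs["SecurityGroups"] if counts[g["GroupId"]] == 0
    ]


if __name__ == "__main__":
    for finding in unassociated_groups(SECURITY_GROUPS, NETWORK_INTERFACES):
        print(json.dumps(finding))
```

When remediating by attaching, remember that `modify-network-interface-attribute --groups` replaces the ENI's entire group set, so pass the groups it already has along with the one being added; a delete will also fail with DependencyViolation while another security group's rules still reference the group.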
