AWS-EC2-EC2-LaunchWizard-Security-Groups

Severity : High

Description: This control ensures that Launch Wizard deployments use a custom security group rather than the one the wizard generates automatically. If no custom security group is supplied, Launch Wizard creates one at launch. Because security groups are treated as shared resources, that group is not removed when the deployment is deleted, so it stays in the account unused. The auto-generated group also carries rules that open a wide range of ports, which can permit unintended access to the instances and the data on them. The AWS Well-Architected Framework and general security best practice recommend not retaining unused security groups.
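The two conditions the description names (a security group that nothing uses any more, and ingress rules that open a wide port range to the whole internet) can be checked from the API output. The script below is an added example and is not part of the original page or of Launch Wizard; it consumes the "SecurityGroups" and "NetworkInterfaces" lists exactly as `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` print them. The sample data at the bottom is constructed, the group names and IDs are placeholders rather than Launch Wizard's real naming scheme, and the 1024-port threshold is an assumption to tune per policy.

```python
"""Audit security groups for unused groups and world-open wide port ranges.
Input shapes follow the EC2 DescribeSecurityGroups / DescribeNetworkInterfaces
responses. Sample data below is constructed for illustration only."""
from typing import Dict, Iterable, List, Set

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
# Assumption: a single rule spanning more than this many ports counts as "wide".
WIDE_PORT_SPAN = 1024


def port_span(perm: Dict) -> int:
    """Number of ports one IpPermission entry covers ("-1" protocol = all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return 65536
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    if lo == -1:                       # ICMP encodes "all types/codes" as -1/-1
        return 1
    return hi - lo + 1


def open_to_world(perm: Dict) -> bool:
    """True when any source of the rule is the entire IPv4 or IPv6 space."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def overly_permissive_rules(group: Dict) -> List[Dict]:
    """Ingress rules that are both world-reachable and wide in port range."""
    return [p for p in group.get("IpPermissions", [])
            if open_to_world(p) and port_span(p) > WIDE_PORT_SPAN]


def referenced_group_ids(groups: Iterable[Dict], enis: Iterable[Dict]) -> Set[str]:
    """Group IDs attached to a network interface, or named as the source/target
    of another group's rule. The second kind is still in use: EC2 refuses to
    delete it until that rule is removed."""
    ids = {g["GroupId"] for eni in enis for g in eni.get("Groups", [])}
    for grp in groups:
        for perm in grp.get("IpPermissions", []) + grp.get("IpPermissionsEgress", []):
            ids.update(pair["GroupId"] for pair in perm.get("UserIdGroupPairs", []))
    return ids


def audit(groups: List[Dict], enis: List[Dict]) -> Dict:
    """Return {"unused": [group ids], "permissive": {group id: [rules]}}.
    The VPC default group is never reported as unused: it cannot be deleted."""
    in_use = referenced_group_ids(groups, enis)
    unused = [g["GroupId"] for g in groups
              if g["GroupId"] not in in_use and g.get("GroupName") != "default"]
    permissive = {}
    for g in groups:
        rules = overly_permissive_rules(g)
        if rules:
            permissive[g["GroupId"]] = rules
    return {"unused": unused, "permissive": permissive}


# Constructed sample: a wizard-style group with an all-ports rule attached to
# nothing; a tight web group in use on one ENI; a db group attached to no ENI
# but referenced by the web group's egress rule; and the VPC default group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa000000000001", "GroupName": "wizard-auto-example",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0bbb000000000002", "GroupName": "app-web-custom",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                              "IpRanges": [], "Ipv6Ranges": [],
                              "UserIdGroupPairs": [{"GroupId": "sg-0ddd000000000004"}]}]},
    {"GroupId": "sg-0ddd000000000004", "GroupName": "app-db-custom",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc000000000003", "GroupName": "default",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0dd000000000000a",
     "Groups": [{"GroupId": "sg-0bbb000000000002", "GroupName": "app-web-custom"}]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_GROUPS, SAMPLE_ENIS), indent=2))
```

On the sample, only the wizard-style group is reported, both as unused and as overly permissive; the db group is unattached but survives because another group's rule references it, which is also why a delete of such a group fails until that rule is removed.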

Remediation Steps:

Perform the following steps to update the security groups of instances launched by Launch Wizard:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the EC2 console.

  3. Under Network & Security, click Security Groups.

  4. Click Create Security Group and provide a name, a description and the VPC for the new group.

  5. Under Instances, select the instance created by Launch Wizard.

  6. Click Actions, then Networking, then Change Security Groups.

  7. Uncheck the old (auto-generated) group, check the new group, and click Assign Security Groups to apply the change.
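The same procedure from the command line, as an added example that is not part of the original page: it drives the AWS CLI through subprocess, so `aws` must be installed and authenticated for a real run, and the runner is injectable so the command sequence can be exercised without an account. The VPC, instance and group IDs, the group name and the single HTTPS rule are placeholders.

```python
"""Create a custom security group, authorize only the needed rules, swap it
onto the instance in place of the wizard-generated group, and delete the old
group once nothing references it. Requires the aws CLI for a real run."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

Runner = Callable[[List[str]], str]


def run_cli(argv: List[str]) -> str:
    """Execute one aws CLI command; raise on non-zero exit, return stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def replace_instance_security_group(vpc_id: str, instance_id: str, name: str,
                                    description: str, ingress: List[Dict],
                                    old_group_id: Optional[str] = None,
                                    run: Runner = run_cli) -> Dict:
    """ingress entries look like {"protocol": "tcp", "from_port": 443,
    "to_port": 443, "cidr": "10.0.0.0/16"}. Returns the new group ID and the
    argv of every command that was run, in order."""
    executed: List[List[str]] = []

    def do(argv: List[str]) -> str:
        executed.append(argv)
        return run(argv)

    created = do(["aws", "ec2", "create-security-group", "--group-name", name,
                  "--description", description, "--vpc-id", vpc_id,
                  "--output", "json"])
    group_id = json.loads(created)["GroupId"]

    # --ip-permissions takes the same JSON shape DescribeSecurityGroups returns;
    # one authorize call per rule so a rejected rule fails on its own.
    for rule in ingress:
        perm = {"IpProtocol": rule["protocol"], "FromPort": rule["from_port"],
                "ToPort": rule["to_port"], "IpRanges": [{"CidrIp": rule["cidr"]}]}
        do(["aws", "ec2", "authorize-security-group-ingress", "--group-id",
            group_id, "--ip-permissions", json.dumps([perm])])

    # --groups REPLACES the whole security-group set of the instance's primary
    # network interface (it does not append), which is what detaches the
    # wizard-generated group. Instances with additional ENIs need
    # modify-network-interface-attribute --groups on each of them as well.
    do(["aws", "ec2", "modify-instance-attribute", "--instance-id", instance_id,
        "--groups", group_id])

    # The delete fails if any ENI or rule still references the old group,
    # which is the safe outcome: remove the reference, then re-run the delete.
    if old_group_id:
        do(["aws", "ec2", "delete-security-group", "--group-id", old_group_id])
    return {"group_id": group_id, "commands": executed}


def dry_run(argv: List[str]) -> str:
    """Runner that prints each command instead of executing it and answers the
    create call with a placeholder group ID."""
    print(" ".join(argv))
    if argv[2] == "create-security-group":
        return '{"GroupId": "sg-0new00000000000f"}'
    return "{}"


if __name__ == "__main__":
    # Placeholder identifiers; pass run=run_cli to execute against a real account.
    replace_instance_security_group(
        vpc_id="vpc-0123456789abcdef0", instance_id="i-0123456789abcdef0",
        name="app-custom-sg", description="Custom SG replacing Launch Wizard group",
        ingress=[{"protocol": "tcp", "from_port": 443, "to_port": 443,
                  "cidr": "10.0.0.0/16"}],
        old_group_id="sg-0aaa000000000001", run=dry_run)
```

The order matters: the group must exist before rules can be authorized, and the instance must be moved off the old group before the delete can succeed. Keeping every executed argv makes the run auditable after the fact.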

Important:

  • When the deployment is complete, tighten the new security group: narrow the port range and the source (CIDR or security group) of each rule to what the deployment actually needs.

Reference:

Blue Hexagon Proprietary